Researchers have discovered that the £30 limit on Visa contactless cards can be avoided which enables criminals to rinse a victim’s bank account without touching the card.
Researchers at the tech firm Positive Technologies said cards from five different UK banks are vulnerable to the hack. The hack uses a device to intercept communication between a card and payment terminal. It tells the card that there is no verification is needed and then telling the terminal that it has already been provided, this means it removes the £30 limit.
Tim Yunusov, Head of Banking Security for Positive Technologies said: “The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing,”
He added: “While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.”
The amount of money stolen from contactless cards and devices increased from £6.7 million in 2016 to £14 million in 2017. Although banks have systems which flag up suspicious transactions the researchers were able to make payments of £100 via contactless without being detected.
Leigh-Anne Galloway, head of cybersecurity resilience at Positive Technologies said: “While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion. Because of this, we can expect to see contactless fraud continue to rise. Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard.
“Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless.”
Visa said they will not update their systems to overrule the hack as it was not a “scalable fraud”.
Visa made a statement to Sky News, it said: “Visa takes all security threats to payments seriously, and we appreciate industry and academic efforts to harden payment security. Consumers should continue to use their Visa cards with confidence.”
