Researchers on Wednesday at the 21st ACM Conference on Computer and Communications Security, detailed the attack which rely on a “rogue POS terminal” running on a mobile device that could be pre-set to a large amount of money, a wireless transfer of up to 999,999.99 units in any currency.
Security researchers from
Newcastle University in the UK have found a way to steal larger amounts of money from people's pockets using just a mobile phone, due to a security glitch Visa’s contactless payment cards.
Contactless payment cards use a cryptoprocessor and RFID technology to perform secure transactions without a need to insert the card in a reader, even an NFC-equipped mobile device may also be used as a payment card. But there is a specified limits country-wise.
Contactless payment cards are meant to have a limit of £20 per purchase in UK, using which shoppers can buy things by simply tapping their card on a scanner, without having to type in a PIN. But exploiting a flaw in its protocol could allow cyber criminals to manipulate the cards to transfer up to $999,999.99 in foreign currency into a scammer’s account.
'Multiple safeguards'
They said transactions with the card were approved in less than a second.
"All the checks are carried out on the card rather than the terminal, so at the point of transaction there is nothing to raise suspicions," said Martin Emms, lead researcher on the project.
"By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."
He acknowledged the study had not looked at the security systems banks have in place to prevent fraud.
But he added it was not clear, looking at the payment protocol, how banks would deal with the problem.
Visa said it had reviewed the research and it did not take into account "multiple safeguards put into place throughout the Visa system".
"For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment," its statement said.
The good news is that the research team haven’t tested how Visa’s system reacted to a rush of foreign currency transfers, and whether it would flag them up as a possible fraud or not.
But the experts are worried that the contactless payment cards system is insecure, and that cybercriminals would likely use the flaw to set up hundreds or thousands of fraudulent transactions in smaller amounts to evade detection.
"Our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system," Emms said.
In a report on the BBC, Visa Europe said that "we have reviewed Newcastle's findings as part of our continued focus on security and beating payments fraud" and that their research "does not take into account the multiple safeguards put into place throughout the Visa system", adding that it would be "very difficult to complete this type of transaction outside of a laboratory environment."
Visa Europe also said that the company is updating its protection to require more payment card transactions to be authenticated online, making this kind of attack more difficult to carry out.
source:
http://www.bbc.com/news/uk-england-tyne-29862080
http://www.ncl.ac.uk/press.office/press.release/item/contactless-cards-fail-to-recognise-foreign-currency
