Researchers claim potentially serious flaw in Visa contactless payments cards in the UK

 

This morning a BBC report showed researcher claims of a potentially very serious vulnerability in Visa contactless payments. It is still not clear enough to what extent this could open the door for fraudsters around the world to use the flaw but from what was presented it seems this could be an expensive problem, most unwelcome at this time.

image

 

Contactless payments cards allow people to make purchases below a certain value by just touching the card against a Point of Sale (POS) terminal. People do not need to enter a PIN except when prompted, after a certain number of transactions.Visa and MasterCard have been active in rolling out these cards across the UK, and indeed world-wide this trend has progressed strongly this year.

 

Spend on contactless cards in the UK is expected to rise to £6.4 million a week in 2014, up from £3.2 million in 2013. UK is a leader in contactless payments world-wide, making the latest discovery a point for people around the world to consider and take into account in their own projects and testing involving contactless payments.

 

Today, a demonstration on BBC showed a mobile based contactless payment card meant to block transactions higher than £20 actually allowed an amount of $ 999999.99 to be put through as it was in a foreign currency. The claim was that the flaw is with Visa contactless cards, and not just payment via mobile phones, although the demonstration was of a mobile initiated transaction. Prof AAD Van Moorsel of Newcastle University made a statement about the research and vulnerabilities they found.

 

Due to the widespread roll out of these cards in the UK, it is possible that people have these cards without being aware of it. There are 48 million contactless cards in the UK today.

 

image

 

Visa Europe responded to the BBC on this to say the research does not take into account the multiple safeguards put into place and in practice it would be difficult to complete such a transaction. Of course, the amount would go through only if the account had the money. They were already updating their system anyway to make this kind of attack difficult.

image

 

This could be a potentially very big issue, but found by researchers before it was exploited by criminals.  BBC states that so far in the UK contactless card fraud was only £51,000  in the first half of 2014, but then most people have not actually begun to use the contactless functionality on the  cards.

This is an unfortunate setback at a time when contactless payments was at last set to take off. In the UK, with new rules having come into effect in July 2014, contactless cards were to be the mainstay of payments on London buses where cash is no longer accepted.

 

The question this raises for me is to what extent this flaw may be present in other cases of  contactless payments in Europe and world-wide. The reports so far do not make it conclusively clear at what level this flaw exists – whether only for dematerialised cards on mobile phones or for all Visa contactless payments cards.

 


This entry was posted in Card Fraud, contactless payments, Europe, Mobile Payments, Security, UK by Charmaine Oak. Bookmark the permalink.

About Charmaine Oak

Charmaine Oak is the practice lead for Digital Money at Shift Thought. She has over 27 years of experience of creating and delivering solutions to market. Her skills and experience are at the intersection of mobile, banking and payments. She brings a unique perspective, having contributed to significant ventures at leading global companies: Western Union - one of the world’s largest financial brands, France Telecom/Orange – a leading mobile operator, Royal Bank of Scotland – a leading bank, LogicaCMG – the Pioneer in SMS and Wipro – one of the world's largest IT service providers.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.