This morning a BBC report showed researcher claims of a potentially very serious vulnerability in Visa contactless payments. It is still not clear enough to what extent this could open the door for fraudsters around the world to use the flaw but from what was presented it seems this could be an expensive problem, most unwelcome at this time.
Contactless payments cards allow people to make purchases below a certain value by just touching the card against a Point of Sale (POS) terminal. People do not need to enter a PIN except when prompted, after a certain number of transactions.Visa and MasterCard have been active in rolling out these cards across the UK, and indeed world-wide this trend has progressed strongly this year.
Spend on contactless cards in the UK is expected to rise to £6.4 million a week in 2014, up from £3.2 million in 2013. UK is a leader in contactless payments world-wide, making the latest discovery a point for people around the world to consider and take into account in their own projects and testing involving contactless payments.
Today, a demonstration on BBC showed a mobile based contactless payment card meant to block transactions higher than £20 actually allowed an amount of $ 999999.99 to be put through as it was in a foreign currency. The claim was that the flaw is with Visa contactless cards, and not just payment via mobile phones, although the demonstration was of a mobile initiated transaction. Prof AAD Van Moorsel of Newcastle University made a statement about the research and vulnerabilities they found.
Due to the widespread roll out of these cards in the UK, it is possible that people have these cards without being aware of it. There are 48 million contactless cards in the UK today.
Visa Europe responded to the BBC on this to say the research does not take into account the multiple safeguards put into place and in practice it would be difficult to complete such a transaction. Of course, the amount would go through only if the account had the money. They were already updating their system anyway to make this kind of attack difficult.
This could be a potentially very big issue, but found by researchers before it was exploited by criminals. BBC states that so far in the UK contactless card fraud was only £51,000 in the first half of 2014, but then most people have not actually begun to use the contactless functionality on the cards.
This is an unfortunate setback at a time when contactless payments was at last set to take off. In the UK, with new rules having come into effect in July 2014, contactless cards were to be the mainstay of payments on London buses where cash is no longer accepted.
The question this raises for me is to what extent this flaw may be present in other cases of contactless payments in Europe and world-wide. The reports so far do not make it conclusively clear at what level this flaw exists – whether only for dematerialised cards on mobile phones or for all Visa contactless payments cards.