The flaw is disturbingly simple: when the amount is requested in a foreign currency, the system will approve unlimited cash transactions without a PIN, while the card is still in the victim's pocket or bag.
The transactions can be valued at up to 999,999.99 in any foreign currency. While the system limits transactions in the U.K. to a maximum of £20 before a PIN is required, making the purchase in a foreign currency sidesteps the £20 limit.
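The logic error described above, modelled as an added example (not the researchers' code, and not an EMV kernel): a simplified no-PIN floor-limit check that is only enforced when the transaction currency is the domestic one, beside a hardened version that normalises every amount into the domestic currency before comparing and refuses offline approval for any currency it cannot convert. The exchange rates, the `Transaction` type and the decision strings are all constructed for the illustration.

```python
"""Simplified model of the contactless no-PIN limit check discussed above.

Added illustration only. Real card decision logic (offline data
authentication, CVM lists, issuer risk parameters) is far richer; this
isolates the single point at issue: a floor limit that is enforced only
for transactions denominated in the cardholder's domestic currency.
"""
from dataclasses import dataclass
from decimal import Decimal

GBP = "826"  # ISO 4217 numeric code for pound sterling
NO_PIN_LIMIT_GBP = Decimal("20.00")  # UK contactless limit quoted in the article

# Constructed reference rates, used only to express foreign amounts in GBP.
# A real system would use the issuer's current rate table.
RATES_TO_GBP = {
    "826": Decimal("1.0"),
    "978": Decimal("0.80"),  # EUR -> GBP (constructed rate)
    "840": Decimal("0.62"),  # USD -> GBP (constructed rate)
}


@dataclass(frozen=True)
class Transaction:
    amount: Decimal
    currency: str  # ISO 4217 numeric code
    pin_verified: bool = False


def flawed_cvm_decision(tx: Transaction) -> str:
    """Mirrors the reported behaviour: the limit is checked only when the
    currency is GBP. Every other currency falls through to approval, so an
    arbitrarily large foreign-currency amount is approved without a PIN."""
    if tx.currency == GBP and tx.amount > NO_PIN_LIMIT_GBP and not tx.pin_verified:
        return "DECLINE_PIN_REQUIRED"
    return "APPROVE"


def hardened_cvm_decision(tx: Transaction) -> str:
    """Convert every amount into the domestic currency before comparing it
    against the floor limit, and send transactions in an unrecognised
    currency online instead of defaulting to offline approval."""
    rate = RATES_TO_GBP.get(tx.currency)
    if rate is None:
        return "DECLINE_GO_ONLINE"
    if tx.amount * rate > NO_PIN_LIMIT_GBP and not tx.pin_verified:
        return "DECLINE_PIN_REQUIRED"
    return "APPROVE"


def decide(amount: str, currency: str, pin_verified: bool = False) -> tuple:
    """Run both decision functions on one transaction; returns (flawed, hardened)."""
    tx = Transaction(Decimal(amount), currency, pin_verified)
    return flawed_cvm_decision(tx), hardened_cvm_decision(tx)


# Constructed sample transactions, including the figures cited in the article.
SAMPLE = [
    ("15.00", "826"),       # within the UK limit
    ("25.00", "826"),       # above the UK limit
    ("999999.99", "840"),   # the maximum foreign-currency amount cited
    ("200.00", "978"),      # the per-transaction size Emms describes
    ("10.00", "978"),       # small foreign amount, under the limit once converted
    ("5.00", "999"),        # currency code absent from the rate table
]

if __name__ == "__main__":
    for amount, currency in SAMPLE:
        flawed, hardened = decide(amount, currency)
        print(f"{amount:>12} {currency}  flawed={flawed:<20} hardened={hardened}")
```

The hardened check fails closed on two axes the flawed one does not: the comparison is made in one currency for every transaction, and a currency the card cannot price forces online authorisation rather than silent approval, which is the same direction Visa's response below describes (sending more transactions online).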
"With just a mobile phone, we created a PoS terminal that could read a card through a wallet," lead researcher Martin Emms explained in a statement. "All the checks are carried out on the card rather than the terminal, so at the point of transaction, there is nothing to raise suspicions."
And in a crowded public place, it could be very easy to do. "By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction," Emms added. "In our tests, it took less than a second for the transaction to be approved."
Emms envisions a scenario in which multiple attackers distributed across the world could collect small transactions of about €200 at a time for a central rogue merchant.
"At the moment, the lowest hanging fruit with regard to payment card fraud is the magnetic stripe," researcher Aad van Moorsel said in a statement. "With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature."
The researchers presented their findings on November 5, 2014 at the ACM CCS 2014 conference in Scottsdale, Arizona.
In response to the findings, Visa provided the following statement to SC Magazine: "The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world."
"For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment."
"We are updating the safeguards in the payment system to require more transactions to come online for authentication, making it even more difficult to make this kind of fraudulent attack," the company added. "This process was already underway before we were made aware of the Newcastle research."