
Security breach allows Visa cards to spend more than € 30 in contactless payment

Hackers have managed to take virtual possession of Visa cards and bypass the €30 spending limit on contactless payments.

Although researchers have mostly observed this fraud in the UK, it can still take place outside the country.

Flaw tested against five major UK banks


The researchers tested five British banks. For all of them, the block at the £30 (or €32.92) threshold, like the contactless verification itself (in the United Kingdom, an additional secret verification code is required to validate payments over £30), did not work with the Visa cards tested.

The researchers also noted that the test was performed outside the country, again with Visa cards. Bypassing the contactless payment limit appears possible because Visa does not require issuers and acquirers to perform controls that block payments made without minimum checks.

The discovery of this flaw highlights a serious lack of security. Visa and the issuing banks should impose such controls. In addition, banks should have their own tools to detect and block the circumvention device.

How the attack works


The payment limit is circumvented by a device that intercepts the communication between the card and the terminal. This tool acts as a proxy: it first tells the card that it does not need to request additional checks (such as the secret code), even if the amount to be paid exceeds £30.

The same device then tells the terminal that the verification has been carried out. Because the controls by issuers and acquirers are not mandatory, the payment is approved, contactless and, of course, without any secret code being needed to validate the purchase.

Similarly, if you have added your Visa card to your mobile wallet and pay with it, be careful: the bypass also works on this system, and it is now possible to charge you, illegally of course, up to £30 without unlocking your phone.
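The issuer-side control the article says is not mandatory can be sketched as a small authorisation rule. This is an added example, not code from the researchers, Visa or any bank; the field names are hypothetical, and it assumes the issuer receives both the terminal's claim and card-authenticated data that a proxy sitting between card and terminal cannot rewrite.

```python
from __future__ import annotations
from dataclasses import dataclass

LIMIT_PENCE = 3000  # the £30 contactless threshold named in the article


@dataclass(frozen=True)
class AuthRequest:
    """One contactless authorisation as an issuer might see it.

    Both *_verified fields are hypothetical names (assumption: the issuer
    sees the terminal's claim and, separately, the card's authenticated view).
    """
    txn_id: str
    amount_pence: int
    terminal_verified: bool  # terminal's claim: cardholder verification done
    card_verified: bool      # card's own view: verification actually done


def decide(req: AuthRequest) -> tuple[str, str]:
    """Return (decision, reason) for a single request."""
    # The proxy tells the card "no check needed" and the terminal "check done",
    # so the two views disagree. Decline on that regardless of amount.
    if req.terminal_verified and not req.card_verified:
        return "decline", "verification_mismatch"
    # Limit control: above the threshold, the card itself must confirm it.
    if req.amount_pence > LIMIT_PENCE and not req.card_verified:
        return "decline", "over_limit_unverified"
    return "approve", "ok"


def flagged(requests: list[AuthRequest]) -> dict[str, str]:
    """Map txn_id -> reason for every request that would be declined."""
    results = ((r.txn_id, decide(r)) for r in requests)
    return {tid: reason for tid, (d, reason) in results if d == "decline"}


# Constructed sample data, not real transactions.
SAMPLE = [
    AuthRequest("t1", 1250, False, False),  # ordinary low-value tap
    AuthRequest("t2", 8900, True, True),    # high value, genuinely verified
    AuthRequest("t3", 8900, True, False),   # the two views disagree
    AuthRequest("t4", 4500, False, False),  # over the limit, never verified
]
```

Running `flagged(SAMPLE)` declines only `t3` and `t4`; the rule works because it trusts the card's view over the terminal's when they differ.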

In the United Kingdom, these frauds amounted to £8.4 million in the first half of 2018 alone. In 2017, they amounted to £14 million.

This is why Visa cardholders are urged to check their account statements closely, so that any fraudulent use is detected as soon as possible. Researchers also recommend setting up payment verification and validation via codes received by message.
