Researchers have discovered that the £30 limit on Visa contactless cards can be bypassed, potentially enabling criminals to empty out victims' bank accounts without touching the card.

The team from Positive Technologies tested the attack on cards provided by five major banks in the UK and successfully withdrew more than £30 each time, from accounts they had permission to target.

However, the researchers warn that the same flaws could be exploited by criminals who, thanks to contactless technology, could take a single large payment from a card without even touching it.

The hack itself uses a device which intercepts the communications between the card and the payment terminal, telling the card that no verification is needed and then telling the terminal that it has already been provided.

"This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification," the experts said.
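The check the researchers describe as missing can be illustrated on the issuer side. The following is an added example written for this page, not code from the article, from Visa or from Positive Technologies: it models an authorisation request with constructed fields (not real EMV data elements) and declines any contactless payment above the £30 limit for which the card and the terminal do not agree that a cardholder verification took place, which is exactly the mismatch the interception device creates.

```python
"""Simplified issuer-side authorisation check for contactless transactions.

Added illustration, not code from the article or from Positive Technologies.
The message fields below are a constructed, simplified model of an
authorisation request, not real EMV data elements.
"""
from __future__ import annotations

from dataclasses import dataclass

# UK contactless no-verification ceiling quoted in the article.
CONTACTLESS_NO_CVM_LIMIT_GBP = 30.00


@dataclass
class AuthRequest:
    amount_gbp: float
    contactless: bool
    # Verification the terminal reports having obtained: "none", "online_pin",
    # "signature" or "cdcvm" (verification on the cardholder's phone).
    # Constructed field.
    terminal_cvm: str
    # Whether the card itself asked for verification during the tap.
    # Constructed field: in practice the issuer must rely on data the card
    # authenticates, since a device between card and terminal can rewrite
    # anything that is not.
    card_requested_cvm: bool


def authorise(req: AuthRequest) -> tuple[str, str]:
    """Return ("approve" | "decline", reason) for a single request."""
    if not req.contactless or req.amount_gbp <= CONTACTLESS_NO_CVM_LIMIT_GBP:
        return "approve", "within limit or not contactless"
    # Above the no-CVM limit some verification must have been performed...
    if req.terminal_cvm == "none":
        return "decline", "above limit, no cardholder verification"
    # ...and the card's and terminal's accounts of it must agree.  The
    # interception described in the article produces exactly this mismatch:
    # the card was told no verification was needed, the terminal was told
    # it had already happened.
    if not req.card_requested_cvm:
        return "decline", "above limit, terminal reports a CVM the card never requested"
    return "approve", f"above limit, verified by {req.terminal_cvm}"


def flag_suspicious(batch: list[AuthRequest]) -> list[int]:
    """Post-hoc monitoring: indices of above-limit contactless payments with
    no agreed verification, i.e. what a bank's fraud system should surface."""
    return [i for i, r in enumerate(batch) if authorise(r)[0] == "decline"]


# Constructed sample traffic.
SAMPLE = [
    AuthRequest(24.99, True, "none", False),         # ordinary tap under the limit
    AuthRequest(100.00, True, "online_pin", True),   # high value, PIN entered
    AuthRequest(100.00, True, "cdcvm", False),       # intercepted tap: mismatch
    AuthRequest(100.00, True, "none", False),        # no verification at all
    AuthRequest(250.00, False, "online_pin", True),  # chip-and-PIN, not contactless
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"£{r.amount_gbp:.2f}", *authorise(r))
    print("flagged:", flag_suspicious(SAMPLE))
```

The important design point is the second test in `authorise`: declining on "no verification" alone is not enough, because the device reports a verification to the terminal. The issuer has to compare what the terminal claims against what the card itself was asked to do, using only card data the issuer can trust was not altered in transit.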

Researcher Leigh-Anne Galloway explained to Forbes that the vulnerability in Visa's payments system could expose contactless card holders to an increased risk of fraud.

"It means if you found someone's card or if someone stole your card, they wouldn't have to know your PIN, they wouldn't have to impersonate your signature, and they could make a payment for a much higher value."

Although banks have internal systems which flag up suspicious transactions, both Ms Galloway and her colleague Timur Yunusov found they were able to make payments of £100 without being detected.

According to UK Finance, contactless fraud increased from £6.7m in 2016 to £14m in 2017 and the trend appears to be continuing although more recent data is not available.

Image: Visa stated it did not expect the flaw would be widely exploited

Although the majority of fraud cases involved cards being used after being stolen or lost rather than "skimmed" or secretly charged while in the victim's pocket, the bypass would remove the £30 limit in both instances.

"The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing," said Mr Yunusov, who heads Positive's bank security team.

"While it's a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."

Visa told Forbes that it was not going to update its systems to address the hack, claiming that it was "not a scalable fraud" which it would expect to see criminals employ, but it did not dispute the existence of the vulnerability.

In a statement to Sky News, it said: "Visa takes all security threats to payments seriously, and we appreciate industry and academic efforts to harden payment security. Consumers should continue to use their Visa cards with confidence."