A flaw in Visa's contactless credit cards means they will approve unlimited cash transactions without a PIN when the amount is requested in a foreign currency.

New research by experts at Newcastle University, UK, has highlighted a 'glitch' in the Visa system which means their contactless cards will approve foreign currency transactions of up to 999,999.99 in any foreign currency.

Side-stepping the £20 contactless limit, transactions can be carried out while the card is still in the victim's pocket or bag. Transactions are carried out offline, avoiding any additional security checks by the bank, and although the current system requires the credit card to authenticate itself, there is currently no requirement for the POS (point of sale) terminal to do the same.

Presenting their research at the prestigious CCS 2014 academic conference in Arizona, the Newcastle team say this flaw in the system could open the door to potential fraud by criminals who are constantly looking for ways to breach the systems

"With just a mobile phone we created a POS terminal that could read a card through a wallet," explains Martin Emms, lead researcher on the project.

"All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved.

"We have not yet tested the back end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud. Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system. It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research, hence we believe the vulnerability poses a potential threat.

"The fact that we can by-pass the £20 limit makes this new hack potentially very scalable and lucrative. All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate."

Contactless cards

The ability to buy items costing up to £20 without the need to insert your card into a terminal and input a PIN has proved hugely popular despite initial fears over security.

Introduced for speed and customer convenience, the safeguards built into the EMV system (Europay, MasterCard and Visa) will limit the maximum value allowed for each contactless transaction to £20. Any amount over £20 will require the cardholder to enter their PIN.

Once a 'rogue POS terminal' has been set up – either on a mobile phone or a system similar to those placed illegally on ATM machines – the criminal inputs the amount they want to transfer.

This is then touched against the card, the transaction is approved and a code is supplied by the card – all in less than a second. This code would then be sent back to the bank to free up the funds.

"This lends itself to multiple attackers across the world collecting small transactions of perhaps €200 at a time for a central rogue merchant who could be located anywhere in the world," explains Emms, who is based in the University's Centre for Cybercrime and Computer Security.

"This previously undocumented flaw around foreign currency, combined with the lack of POS terminal authentication and the ease of skimming contactless credit cards, makes the system more vulnerable to high-value attacks."

Professor Aad van Moorsel, Head of the School of Computing Science at Newcastle University and one of the authors on the paper, added: "At the moment, the lowest hanging fruit with regard to payment card fraud is the magnetic stripe.

"With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature.

"If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited."

More information: "Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN". Martin Emms, Budi Arief, Leo Freitas, Joseph Hannon, Aad van Moorsel, School of Computing Science, Newcastle University. ACM CCS 2014 in Arizona, USA. "Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN". Martin Emms, Budi Arief, Leo Freitas, Joseph Hannon, Aad van Moorsel, School of Computing Science, Newcastle University. ACM CCS 2014 in Arizona, USA. www.sigsac.org/ccs/CCS2014/