Nytro Posted November 6, 2014 Report Posted November 6, 2014 How To Steal $999,999.99 From Visa Contactless Cards Without PIN. Posted on November 6, 2014 by Waqas Findings from the newly submitted research paper at Newcastle University will shock many of the people using VISA contactless payment system. Amazing aspect of the research is that it doesn’t involve any kind of hack, it’s just a trick that can force contactless payment owners to pay much more than they were willing to spend. Such an attack is a special type of Man in the Middle (MitM) attack. So, fasten your seat belts and get ready because something quite astonishing is about to be unraveled! Let’s first look at how contactless bank payment system work. Contactless bank payment (relies on near field communication technology) allows it’s users to pay on the wavier of the card at the payment terminal (card must be within 5cm of the terminal to work). The system is widely used at a number of places (London’s Oyster and Sydney’s Opal are the examples) to charge the users instantaneously. When a user waivers the card through electromagnetic field, an antenna inside the card produces a small current and this wakes up the chip inside the card which reads the data, makes the calculations and provides the reply. Now you must be wondering what’s wrong with the system. Really, there is a massive loop hole in the system let me unravel it. Consider a rigged payment terminal put into place and it detects your card for payment. Though, for only small transactions (less than $20) no pin is required but serious cash can be made if machine can trick through large number of cards each day. It’s like a magnetic field that is always looking to attract different types of materials. Researchers when researched deep into this problem, they found number of concerns over the usage of cards and the related policies: 1. When using VISA cards for foreign payments, the restriction of entering PIN for payments over 20 pounds is omitted. 2. When paying in foreign currency, the official restriction in term of local currency for the payment is omitted. And the card can be charged amount as large as 8-figures. So, if you are in UK your card can be charged up to US$999,999.99 (Not a bad deal for an ordinary thieve J) 3. When paying offline over 100 pounds in foreign currency, security for the payment is reduced and the card is made committed for the transaction without even involving the bank.Though, researchers are not yet sure if transactions exceeding the available balance are allowed or not but once the transaction is made offline the thieve can easily create fake document to claim money or show the money belongs to him and the real owner only gets updates once the transaction is processed. Another concern that is not related to the usage of cards but the terminals: 1 Terminals can even work as spying tool, as many people use these NFC terminals to have the information to their smartphones offline and if rigged these terminal can easily gather information from the people’s smartphones.So, what should be done to stop this from becoming a reality? Well, the researchers have listed some important tips for the contactless payment system and the developers. Tip for the developers: 1. Always require a PIN for foreign currencies. 2. Always require online transaction verification for foreign currencies. Tips for Technology users: 1 If you don’t travel overseas regularly, ask your bank if it offers an option to prevent transactions in foreign currencies. 2. Keep your card in a wallet or cover that blocks electromagnetic radiation so it has to be taken out to be used. 3. Do your low value payments with cash, so you don’t need contactless transactions enabled on your card at all.Sursa: http://hackread.com/how-to-steal-million-from-visa-contactless-cards/ Quote
