Researchers Hack Visa EMV FlawAndroid Devices Could Exploit UK Contactless Card Vulnerability
A flaw in Visa's EMV-based contactless payment card system in the United Kingdom means that attackers could potentially use foreign currency transactions to commit fraud, according to researchers at Newcastle University. In particular, the foreign currency flaw could, in theory, be exploited by any attacker using an Android smart phone who was able to get close to a contactless card, which typically has a range of about two inches, the researchers say.
But Visa discounts the possibility of real-world attackers successfully exploiting this flaw because of "multiple safeguards" that are in place.
The university researchers say they've created a proof-of-concept attack using an Android smart phone with built-in near-field communication capabilities, together with a rogue app they've developed. That app can pretend to be a point-of-sale terminal and fool contactless cards into authorizing transactions of less than €1 million ($1.3 million), which the attackers would then relay back to a rogue merchant account created in one of the 76 countries that currently accept EMV payments.
"With just a mobile phone we created a POS terminal that could read a card through a wallet," says Martin Emms, the lead researcher on the project and a Ph.D. student in Newcastle University's Center for Cybercrime and Computer Security. "All the checks are carried out on the card rather than the terminal, so at the point of transaction, there is nothing to raise suspicions. By presetting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."
The researchers behind the study plan to present a related paper Nov. 5 at the Association for Computing Machinery's Conference on Computer and Communications Security in Scottsdale, Ariz. They didn't immediately respond to a request for comment about whether this flaw might exist in other countries' payment card systems.
Visa Downplays Threat
Visa says it's aware of the researchers' findings, but discounts the possibility of real-world attackers successfully exploiting this flaw. "The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world," a Visa spokeswoman tells Information Security Media Group. "For these reasons, we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment."
But Visa's contactless system isn't the only one to include the vulnerability. "Our testing has showed that the underlying flaw also exists in MasterCard," the researchers say in their paper, noting that MasterCard has "additional security measures" in place that block related exploits.
MasterCard didn't immediately respond to a request for comment on those assertions.
Bypassing Chip and PIN
The United Kingdom uses a "Chip and PIN" system, which requires that a cardholder insert their credit or debit card into a POS terminal reader and enter their PIN code to authorize the transaction. Beginning in 2008, however, some U.K. card issuers began rolling out contactless EMV cards to authorize payments from credit, debit and prepaid cards - of up to Â£20 ($32) - simply by "bumping" the card against a compatible reader, no PIN code required.
Different versions of contactless payments are used in different countries. For the purpose of this study, however, the researchers say they found that Visa's U.K. system allows contactless payments to be made even if the terminal doesn't have an Internet connection. They also claim to have found a flaw in the EMV specification that could allow any transaction of up to €999,999.99 to be submitted, without using a cardholder's PIN, if it was submitted in a foreign currency via the contactless payment system.
For the attack demonstrated by the researchers, when an NFC-capable Android device - running their malicious app - is brought within range of a contactless payment card, the app will automatically send a transaction request to the card for a predefined amount. If the card approves it, then the card provides an Application Cryptogram as well as a Signed Dynamic Authentication Data, which will prove to the bank and the POS terminal, respectively, that the transaction is genuine. But that system doesn't include any cryptographic guarantees about the identity of the merchant, meaning attackers can add those details later.
Researchers say contactless-card attackers might function like pickpockets and hide in crowds at sporting events, or while using public transportation, to screen their activities. Furthermore, the attack is quick. "This process takes less than 500 milliseconds from card detection to transaction completion," the researchers contend, noting that attackers would likely keep their card-charging attempts to the $160 to $320 range to not make them look unusual or risk overdrawing the accounts.
Their app also stores these transactions for later, so that the attacker can "harvest" a large number of card transactions at once, without having to also have an Internet connection. That's possible because Visa's contactless EMV specification allows transactions to be conducted offline, they say.
How to Mitigate Attack
To be clear, however, the researchers say they have only tested the "pickpocket" part of the attack, and didn't attempt to create a merchant account with a bank or submit payments. "We have not yet tested the back-end of the system, and we appreciate that banks will have a number of security systems in place to prevent fraud," Emms says. "Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system."
Mitigating this flaw, however, should be easy: Visa could require all transactions to be authenticated online, or mandate that a PIN code be required for all foreign currency transactions, or both, the researchers say.
Visa says related changes are already under way. "We are updating the safeguards in the payment system to require more transactions to come online for authentication, making it even more difficult to make this kind of fraudulent attack," the Visa spokeswoman says. "This process was already under way before we were made aware of the Newcastle research."