Visa claims it is not possible to breach the security of its contactless card payments system to empty people's accounts after researchers found contactless payment limits could be sidestepped.
Researchers at the School of Computing Science at Newcastle University in the UK this weekend published findings that claimed it was possible to bypass the £20 (A$36.65) limit on contactless payments on Visa cards by exploiting a "glitch" in the system.
The vulnerability means transactions of up to 999,999.99 in any foreign currency would be approved, according to Martin Emms, lead researcher on the Newcastle University project.
Emms said it was possible to exploit the vulnerability by reading cards in people's wallets, in locations such as airports and on public transport.
The research said transaction checks are carried out on the cards themselves rather than on terminals, a claim Visa refuted.
"We have reviewed the researchers' findings and concluded they do not take into consideration the multiple layers of security that protect Visa payWave transactions, outside of a research lab environment," a Visa Australia spokesperson told iTnews.
"Existing security measures such as online authorisation and real-time risk scoring for international transactions, as well as merchant risk evaluation and monitoring, will help to prevent this type of attack outside the lab."
According to the spokesperson, most banks in Australia and New Zealand have configured their cards to send all foreign currency contactless transactions online so they can be authorised by the issuer in real time.
In their paper, the researchers admitted they had not tested the back-end of the contactless payments transaction authorisation system.
But they claimed the research nevertheless identified a real vulnerability in the payments protocol that could open the door to fraud by criminals.
A spokesperson for Newcastle University told SC Magazine UK the researchers had confirmed the vulnerability was real.
"The researchers did actually do it on their own cards and managed to get the whole way through, obviously not for a million, they took a few hundred euros but it went all the way through on their cards," the spokesperson said.
Visa told iTnews it welcomed various academic and professional efforts to identify and address vulnerabilities in the payments system.
"It is these kinds of efforts along with our internal monitoring and testing that allow Visa and the industry to make payments more secure for all parties involved," the spokesperson said.