Contactless card glitch could let criminals steal unlimited amounts in other currencies

Researchers claim to have found a major security flaw

Steve Connor
Tuesday 04 November 2014 17:06 GMT
Contactless transactions are supposed to be limited to a maximum of £20

A glitch in the new contactless bank cards means that it is possible to approve unlimited cash transactions without the use of a PIN - as long as the amount is in a foreign currency, scientists have said.

The flaw could allow fraudsters to take transactions of up to 999,999.99 in any foreign currency from unwitting victims, using a mobile phone that has been set up to act as a contactless point-of-sale terminal, researchers at Newcastle University have claimed.

Contactless transactions – when the card is simply tapped onto a reading device at a terminal – are supposed to be capped at a maximum of £20 to limit possible fraud. However, the Newcastle scientists believe this limit can be easily breached so long as the transaction is in a foreign currency.

“With just a mobile phone we created a POS terminal that could read a card through a wallet. All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions,” said Martin Emms, the lead researcher on the project at Newcastle.

“By presetting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved,” Dr Emms said.

However, the credit card company Visa said it had reviewed the Newcastle findings, and found they did not take into account “multiple safeguards put into place throughout the Visa system”.

It added: “For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.”
