Researchers at Newcastle University claim to have found a security flaw in the new VISA contactless credit card released in the UK, which the company is pressing to be fully adopted by businesses accepting VISA by 2015.
According to the report, the researchers found that thieves could potentially create a ‘pocket reader’ that could be passed over a wallet lying on a surface, or bumped into someone’s purse or pocket, and withdraw funds from the card. They found that they were able to perform this theft with only a couple of seconds to confirm the transaction.
The attack takes advantage of the fact that the chip inside the card can be read remotely when it is within range: the card is passed over a scanner rather than having its magnetic strip swiped through a machine.
Originally, this process was meant to limit credit card theft by making it impossible to clone a credit card (a common practice in identity theft). To curb the risk of a pocket reader being used to steal funds, a limit of £20 has been implemented in the UK; anything above it requires a PIN.
The researchers found that this limit is bypassed if the amount is entered in a foreign currency, such as euros. They said that this could allow people all over the world to become victims of a single rogue merchant who has others collect these amounts in foreign currency, which are then transferred to his account.
VISA says it isn’t really a concern, however. The company claims that a number of safeguards have been put in place that protect against this eventuality outside of a lab environment, which, to be fair, is true of many security vulnerabilities found by researchers trying to exploit new products or software.
That isn’t to say it isn’t a concern, however. It shows how quickly a workaround can be developed when a new, more secure product is released. The contactless credit card is still a fairly new product that is slowly being implemented, and yet researchers have already found a potential problem. If they have, you can bet the criminals who are losing their past methods of stealing funds have gotten even further.
The findings are going to be shown in full at Arizona’s ACM Conference on Computer and Communications Security, which is being held this week.
While VISA’s reassurances are probably true, the research does bring up a lot of ‘what-ifs’. It also gives you a good reason to avoid using the contactless feature… stick with chip and PIN.