Researchers on Wednesday at the 21st ACM Conference on Computer and
Communications Security, detailed the attack which rely on a “rogue POS
terminal” running on a mobile device that could be pre-set to a large
amount of money, a wireless transfer of up to 999,999.99 units in any
currency.
Security researchers from Newcastle University in the UK have found a way to steal larger amounts of money from people's pockets using just a mobile phone, due to a security glitch Visa’s contactless payment cards.
Contactless payment cards use a cryptoprocessor and RFID technology to perform secure transactions without a need to insert the card in a reader, even an NFC-equipped mobile device may also be used as a payment card. But there is a specified limits country-wise.
Contactless payment cards are meant to have a limit of £20 per purchase in UK, using which shoppers can buy things by simply tapping their card on a scanner, without having to type in a PIN. But exploiting a flaw in its protocol could allow cyber criminals to manipulate the cards to transfer up to $999,999.99 in foreign currency into a scammer’s account.
'Multiple safeguards'
But the experts are worried that the contactless payment cards system is insecure, and that cybercriminals would likely use the flaw to set up hundreds or thousands of fraudulent transactions in smaller amounts to evade detection.
"Our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system," Emms said.
In a report on the BBC, Visa Europe said that "we have reviewed Newcastle's findings as part of our continued focus on security and beating payments fraud" and that their research "does not take into account the multiple safeguards put into place throughout the Visa system", adding that it would be "very difficult to complete this type of transaction outside of a laboratory environment."
Visa Europe also said that the company is updating its protection to require more payment card transactions to be authenticated online, making this kind of attack more difficult to carry out.
source:
http://www.bbc.com/news/uk-england-tyne-29862080
http://www.ncl.ac.uk/press.office/press.release/item/contactless-cards-fail-to-recognise-foreign-currency
Security researchers from Newcastle University in the UK have found a way to steal larger amounts of money from people's pockets using just a mobile phone, due to a security glitch Visa’s contactless payment cards.
Contactless payment cards use a cryptoprocessor and RFID technology to perform secure transactions without a need to insert the card in a reader, even an NFC-equipped mobile device may also be used as a payment card. But there is a specified limits country-wise.
Contactless payment cards are meant to have a limit of £20 per purchase in UK, using which shoppers can buy things by simply tapping their card on a scanner, without having to type in a PIN. But exploiting a flaw in its protocol could allow cyber criminals to manipulate the cards to transfer up to $999,999.99 in foreign currency into a scammer’s account.
'Multiple safeguards'
They said transactions with the card were approved in less than a second.
"All
the checks are carried out on the card rather than the terminal, so at
the point of transaction there is nothing to raise suspicions," said
Martin Emms, lead researcher on the project.
"By
pre-setting the amount you want to transfer, you can bump your mobile
against someone's pocket or swipe your phone over a wallet left on a
table and approve a transaction."
He acknowledged the study had not looked at the security systems banks have in place to prevent fraud.
But he added it was not clear, looking at the payment protocol, how banks would deal with the problem.
Visa
said it had reviewed the research and it did not take into account
"multiple safeguards put into place throughout the Visa system".
"For
these reasons we do not believe the findings to be a cause for concern,
as it would be very difficult to complete a fraudulent payment of this
kind outside a laboratory environment," its statement said.
The
good news is that the research team haven’t tested how Visa’s system
reacted to a rush of foreign currency transfers, and whether it would
flag them up as a possible fraud or not.But the experts are worried that the contactless payment cards system is insecure, and that cybercriminals would likely use the flaw to set up hundreds or thousands of fraudulent transactions in smaller amounts to evade detection.
"Our research has identified a real vulnerability in the payment protocol, which could open the door to potential fraud by criminals who are constantly looking for ways to breach the system," Emms said.
In a report on the BBC, Visa Europe said that "we have reviewed Newcastle's findings as part of our continued focus on security and beating payments fraud" and that their research "does not take into account the multiple safeguards put into place throughout the Visa system", adding that it would be "very difficult to complete this type of transaction outside of a laboratory environment."
Visa Europe also said that the company is updating its protection to require more payment card transactions to be authenticated online, making this kind of attack more difficult to carry out.
source:
http://www.bbc.com/news/uk-england-tyne-29862080
http://www.ncl.ac.uk/press.office/press.release/item/contactless-cards-fail-to-recognise-foreign-currency
0 comments:
Post a Comment