A “major flaw” has been discovered in Visa contactless cards, where thieves in the U.K. were able to sidestep a £20 limit and charge as much as £999,999.99, as long as they chose the option to select a foreign currency, according to a report in The Daily Mail. Below that limit, transactions can be completed without keying in a PIN.
Researchers at Newcastle University made the discovery, the paper reported, after finding that the limit had not been properly programmed for foreign currency.
“All the checks are carried out on the card rather than the terminal, so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction,” the researchers told the paper. “All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate.”
The researchers said the setup was minimal. “Once the rogue POS terminal had been set up – either on a mobile phone or a system similar to those placed illegally on ATM machines – they were able to input the amount they wanted to transfer. When touched against the card, the transaction was automatically approved and a code was supplied by the card – all in less than a second,” the story said. “This code would then be sent back to the bank to free up the funds.”
But a spokesman for Visa Europe told MailOnline: “We have reviewed Newcastle’s findings as part of our continued focus on security and beating payments fraud. The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world. For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.”
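The missing foreign-currency check the researchers describe can be seen in a simplified model of a card-side limit decision. This is an added example, not code from the researchers or from Visa. The function names, decision strings and sample requests are assumptions, and the hardened policy is one conservative option rather than a documented fix.

```python
# Simplified model of a card-side contactless limit check.
# Assumed logic for illustration; not Visa's or the researchers' code.
GBP = "826"                # ISO 4217 numeric code for pound sterling
NO_PIN_LIMIT_MINOR = 2000  # the article's £20 limit, expressed in pence

# Constructed sample requests: (currency code, amount in minor units)
SAMPLES = [
    (GBP, 1500),        # £15.00
    (GBP, 2500),        # £25.00
    ("840", 1500),      # 15.00 USD
    ("978", 99999999),  # 999,999.99 EUR
]

def flawed_decision(currency, amount_minor):
    """The limit is only compared when the currency is the domestic one."""
    if currency == GBP and amount_minor > NO_PIN_LIMIT_MINOR:
        return "REQUIRE_PIN"
    return "APPROVE_NO_PIN"  # any foreign-currency amount falls through

def hardened_decision(currency, amount_minor):
    """Fail closed. This model assumes the card holds no exchange rates, so a
    foreign-currency amount can never be shown to be under the domestic limit."""
    if amount_minor <= 0:
        return "DECLINE"
    if currency != GBP:
        return "REQUIRE_PIN"
    if amount_minor > NO_PIN_LIMIT_MINOR:
        return "REQUIRE_PIN"
    return "APPROVE_NO_PIN"

def compare(samples=SAMPLES):
    """Return (currency, amount, flawed result, hardened result) per sample."""
    return [(c, a, flawed_decision(c, a), hardened_decision(c, a))
            for c, a in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The two functions agree on every sterling request and differ only on foreign-currency ones, which is the gap the article describes.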