Report: A Flaw In Visa's Contactless Card Lets Anyone Charge It $999, 999

[InfoSec News <alerts () infosecnews org>]

http://gizmodo.com/report-a-flaw-in-visas-contactless-card-lets-anyone-ch-1653974432

By Kelsey Campbell-Dollaghan
Gizmodo.com
November 3, 2014

Contactless credit cards are a hit in the UK. But a British research team 
has revealed a serious security flaw that allows anyone to charge up to 
$999,999.99 in foreign currency to a nearby card, even while it's still in 
a wallet or purse.

Contactless cards let you buy things without a pin, up to a certain limit 
(£20 in the UK), thanks to radio waves emitted from the card and picked up 
by a nearby terminal. But according to a team from Newcastle University, 
there's a serious security flaw in at least one major company's 
contactless system.

At the ACM Conference on Computer and Communications Security, which is 
going on this week in Arizona, the team explained how it's easy to set up 
a point-of-sale terminal using a phone, then create a transaction of up to 
$999,999.99. Crucially, the payment amount must be requested in foreign 
currency, otherwise the £20 limit will kick in. Here's a video of the lead 
author, Martin Emms, demonstrating the hack for the BBC.

"By pre-setting the amount you want to transfer, you can bump your mobile 
against someone's pocket or swipe your phone over a wallet left on a table 
and approve a transaction. In our tests, it took less than a second for 
the transaction to be approved,"said lEmms in a release about the study. 
"All a criminal would need to do is set up somewhere like an airport or 
the London underground where the use of different currencies would appear 
legitimate."

[...]


--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/