Thanks to some research conducted by researchers at a cyber security company, we’ve learned that swathes of Visa customers could be at risk of becoming victims of fraud. According to the research, a flaw exists that could allow hackers to bypass a contactless spend limit that’s imposed on Visa cards by the card issuer.

Contactless spending limits

Since contactless was introduced, the limit for payments without a chip and PIN stands at £30. For the sake of convenience, this is usually enough, such as buying a bus ticket, your lunch, or a takeaway coffee. This limitation was put in place to prevent such scenarios as a third-party finding your card on the street and emptying your bank account.

However, mobile phone payments using apps like Apple Pay don’t have the same limitation by default. Because they use your phone’s authentication method, as in your PIN or Face ID, you can make higher value purchases with the applications. The exception is when a retailer has chosen to lock down transactions over a certain value, even for mobile phone apps.

“For contactless card payments, the limit remains £30. To guarantee your security, all purchases above £30 require authentication, either through using a password-protected mobile phone, or through entering your PIN.”

Visa website

The fraud risk

The cyber security company, Positive Technologies, tested their theory on 5 major UK bank cards and found that they could bypass the £30 transaction limit in every case. What’s more, it didn’t matter which payment terminal they used to test the potential scam.

According to two experts belonging to the London-based company, the fraud works by allowing two data fields to be manipulated in the technology that drives contactless payments. This data is exchanged between the card’s chip and the payment terminal during a transaction. Where the amount being requested by the terminal is higher than £30, the card will ordinarily send a response that the transaction cannot be completed.

At this point, the terminal instructs the card holder to use additional verification, a check that is based on country-specific settings. But research found that something called a ‘man in the middle‘ attack could be used, which intercepts the devices’ communication. This attack can essentially tell the terminal that verification has already been made, whilst telling the card that it isn’t necessary.

“The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing.”

Tim Yunusov, Head of Banking Security for Positive Technologies

According to the security researchers, although this is a relatively new type of fraud attack, it could lead to an increase in ‘damaging losses for banks and their customers’.

The good news is that some banks will allow you to have a debit or credit card without contactless if you specifically request that one be sent to you. So, if you never use contactless and you’re worried about the security of your accounts, you could consider speaking to you bank. But for anything else security related, you can get in touch with WiseGuys on 0808 123 2820 and we’ll be happy to help.