Researchers from Newcastle University in the UK have discovered a way to authorize transactions using VISA contactless payment cards beyond the pre-set spending limit. If the transaction is specified in a foreign currency, it will proceed at larger amounts.
VISA contactless cards use a cryptoprocessor and RFID technology to perform secure payments without having to insert the card in a reader. An NFC-equipped mobile device may also be used as a payment card. In Europe they are debit cards and have a hard limit per transaction. In the UK the limit is £20, in Ireland €15. In Germany the limit is €25, but you can pay larger amounts by also providing a PIN or signature. In the US, where VISA uses the brand name payWave for the technology, the no-PIN limit is set by the merchant, and larger amounts may be specified with a PIN or signature.
Using the Newcastle technique, a thief with a stolen VISA contactless card could make payments for amounts larger than the limit without having a PIN or using a signature. According to the researchers, the limit is checked only in the native currency for the buyer; any amount up to 999,999.99 of a foreign currency will be approved. The VISA site says that the buyer will be challenged for a PIN periodically even when the purchase is under the limit.
We contacted VISA and have not received a response. In a report on the BBC VISA Europe stated that the research "does not take into account the multiple safeguards put into place" and that it would "be very difficult to complete this type of transaction outside of a laboratory environment." The researchers, led by Martin Emms, defend the value of the research.
In the demonstration for the BBC, Emms used a payment terminal program running on an Android phone. Because the currency and amount need to be specified on the payment terminal, it is unlikely that the attack demonstrated by Emms could be used at a genuine retail facility, but only on a rogue terminal.
Emms has published earlier research on flaws in contactless cards. In May, 2013 he showed that some contactless pay terminals, which are designed also to accept contact-based chip and PIN cards, may read a nearby contactless card when the buyer intends to use a contact card. The VISA Europe site now states that safeguards are in place to prevent this and similar errors.