Scientists found an issue with the security of contactless payments

Contactless credit cards are great. They allow you to pay smaller bills quickly without entering your PIN code. And they are still quite safe, because a PIN is required when buying something more expensive. However, scientists from ETH Zurich have found that some contactless credit cards may be more vulnerable than previously believed.

Scientists found a problem with Visa cards only. Image credit: ING Nederland via Wikimedia (CC BY-SA 2.0)

Europay, Mastercard and Visa established the EMV standard back in the 1990s, although it took some time for it to be implemented. It’s been updated several times since then, but the basic functionality remained the same – this standard enables contactless payments without additional security risks. Obviously, people still have to be cautious – there are ways to steal credit card information or use a stolen card. However, in general we feel safe about them.

Scientists developed a model to test the security of these contactless credit cards. And they managed to find a critical gap in a protocol used by credit card company Visa (it doesn’t concern cards from other companies). This loophole may allow some criminals to use a lost or stolen card without the PIN to make bigger purchases. The silver lining of this very dark cloud is that the process of using those contactless credit cards in a fraudulent way is very complicated.

Scientists have developed a special Android app and installed it on NFC-enabled mobile devices. Interestingly, standard Android smartphones were used and no built-in security had to be overcome. The system is used like this:

  • the first phone scans the credit card and transfers information about it to the second phone;
  • the second phone is used to debit the set amount at the checkout of some store or other place of business;
  • the vendor doesn’t realize the card is stolen, because nothing about this activity looks suspicious;
  • the special Android app removes the need to enter a PIN to complete the transaction even if a bigger amount of money is being spent.

Demonstration of the Visa security problem

So you do need an app to achieve this, but it does work. Scientists were able to test and demonstrate the principle using their own credit cards. Jorge Toro Pozo, one of the authors of the study, said: “Three changes should be made to the protocol, which could then be installed in the payment terminals with the next software update. It could be done with minimum effort. There is no need to replace the cards and all changes comply with the EMV standard”.

This scam works with different Visa cards issued in different countries operating with different currencies. Scary? Well, you should actually be happy – scientists found a weak point in the system and it can now be patched. Although it may look like bad news, this study will ultimately help improve the security of a technology that we use pretty much daily.


Source: ETH Zurich
