Researchers criticize Visa and wider payment industry for disclosure response
Vulnerabilities in contactless payments pose a threat to the integrity of the increasingly popular payment model, security researchers have warned.
Contactless (NFC) payments, first introduced in 2007, are becoming more and more commonplace, accounting for 40% of transactions globally, and fast replacing both cash and earlier chip and PIN verification methods as a preferred method of payment.
Leigh-Anne Galloway, a payment security researcher at Positive Technologies (PT), and her colleague Tim Yunusov, a security researcher also with PT, have discovered several problems in the security of contactless payments.
During a presentation at the Black Hat Europe conference in London today (December 4) the researchers demonstrated for the first time how to bypass the UK £30 ($39) limit for contactless payments made using physical cards.
The trick involves presenting a physical card as if it were a software token on a smartphone, bypassing Visa’s limits in the process.
Related trickery can be used to circumvent limits for mobile wallets using locked mobile phones.
Over the limit: A contactless transaction of £31.00
Time for a shake-up
The researchers also discovered issues in the cryptographic protocol behind NFC payments – in particular, flaws were found in the generation keys values, the unpredictable number (UN), and application transaction counter (ATC).
These shortcomings make it possible to clone transactions.
Some of the problems in contactless stem from use of protocols much older than the technology itself, Galloway and Yunusov explained, including the magstripe mode and EMV (Europay, MasterCard, and Visa) protocols.
In another first, the researchers performed a pre-play attack using EMV without downgrading to legacy modes.
Yunusov told The Daily Swig that the attack was possible because of a lack of checks by card issuing banks. Galloway and Yunusov privately disclosed their research to Mastercard, Visa and a number of banks before publicly demonstrating the hacks that they had uncovered.
“Visa are aware of the issues but don’t see any problems,” Yunusov said. Mastercard, which has a greater presence in Europe, is less exposed.
The researchers have no direct evidence that cybercriminals are using or offering for sale hacks based on the security shortcomings they have outlined. The majority of fraud relies on more basic techniques and easier pickings.
According to Visa, the company’s global contactless fraud rate declined by 33% between 2017 and 2018 – and by 40% in Europe over the same period.
“Using the same secure technology as EMV Chip, contactless cards are extremely effective in preventing counterfeit fraud by using a one-time use code that prevents compromised data from being re-used for fraud,” a Visa spokesperson told The Daily Swig in line with the researchers’ presentation.
Galloway and Yunusov nonetheless hope that their research will help “shake-up the industry” or at least encourage payment providers to discount invalid assumptions and re-examine systems.
Galloway told The Daily Swig: “If you were to report an issue to a more mainstream organization, for example Google, they would just fix the vulnerability. But if you were to report an issue in the payment industry it gets a very different response. Such as denial, ‘no we’re not going to do that’, or don’t see an issue yet, so why should we fix it?”
“Which is completely strange because, in 2019, you have many bug bounty programs and these mean (even if researchers don’t always get compensated) that vendors will probably fix problems.
“Visa’s stance is ‘we’re not going to fix this’.”
Convenience adds security risk
Contactless payment systems involve using credit cards and debit cards, smartphones and other devices that incorporate radio-frequency identification (RFID) or near field communication to make secure payments.
The embedded integrated circuit chip and antenna enable consumers to wave their card or smartphone over a reader at the point of sale terminal in order to make a payment.
Merchants like contactless because transactions because they can be completed quickly. Because no signature or PIN verification is typically required, contactless purchases are typically limited to small value sales.
“As long as fraud is covered by our insurance or doesn’t exceed expectations, we are fine” payment providers maintain, according to Yunusov.
The spokesperson from Visa told The Daily Swig that the company took all security threats to its payment systems seriously and that research to improve its defenses was always welcomed.
“Variations of staged fraud schemes have been studied for nearly 10 years – in that time there have been no reports of such fraud,” the spokesperson said.
“Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world.
“Visa’s multi-layered security approach has resulted in fraud remaining stable near historically low rates of less than one-tenth of 1%.”
Galloway concluded: “Contactless payments were introduced to make paying for things easier so people would spend more, but the technology has a number of security issues, potentially more than using chip and PIN” to authorize transactions.
Further details related to the researchers' findings are now available on Galloway’s website.
YOU MIGHT ALSO LIKE Cayman National Bank confirms data breach impacted Isle of Man subsidiaries