EU-recommended ‘cumulative limit’ controls outfoxed by Jedi mind tricks

Security controls designed to limit retailers’ exposure to fraud from contactless payments can be bypassed, security researchers have warned.

Contactless – or near-field communication (NFC) – payments offer greater convenience and ease of use than earlier chip-and-PIN verification methods.

Last year, nearly 48% of in-person Visa transactions were contactless, a figure that is more than likely to rise as an indirect result of the coronavirus pandemic.

Banks and credit card issuers have claimed contactless is just as secure as earlier card payment methods.
However, research by Leigh-Anne Galloway, head of commercial research at Cyber R&D Lab, and Tim Yunusov, head of offensive security research at Cyber R&D Lab and parent company Positive Technologies, has raised doubts about such assertions.

Tap-and-go fraud

Last year, the payment security research duo showed how to bypass the UK's then £30 ($39) limit for contactless payments made using physical cards, among other hacks.

In follow-up research presented at Black Hat Asia last week, Galloway and Yunusov showed how it was possible to bypass multi-factor authentication controls designed to guard against tap-and-go fraud with contactless credit and debit cards.

The researchers devised various hacks to get around the cumulative limits – the maximum amount of money that a cardholder can spend using contactless payments before being forced to use the fallback chip-and-PIN method.


The current agreement across EU/UK banks is to allow five transactions, in line with the Payment Service Directive v2.0 (PSD2), regulations adopted by the European Union in January 2018.

This means consumers are required to enter their PIN when they make more than five consecutive contactless transactions, each of which can be no more than £45 (the current UK limit).

Galloway and Yunusov found ways to bypass the mandated multi-factor authentication checks for both MasterCard and Visa cards.

Threat models

In tests, the researchers took six payment cards (two Visa and four MasterCard) from five banks that used Strong Customer Authentication (SCA) for their cards.

The goal of the test was to use a “stolen, unblocked card” to make more than five payments for a total exceeding £225 ($290).

Two threat models were considered. In one scenario, attackers have their own point-of-sale (POS) terminal, which they are able to configure. In another, attacks are run against unattended terminals, such as self-service kiosks in fast food chain restaurants or petrol stations.


The researchers used a POS terminal with a known remote code execution (RCE) vulnerability, giving them the ability to intercept data and monitor risk management fields.

This, in turn, allowed them to run a multi-stage attack that ultimately made it possible to reset the count of the number of contactless transactions that had been carried out on a MasterCard card by sending back a falsified “PIN [entered] OK” response from the attacker-controlled terminal.

Demonstrated attacks on Visa cards also take four steps. An attacker with a stolen card who does not know the PIN can use a so-called ‘wedge device’ as part of a manipulator-in-the-middle attack and any unattended payment terminal.

Variants of these attacks were also demonstrated and described in a recent white paper (PDF) by Yunusov.


Galloway and Yunusov argue that, even though the controls limiting contactless payments have shortcomings, they are not without utility.

“Adopting PSD2 and SCA measures significantly decreases opportunities of fraud, and yet, there are still ways for malicious actors to commit fraud,” they conclude.

“Banks and financial institutions need to take proactive measures in addition to those required by regulations to reduce possible fraud surface and increase entry barriers for high-profile fraud.”

Potential mitigations against attack might involve making “an offline PIN correctly verified on the card, or an online PIN correctly verified on the HSM [hardware security module]” as the “only reason for resetting cumulative limits”, among other methods, the researchers suggest.
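To make the mitigation concrete, the following is an added example (not code from the researchers, Positive Technologies or The Daily Swig) that models an issuer's cumulative-limit counters and compares two reset rules: a weak rule that clears the counters whenever the terminal reports “PIN OK”, and the hardened rule suggested above, under which only a PIN the card verified offline or the issuer HSM verified online clears them. The class and function names, the £225 cumulative figure (five taps of £45) and the tap script are constructed for illustration; the £45 per-tap cap and the five-tap rule come from the article.

```python
"""Issuer-side model of PSD2 'cumulative limit' counters for contactless payments.

Added example (hypothetical names and limits): the weak reset rule trusts a
terminal-reported "PIN OK"; the hardened rule only trusts a PIN verified on the
card (offline) or on the issuer HSM (online), as the researchers suggest.
"""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum, auto


class Verification(Enum):
    NONE = auto()              # plain tap, no cardholder verification
    TERMINAL_CLAIMED = auto()  # terminal merely asserts "PIN OK" (untrusted field)
    OFFLINE_ON_CARD = auto()   # the card's own PIN check succeeded (trusted)
    ONLINE_HSM = auto()        # issuer HSM verified the online PIN (trusted)


# Constructed limits: £45 per tap and five taps are from the article; the
# £225 cumulative cap is simply 5 x £45.
PER_TAP_CAP = Decimal("45.00")
MAX_CONSECUTIVE_TAPS = 5
CUMULATIVE_CAP = Decimal("225.00")

# Which verification outcomes each policy accepts as grounds to reset the counters.
WEAK_RESET = frozenset({Verification.TERMINAL_CLAIMED,
                        Verification.OFFLINE_ON_CARD, Verification.ONLINE_HSM})
HARDENED_RESET = frozenset({Verification.OFFLINE_ON_CARD, Verification.ONLINE_HSM})


@dataclass
class CumulativeLimit:
    """Per-card counters kept by the issuer since the last accepted PIN verification."""
    reset_on: frozenset
    taps_since_pin: int = 0
    spent_since_pin: Decimal = Decimal("0.00")

    def authorise(self, amount: Decimal, verification: Verification) -> str:
        if amount > PER_TAP_CAP:
            return "decline"          # above the contactless cap: chip-and-PIN required
        if verification in self.reset_on:
            # A PIN verification this policy trusts clears the cumulative counters.
            self.taps_since_pin = 0
            self.spent_since_pin = Decimal("0.00")
            return "approve"
        if (self.taps_since_pin >= MAX_CONSECUTIVE_TAPS
                or self.spent_since_pin + amount > CUMULATIVE_CAP):
            return "pin_required"     # SCA step-up; counters stay as they are
        self.taps_since_pin += 1
        self.spent_since_pin += amount
        return "approve"


def run_script(policy, script):
    """Feed (amount, verification) taps to a fresh card; return decisions and total approved."""
    card = CumulativeLimit(reset_on=frozenset(policy))
    decisions, approved_total = [], Decimal("0.00")
    for amount, verification in script:
        decision = card.authorise(Decimal(amount), verification)
        decisions.append(decision)
        if decision == "approve":
            approved_total += Decimal(amount)
    return decisions, approved_total


# Constructed script: five £45 taps, a sixth where only the terminal claims
# "PIN OK" (no PIN was actually verified), then five more plain taps.
SCRIPT = ([("45.00", Verification.NONE)] * 5
          + [("45.00", Verification.TERMINAL_CLAIMED)]
          + [("45.00", Verification.NONE)] * 5)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_RESET), ("hardened", HARDENED_RESET)):
        decisions, total = run_script(policy, SCRIPT)
        print(f"{name:8s} approved £{total}: {' '.join(decisions)}")
```

Under the weak rule the unverified “PIN OK” on the sixth tap clears the counters and all eleven taps are approved (£495); under the hardened rule the same tap and every tap after it comes back as a step-up, so approvals stop at five taps (£225). The point for an issuer is that the reset decision must be keyed to evidence the issuer or the card produced, not to a field the terminal reports.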

Fraud watch

Contactless fraud reached £1.18 million ($1.5 million) in the UK alone in 2018, up from £711,000 ($920,000) a year earlier, according to press reports cited by the researchers.

Asked whether contactless card and mobile payment security was getting worse or improving from his perspective, Yunusov told The Daily Swig: “The more you see, the worse it looks.”

“The last UK Finance stats show that lost and stolen fraud numbers almost haven’t changed between 2018 and 2019,” Yunusov said. “And the attacks we’re talking about basically are related to lost and stolen cards.”

Galloway added that contactless technology was developed to offer consumers a “faster way to pay” and a better user experience, but this ought not to happen to the detriment of security.

In a statement to The Daily Swig, a Mastercard spokesperson said that contactless fraud was already low, and had been steadily decreasing over time:

Not all contactless transactions are equal: Mastercard’s unique technology and multi-layered approach to security go above and beyond by using technology such as Combined Data Authentication (CDA) to protect cardholders. For the first six months of 2020, contactless card fraud in the UK fell by 20 per cent to £8.2 million, the first year-on-year decrease since this data started being collected in 2013. The value of contactless spending for H1 2020 was £41 billion.

Yunusov responded: “In absolute number, I doubt that contactless fraud is reducing – it’s either slowly rising or stable.”

The researcher did, however, praise MasterCard’s use of CDA – an offline data authentication scheme that protects some of the risk management fields passed from the card, such as the CVM [Cardholder Verification Method] List. This is implemented to tackle the offline PIN (‘PIN OK’) attack.

Visa, which said it wasn’t familiar with Galloway and Yunusov’s latest research, echoed Mastercard in stating that contactless is secure and subject to only low levels of fraud:

Visa takes all security threats to payments seriously, and we appreciate industry and academic efforts to harden payment security. Consumers should continue to use their Visa cards with confidence. Variations of staged fraud schemes have been studied for nearly 10 years. In that time there have been no reports of such fraud. Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world. Visa’s multi-layered security approach has resulted in fraud remaining stable near historically low rates of less than one-tenth of one percent. Contactless cards are very secure. Using the same secure technology as EMV Chip, contactless cards are extremely effective in preventing counterfeit fraud by using a one-time use code that prevents compromised data from being re-used for fraud.

Related recent research from Galloway shows how card data from EMV chip and contactless interfaces can be intercepted and used to create a new magstripe card.

“This is possible because of commonalities between magstripe, a fifty-year-old technology, and EMV standards for chip inserted and contactless transactions,” she explains in a white paper.
