Throughout our careers, we’ve met with great gaps in information. None more so than in payment security. Each and every one of us interacts with payment technology every day. Yet most of us, haven’t a clue how they work. We have grand hopes for this to be a source of knowledge on payment security. For anyone just a little bit interested in learning more about payments. In addition to this website you can find us on twitter Leigh-Anne Galloway (@L_AGalloway) and Tim Yunusov (@a66ot). We’ll be updating this website regularly, and Leigh-Anne has plans for a book.
Last week Forbes published a feature on the vulnerability we discovered in Visa cards. If you haven’t read it, head over to Forbes. Tom Brewster put together an amazing video describing how the vulnerability can be exploited.
We found a way to circumvent the limits imposed on contactless (NFC enabled) Visa cards. With this vulnerability, we can make large fraudulent payments just by reading a card! Equally this attack can be used on a physically stolen card. This vulnerability is present because some key information is not included in the transaction cryptogram. We exploit this by modifying information between the card and the terminal. And It only requires two bits to be changed.
In the UK the contactless limit is £30 for a payment made using a physical card, and up to £5,500 for mobile wallets. In the US this amount is $50 for physical cards and up to $10,000 for mobile wallets such as GPay and ApplePay, depending on the merchant and acquiring bank settings. During the initial rollout, ApplePay pushed for no limits, but we know that issuing and acquiring banks have implemented thresholds. Sorry, Apple!
Contactless cards don’t require any kind of cardholder verification (such as PIN or signature) for values under specified amounts. These limits are a key protection mechanism which threshold the amount of money that can be stolen from a card. And boy does a lot of money get stolen! Recent statistics from FraudAction show that the amount of fraud on contactless in the UK has doubled over the last ten months. With average losses of £650.
“We’ve accepted the risk”
Visa's response was to hold steadfast.
On the 22nd of July, Visa announced that fraud rates for contactless are at an all-time low!
Throughout our disclosure process, we have been transparent about the date of publishing our findings. We find this convenient on their part. We did contact Visa directly to refute both of the claims but were told: “our previous comments still stand”.
Even though Leigh-Anne had drafted a whitepaper back in March of this year. What you’ll notice in the article is that we haven’t included the specific technical details for other people to recreate this attack vector and exploit the vulnerability. As you’ll recall Visa has no plans to close this vulnerability. Visa’s refusal to resolve the issue is a big driver for us to hold out on publishing a whitepaper. Instead, we decided to provide issuing banks a window of opportunity to reach out to us as there are ways for this to be mitigated by the issuer.
We are utterly disappointed in Visa’s response, both to shift all responsibility to the banks to stop and detect fraud and security issues, and their refusal to fix the problem. We can’t say we are surprised. Visa sits at the top of the “payment pyramid scheme”, and is responsible for regulating other members. Which begs the question, who regulates the regulators?