Throughout our careers, we’ve met with great gaps in information, none more so than in payment security. Each and every one of us interacts with payment technology every day, yet most of us haven’t a clue how it works. We have grand hopes for this to be a source of knowledge on payment security for anyone just a little bit interested in learning more about payments. In addition to this website you can find us on Twitter: Leigh-Anne Galloway (@L_AGalloway) and Tim Yunusov (@a66ot). We’ll be updating this website regularly, and Leigh-Anne has plans for a book.
Visa Vulnerability
Last week Forbes published a feature on the vulnerability we discovered in Visa cards. If you haven’t read it, head over to Forbes. Tom Brewster put together an amazing video describing how the vulnerability can be exploited.
We found a way to circumvent the limits imposed on contactless (NFC-enabled) Visa cards. With this vulnerability, we can make large fraudulent payments just by reading a card! Equally, this attack can be used on a physically stolen card. This vulnerability is present because some key information is not included in the transaction cryptogram, so changes to that information are not detected by the issuer. We exploit this by modifying the information between the card and the terminal, and it only requires two bits to be changed.
Contactless Limits
In the UK the contactless limit is £30 for a payment made using a physical card, and up to £5,500 for mobile wallets. In the US this amount is $50 for physical cards and up to $10,000 for mobile wallets such as GPay and ApplePay, depending on the merchant and acquiring bank settings. During the initial rollout, ApplePay pushed for no limits, but we know that issuing and acquiring banks have implemented thresholds. Sorry, Apple!
Contactless cards don’t require any kind of cardholder verification (such as PIN or signature) for values under the specified amounts. These limits are a key protection mechanism that caps the amount of money that can be stolen from a card. And boy does a lot of money get stolen! Recent statistics from FraudAction show that the amount of contactless fraud in the UK has doubled over the last ten months, with average losses of £650. We don’t have statistics for the US yet, because the rollout of contactless is just beginning. And so too, the fraud!
“We’ve accepted the risk”
Visa’s response was to hold steadfast. They concluded, “One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer.” We’d like to point out that this is incorrect. This attack can be used on any card in proximity to the attacker; it only requires a few seconds. This would work in a bar or by tailgating someone through a barrier.
On the 22nd of July, Visa announced that fraud rates for contactless are at an all-time low:
https://usa.visa.com/visa-everywhere/security/how-visa-secures-contactless-payments.html?linkId=70535419
Throughout our disclosure process, we have been transparent about the date on which we would publish our findings. We find the timing of this announcement convenient on their part. We did contact Visa directly to refute both of the claims, but were told: “our previous comments still stand”.
Whitepaper?
Leigh-Anne had drafted a whitepaper back in March of this year. However, you’ll notice that the article does not include the specific technical details that would allow other people to recreate this attack vector and exploit the vulnerability. As you’ll recall, Visa has no plans to close this vulnerability. Visa’s refusal to resolve the issue is a big driver for us to hold out on publishing a whitepaper. Instead, we decided to provide issuing banks a window of opportunity to reach out to us, as there are ways for this to be mitigated by the issuer.
Final thoughts
We are utterly disappointed in Visa’s response, both in shifting all responsibility to the banks to stop and detect fraud and security issues, and in their refusal to fix the problem. We can’t say we are surprised. Visa sits at the top of the “payment pyramid scheme” and is responsible for regulating the other members, which begs the question: who regulates the regulators?