Welcome to our new website!

Throughout our careers, we’ve met with great gaps in information, none more so than in payment security. Each and every one of us interacts with payment technology every day, yet most of us haven’t a clue how it works. We have grand hopes for this to be a source of knowledge on payment security for anyone just a little bit interested in learning more about payments. In addition to this website you can find us on Twitter: Leigh-Anne Galloway (@L_AGalloway) and Tim Yunusov (@a66ot). We’ll be updating this website regularly, and Leigh-Anne has plans for a book.

Visa Vulnerability

Last week Forbes published a feature on the vulnerability we discovered in Visa cards. If you haven’t read it, head over to Forbes. Tom Brewster put together an amazing video describing how the vulnerability can be exploited.
We found a way to circumvent the limits imposed on contactless (NFC-enabled) Visa cards. With this vulnerability, we can make large fraudulent payments just by reading a card! Equally, this attack can be used on a physically stolen card. This vulnerability is present because some key information is not included in the transaction cryptogram. We exploit this by modifying information between the card and the terminal, and it only requires two bits to be changed.

Contactless Limits

In the UK the contactless limit is £30 for a payment made using a physical card, and up to £5,500 for mobile wallets. In the US this amount is $50 for physical cards and up to $10,000 for mobile wallets such as GPay and ApplePay, depending on the merchant and acquiring bank settings. During the initial rollout, ApplePay pushed for no limits, but we know that issuing and acquiring banks have implemented thresholds. Sorry, Apple!
Contactless cards don’t require any kind of cardholder verification (such as PIN or signature) for values under specified amounts. These limits are a key protection mechanism that caps the amount of money that can be stolen from a card. And boy, does a lot of money get stolen! Recent statistics from FraudAction show that the amount of contactless fraud in the UK has doubled over the last ten months, with average losses of £650.

We don’t have statistics for the US yet, because rollout of contactless is just beginning.
And so too, the fraud!

“We’ve accepted the risk”

Visa's response was to hold steadfast.
They concluded: “One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer.” We’d like to point out that this is incorrect. This attack can be used on any card in proximity to the attacker; it only requires a few seconds. This would work in a bar or by tailgating someone through a barrier.
On the 22nd of July, Visa announced that fraud rates for contactless are at an all-time low!
Throughout our disclosure process, we have been transparent about the date of publishing our findings. We find this convenient on their part. We did contact Visa directly to refute both of the claims but were told: “our previous comments still stand”.


Even though Leigh-Anne had drafted a whitepaper back in March of this year, you’ll notice that the article doesn’t include the specific technical details that would let other people recreate this attack vector and exploit the vulnerability. As you’ll recall, Visa has no plans to close this vulnerability. Visa’s refusal to resolve the issue is a big driver for us to hold out on publishing a whitepaper. Instead, we decided to provide issuing banks a window of opportunity to reach out to us, as there are ways for this to be mitigated by the issuer.

Final thoughts

We are utterly disappointed in Visa’s response, both to shift all responsibility to the banks to stop and detect fraud and security issues, and their refusal to fix the problem. We can’t say we are surprised. Visa sits at the top of the “payment pyramid scheme”, and is responsible for regulating other members. Which begs the question, who regulates the regulators?
