One penny to a millionaire, or the $999,999.99 Theft.

(Image: Visa payWave card and card reader)

The Great $999,999.99 Theft

In today's world of wireless technology, paying directly from your iPhone, Android, iPad, Windows Mobile device, etc. is the up-and-coming trend. Of course, we have all also heard of Apple Pay, one of the newest ways to pay for products and services.

This method of payment is also called a 'Contactless Transaction' or a 'Contactless Payment', because you are using your wireless device to interface directly with a Point of Sale terminal from a very short distance.

The credit card companies are now coming out with their own methods of contactless payments as well, and the latest one to do so is Visa.  Their method of making cashless payments is called the ‘Visa payWave.’ 

This type of payment is used primarily by high-volume merchants whose customers are always on the go. Typical merchants that use this contactless payment infrastructure include McDonald's, Starbucks, Transport for London, etc.

How the ‘Visa payWave’ Works

At the present time, the ‘Visa payWave’ infrastructure is being used primarily in the United Kingdom.  In fact, over 11,000,000 contactless payments are made each month by customers.  Here is how this type of payment technology works:

1) Any Visa credit card with the 'payWave' feature is already outfitted with an embedded microchip and a miniature antenna, in order to communicate with the contactless reader at the Point of Sale (POS) terminal. The communication protocol used here is known as 'Near Field Communication', or 'NFC' for short. If your Visa credit card can be used for this type of payment, the following symbol will appear on it:

(Image: the Near Field Communication contactless symbol)

2) Next, the merchant from whom you wish to buy a product must also accept 'Visa payWave' (they also need to have the NFC technology deployed, in particular an NFC Reader attached to the POS terminal). If they do, the following symbol will appear at their POS terminal:

(Image: the payWave symbol using Near Field Communication)

3) Finally, to make your payment, all you have to do is hold your Visa credit card close to the NFC Reader on the POS terminal, and seconds later you will hear a beep. This is your notification that your transaction has been completed.

The Security Vulnerability Associated with ‘Visa payWave’

There is a spending limit associated with the ‘Visa payWave’, and that is 20 British Pounds for every transaction that is made.  But, just recently, researchers at Newcastle University discovered a very serious security flaw with this method of payment. 

That is, this limit can literally be bypassed. For example, up to 999,999.99 in a foreign currency (any currency other than the British Pound, such as US dollars) can be covertly transferred from an individual's 'Visa payWave' credit card.

In order to exploit this security vulnerability, the hacker first has to rig a smartphone so that it acts like a card reader (that is, like a POS terminal). Then the smartphone has to be passed over the wallet or purse that contains the Visa credit card.

With this, the information and data transmitted by the antenna on the credit card can be captured and used to hijack funds from an individual's account. If the hacker is stealthy enough, this type of security breach can occur in just one second. It is unknown how Visa or the other banks accepting the 'payWave' credit card would react to a large volume of foreign currency transfers.

The researchers did not go to this extreme in testing the newly found security vulnerability. They merely wanted to demonstrate that it does exist, and that if such a breach were to occur in a real-world scenario, it could prove to be a very lucrative one for the hacker.

It was also stated that large venues such as Heathrow Airport or the London Underground would be perfect places in which to launch this type of attack, as foreign currencies are accepted on a daily basis.
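To make the flaw concrete, here is an added Python illustration (it is not from the article, and it is not Visa's or the researchers' code) of a simplified authorization rule: a per-transaction limit that is only enforced when the amount is in the card's home currency, beside a hardened rule that converts every amount to pounds before comparing and refuses to wave through a currency it does not recognise. The currency codes are real ISO 4217 numbers; the exchange rates are constructed placeholders.

```python
from dataclasses import dataclass

# ISO 4217 numeric currency codes (real values).
GBP, USD, EUR = 826, 840, 978

# The 20 GBP per-transaction contactless limit from the article, in pence.
CONTACTLESS_LIMIT_PENCE = 2000

# Constructed, illustrative rates: pence per minor unit of the foreign currency.
# A real issuer would pull these from its own rate feed.
RATE_TO_GBP = {GBP: 1.0, USD: 0.62, EUR: 0.80}


@dataclass
class Transaction:
    amount_minor: int  # amount in minor units (pence, cents, ...)
    currency: int      # ISO 4217 numeric code


def flawed_cvm_required(tx: Transaction) -> bool:
    """Weak rule: the limit is only checked for GBP transactions.

    A foreign-currency transaction of any size passes this check and is
    approved without cardholder verification (no PIN, no signature).
    """
    return tx.currency == GBP and tx.amount_minor > CONTACTLESS_LIMIT_PENCE


def hardened_cvm_required(tx: Transaction) -> bool:
    """Hardened rule: convert to GBP first, and fail closed on unknown currencies.

    An amount the terminal cannot value in pounds is treated as over the limit,
    so an unexpected currency can never be used to skip verification.
    """
    rate = RATE_TO_GBP.get(tx.currency)
    if rate is None:
        return True
    return tx.amount_minor * rate > CONTACTLESS_LIMIT_PENCE


def authorize(tx: Transaction, cvm_required) -> str:
    """Return 'approved' for a tap-and-go payment, or 'verify' when the
    cardholder must confirm the transaction before it can proceed."""
    return "verify" if cvm_required(tx) else "approved"
```

Run the same 999,999.99 USD transaction through both rules: the flawed one approves it with no verification, while the hardened one demands cardholder verification just as it does for any GBP amount over twenty pounds.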

In response to these findings, Visa Europe also announced that they are taking further initiatives to add more authentication protocols to contactless payment transactions.

Albert E. Whale is the President and Chief Security Officer for IT Security, Inc, a security consulting company focused on the Security of the Applications, Cloud, Internet & Network based resources.  IT Security, Inc. works with organizations to assess and resolve issues with their enterprises, focusing on getting security done right.  

View my LinkedIn Profile or contact IT Security, Inc. directly at 412-515-3010 or http://www.IT-Security-inc.com.
