
Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

New submitter biomass writes with news about a flaw in Visa's contactless card that lets anyone charge $999,999 to it. According to researchers at Newcastle University in the UK, the card system developed by VISA for use in the United Kingdom fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99. "With just a mobile phone we created a POS terminal that could read a card through a wallet," Martin Emms, lead researcher of the project that uncovered the flaw, noted in a statement about the findings. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."
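
The reported flaw, modelled as an added example (not code from the researchers or from Visa): a card-side check that enforces its no-PIN limit only for sterling, beside a hardened form, plus an issuer-side screen over uploaded records. The outcome names, the hardened behaviour, the record layout and the sample records are assumptions made for the illustration; the 20 pound limit is the figure quoted in the comments.

```python
from decimal import Decimal

GBP = "826"                            # ISO 4217 numeric code for pound sterling
CONTACTLESS_LIMIT = Decimal("20.00")   # UK no-PIN limit quoted in the comments
FIELD_MAX = Decimal("999999.99")       # largest amount named in the story

# Outcome names are hypothetical labels for this model, not EMV terminology.
def card_check_flawed(amount: Decimal, currency: str) -> str:
    """Reported behaviour: the limit is applied only to sterling amounts."""
    if amount > FIELD_MAX:
        return "DECLINE"
    if currency == GBP and amount > CONTACTLESS_LIMIT:
        return "REQUIRE_PIN"
    return "APPROVE_OFFLINE"           # any other currency is never compared

def card_check_hardened(amount: Decimal, currency: str) -> str:
    """Assumed fix: an amount the card cannot compare is never approved offline."""
    if amount > FIELD_MAX:
        return "DECLINE"
    if currency != GBP:
        return "GO_ONLINE"             # let the issuer convert and decide
    if amount > CONTACTLESS_LIMIT:
        return "REQUIRE_PIN"
    return "APPROVE_OFFLINE"

def screen_clearing(records):
    """Issuer-side backstop: ids of no-PIN contactless records that need review."""
    flagged = []
    for rec in records:
        amount = Decimal(rec["amount"])
        if rec["pin_verified"]:
            continue
        if rec["currency"] != GBP or amount > CONTACTLESS_LIMIT:
            flagged.append(rec["id"])
    return flagged

# Constructed sample records, as a terminal might upload them for clearing.
SAMPLE = [
    {"id": "t1", "amount": "4.50", "currency": "826", "pin_verified": False},
    {"id": "t2", "amount": "999999.99", "currency": "840", "pin_verified": False},
    {"id": "t3", "amount": "85.00", "currency": "826", "pin_verified": True},
    {"id": "t4", "amount": "15.00", "currency": "978", "pin_verified": False},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        amt = Decimal(rec["amount"])
        print(rec["id"], card_check_flawed(amt, rec["currency"]),
              card_check_hardened(amt, rec["currency"]))
    print("review:", screen_clearing(SAMPLE))
```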
  • by Webmoth ( 75878 ) on Monday November 03, 2014 @07:15PM (#48305599) Homepage

    At least the way I read the article, the flaw allows a charge of 999,999.99 in ANY unit of currency, not specifically US dollars, or UK pounds, or Euros, or Dinars, or Rubles, or whatever.

    • I thought maybe the reader can tell the card "give me 10^6 Zimbabwe dollars", and then tell the back end the card has agreed to 10^6 UK pounds.

    • by Qzukk ( 229616 )

      Without reading TFA, "fails to recognize transactions made in non-UK foreign currencies" sounds more like "ANY unit of currency except Pounds Sterling, which was used in development and testing".

  • I'll be interested once they get the stealable amount up to something more than chump change.
    • Don't have to. Bump into a person every few minutes in a crowded subway area, and get $20 out of any of them that have a card that happens to be close enough to the "bump". If you do this every two minutes, and only 1 out of 5 people gets you a result, a 7-hour day of work will yield 42 card details, or $840 of "chump change".

      Now, think about this: this contactless payment system is not going away soon (I'm not even talking about the "vulnerabilities" exposed there). If you manage to get a channel for all thes

      • by stiggle ( 649614 )

        Don't even need to bump into people - Scanning terminal with a range of a few feet and just stand in a crowd with it in your backpack.
        Do this at say a theme park or a major tourist destination with a high turnover of passing people (eg. Tower Hill tube station in London, Champ de Mars metro station in Paris) through a narrow choke point where your scanner can pick up everyone passing and you can yield a much higher number of cards.

  • ...and unlocked for this to work?
  • (puts pinkie to corner of mouth)... "999,999 Zimbabwean Dollars!" [wikipedia.org] (cronies laugh uproariously in background)
  • a card without the NFC chip, then any transaction needs to be verified by PIN and physically placed into the POS card reader. The idea that these NFC cards are faster somehow is a fallacy. You still have to take the individual card out of your wallet, as inevitably you will end up with more than one card with NFC capabilities. Either the wrong card will be billed or the transaction will fail. At this point you might as well stick it in the reader and put in the PIN anyway.

    I got used to bumping my wallet
    • Pins can be read from the POS keypad [softpedia.com] with rather low tech, minimal effort, particularly the ones using metallic keys.
      • Pins can be read from the POS keypad

        That lets you use the card, but not clone it: you still need to have the chip which contains the secret key the PIN unlocks

    • by green1 ( 322787 )

      Depends on your bank. I have credit cards with 2 different banks. At first both of them flat out refused to send me cards without NFC, and as the NFC chip is integrated into the chip-and-pin setup you can't simply destroy the chip as many Americans can (swipe isn't the usual way of paying around here)

      More recently though one of the banks has wised up and has sent me a non-NFC card, the other one is still NFC enabled.

      That said, I have modified my NFC card to significantly reduce its effectiveness, I scor

      • As for people suggesting Faraday cage wallets and such, I'm unconvinced. A proper Faraday cage has to have no gaps, and most of these are not that tightly constructed. I would not be at all surprised if many of them provide only a feeling of security rather than actual security.

        Don't know about "faraday cage" wallets, but I carry most of my cards in a simple metallic case that loosely closes (it's not airtight or anything). It is enough for my phone to not pick up the card inside when I put them together, so I suppose it would be a severe hindrance to people trying to read an NFC card with a quick bump.

        Still, some tweaked hardware to boost the signal on the receiver side might get through. Hmm I need to run some more tests...

        • by Minupla ( 62455 )

          proper Faraday cage has to have no gaps,

          Actually not quite accurate - a faraday cage that blocks at all wavelengths would need to have a very small mesh. Rule of thumb is you want your mesh to be less than 1/4(c/freq) m.

          Since freq in the case of NFC is 13.56 MHz, that will yield us with 22/4=5.5 meters (excuse the rounding, you get the point) so anything you can wrap around your wallet is going to do the trick.

          Google NFC blocking wallets for some selections.

          Source: I attend hacker conferences. All my credit cards are NFC enabled. I don't want

    • "The idea that these NFC cards are faster somehow is a fallacy" this PROVES that it's faster! Faster at allowing thieves to rob you that is. Imagine, stress-less muggings...
  • Where's my Tin Foil wallet when I need it!
  • I'm not sure why this is news... if you swipe the mag stripe at an untrustworthy place, they can charge up to $999,999.99 too.... the system limit for a Visa/Mastercard transaction. What they're saying is an RFID chip gets too close to a scamming receiver, they create a charge. Thing is, if a charge that big hits your account, your cell phone can scream "BIG TRANSACTION DETECTED!" and then you can have the charge reversed. Remember, we live in the era of "$0 liability"... as long as you can tell them it's wro

    • As someone who has personally dealt with this issue, let me provide some insight. Every time you say "this isn't me!" they will cancel your card and issue you a new one. Now you have to wait a week or so for your new card, update every place where you use that number, hope they don't charge during that time, activate the new card, etc. It's a hassle. Now imagine a future where these scammers are all over the place.
  • Even without this flaw, you could still steal up to a certain amount. The flaw just lets you bypass the limit (20 pounds in the UK).

    This is an argument against allowing transactions without pins. Yes, it's convenient to wave your card at something and not have to put in a pin; but it's also dangerous.

    Better: I like the active "I won't share my information unless a code is manually entered on me" method of some speculative card systems and of a (configured to require a pin) google wallet.

  • I'm a millionaire, Mom I did it!

  • "you can bump your mobile against someone's pocket "

    This is a feature I won't enable on my Samsung S5 (piss poor phone), it just doesn't sound secure.

    Even Bluetooth has the same flaw it had when it first came out. The trick was pulled on me recently so I know it's an apparent feature. They even added a contact to my phone via Bluetooth.

    One can sit in a mall and collect others' contacts (for one) just by having Bluetooth on and passing a "collector", I've disabled Bluetooth again.
    Just like the first days of Blu

    • Nope. You can turn off BT. You can't turn off the NFC. You can only block it with an RFID blocking wallet, tin foil or something like it.

      Disabling it on your phone changes nothing in the communication between your card and the thief's phone.

      • by jabuzz ( 182671 )

        I appear to be able to turn it off on my Z1 Compact. However you are correct that it will make no difference to having stuff stolen from a card in your wallet.

  • why not use one of these [ebay.co.uk] cheap [ebay.co.uk] and simple [ebay.co.uk] solutions?????
  • From the article:
    > "EMV cards don’t have to make contact with a reader to be used."

    This is misleading. SOME EMV cards are contactless, but most normal (European) cards require a contact terminal and cannot be read / billed remotely.

    The author somehow blames EMV itself on the vulnerability. EMV is a complex beast and there are many ways to get it wrong, but this here is something different.
  • The poster obviously doesn't understand how credit cards work. Sure, we can do an offline transaction for whatever value we want, provided the merchant doesn't fall into any of the various restricted merchant category codes, like gambling companies and so forth. Even then, you've got an offline authorisation for almost a million dollars... you think you've stolen a million dollars? Nope! Firstly the point of sale system must upload a file containing the authorisations it's performed. The bank takes this, a
  • And what about UK foreign currencies?
