Flaw in Visa contactless payments could allow theft of thousands of dollars

Swiss researchers have uncovered a vulnerability in the payment system for Visa bank cards, which would allow the payment limit of 50 euros to be exceeded without a code.

Due to the Covid-19 epidemic, contactless payment by bank card is enjoying growing success. However, Swiss researchers have discovered a way to bypass the security measures in place.

In France, you can make contactless payments with a bank card, without a secret code, up to 50 euros. This limit was set to reduce the risk of fraud. However, these Swiss researchers, from the Swiss Federal Institute of Technology in Zurich, have shown that it is possible to deceive payment terminals and spend much greater amounts with a bank card, without using a code.

Two smartphones and an app

While contactless payments with a card are limited to 50 euros, there is no such limit when paying with a smartphone or a connected watch. In that case, security is guaranteed by authentication on the phone (secret code, fingerprint, facial recognition).

To carry out their little “scam”, for educational purposes, the researchers used two smartphones and an application developed especially for Android. The first smartphone is placed in contact with a bank card that could be stolen (for example, in a pocket), while the second smartphone is used to pay at a payment terminal (for example at a seller). The two telephones communicate with each other, and the bank card is debited by breaking the security of the card, which makes it possible to potentially spend several thousand euros without a secret code (process explained here).

Visa warns you

This is therefore a weakness in the Visa payment protocol. But do not panic: it is unlikely that this really threatens the finances of the French, given the relative technical complexity of the process. The Swiss researchers claim to have informed the Visa-Mastercard consortium. An update should be rolled out to payment terminals, although this may take time.

Note that, according to these researchers, Mastercard payment cards are not affected by this problem. All this argues, ultimately, in favor of contactless payment by mobile phone, which is more secure than by credit card.
