NEWCASTLE, England—A team of researchers at Newcastle University claims to have uncovered another security flaw in the EMV system.
Earlier this year, researchers at MWR Labs demonstrated that EMV POS terminals can be compromised, claiming a chink in chip card armor (http://www.cutoday.info/THE-feature/Can-EMV-Also-Be-Hacked).
The Newcastle white paper, "Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN," addresses what researchers claim is a flaw in Visa's EMV-based contactless payment card system in the United Kingdom, one that cyber-crooks could potentially use to commit fraud through foreign currency transactions.
Researchers stated the attack exploits a previously unreported vulnerability in the EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder’s PIN when the transaction is carried out in a foreign currency.
The paper’s abstract explains, “. . . we have found that Visa credit cards will approve foreign currency transactions for any amount up to €999,999.99 without the cardholder's PIN, this side-steps the £20 contactless transaction limit in the UK.”
The white paper pointed out the attack differs from previously identified attacks on EMV cards, “in that it can be used to directly access money from EMV cards rather than to buy goods. The attack is novel in that it could be operated on a large scale with multiple attackers collecting fraudulent transactions for a central rogue merchant which can be located anywhere in the world where EMV payments are accepted.”
