It is possible to bypass the contactless payment limit of a Visa card simply by using two smartphones. As a result, a hacker can make a large transaction without any authentication.
If you have a Visa card and lose it, block it immediately. A hacker who gets his hands on it could use it to make NFC payments for an arbitrary amount, without any authentication. In short, he would be able to empty your account in two or three steps. Security researchers at the Swiss Federal Institute of Technology Zurich (ETH Zurich) have just revealed a loophole in the contactless payment process for Visa bank cards.

But before going into details, it is important to know that there are actually two limits for NFC payments. The first is low, generally 30 euros, and applies to NFC payments made without authentication, as is the case when a physical card is tapped on a retail terminal, for example. The second limit is much higher, several thousand euros, and applies to NFC payments made with authentication. This is the case when you pay with a smartphone after facial recognition or a fingerprint scan, via Apple Pay or Google Pay, for example.

The researchers found that it was possible to modify certain transaction data in the payment protocol and thus circumvent this first limit. In other words, they were able to make unauthenticated payments with a Visa card while making the payment terminal believe that the cardholder had been authenticated on a smartphone. The attack requires two smartphones: one acts as a payment terminal towards the stolen card, and the other acts as a payment card towards the real payment terminal. The researchers have produced a demonstration video to prove the feasibility of this hack.

The good news is that it is possible to close this loophole by updating the software on the payment terminals, without having to replace all Visa cards. However, this update may take some time to roll out.

Other researchers had already found a similar flaw in December 2019, but it was not as systematic: that attack only worked on certain Visa cards. Note, finally, that Mastercard cards are not affected by this problem at all. The researchers' analysis shows that "Mastercard's contactless payment protocol protects all high-value transactions". In short, if you're the anxious type, swap your Visa card for a Mastercard card.

Source: ETH Zurich

