Researchers at Newcastle University discovered that at least the system in the UK does not recognize charges in foreign currencies. Because of this someone could potentially trick the system into approving a transaction using one of these. The transactions could be as large as 999,999.99 of what every currency the attacker chooses. That is a lot of money no matter what currency you chose and it represents a massive flaw in the system.
But wait there’s more! That’s right, there is more to this flaw. As we move into the world of no-swiping more and more cards will be contactless and only require proximity to a reader to be compromised. This means that an attacker can pull this off with a bump reader that could be run from a phone. Typically the system does require a PIN for larger transactions, but due to the flaw there is no PIN requirement for contactless charges in any of the non-recognized currencies. In crowded places like an airport, bus or train terminal this is going to be a very simple tactic. Choosing an airport would also potentially mask the foreign currency transaction. The same can be said for hotel lobbies and any tourist location. The Newcastle University team also noted that they could not see anything in the protocol that showed how banks would deal with this. This more than likely means that there is nothing currently in place to deal with this type of skimming operation.
The flaw exists because the technology does not perform checks after the fact on all transactions. All of the security is based on the card and exists in the microchip embedded in it. This means that the reader can act like a POS station and simply relay a preset transaction that is executed by a bump on the authentic card. Granted there is not really much security when using the traditional credit card other than the signature capture. Sadly this is no security at all as I have tested this method by signing Ted Nugent and other fun names without even a peep from the credit card company.
The system is in wide use in the UK and Europe and is moving into the US rapidly with Visa imposing an October 1, 2015 deadline for retailers to have this in place. Although the flaw has only been tested in the UK we would not be surprised to find that it exists globally to some extent. This means that retail companies are rushing to deploy a system that is open to a massive and simple attack that can skim millions from consumers and retail outlets that believe they are getting a much more secure system. Sounds kind of messed up doesn’t it?
Tell us what you think in our Forum