Hackers have found new ways to bypass the payment limits on Visa contactless cards. The attacks could be used to steal unlimited sums from accounts, prompting banks and customers to take precautions. Researchers Leigh-Anne Galloway and Timur Yunusov were able to exploit the vulnerabilities to bypass verification limits on Visa contactless cards in tests at five major UK banks.
The researchers said the bypass works by manipulating two checks that are exchanged between the card and the terminal during a contactless payment.
The first check is designed to block instant payments greater than £30. The second is designed to require additional verification from the cardholder when the requested amount is above that threshold, such as entry of the card's personal identification number (PIN) or fingerprint authentication on a mobile phone.
The researchers found that both of these checks can be bypassed using a device that intercepts communication between the card and the payment terminal. The device acts as a proxy in what is known as a man-in-the-middle (MitM) attack.
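Because the two checks are exchanged between card and terminal, a proxy in between can tamper with what the terminal sees. The defensive counterpart is for the issuer to apply the limit itself when it receives the authorization request, rather than trusting the terminal's report. The following is an added illustration, not code from the article or from Positive Technologies; the message fields, verification-method names and the rule itself are constructed assumptions for a simplified issuer-side check.

```python
"""Simplified issuer-side enforcement of the contactless limit (added
example; field names and verification-method labels are assumptions)."""
from dataclasses import dataclass

CONTACTLESS_LIMIT_GBP = 30.00  # the limit cited in the article


@dataclass
class AuthRequest:
    amount_gbp: float
    contactless: bool
    # Terminal's claim about cardholder verification. Constructed labels:
    # "none", "on_device" (fingerprint/PIN on the phone), "online_pin".
    cvm_claimed: str
    # True only if the issuer itself verified a PIN online for this request.
    online_pin_verified: bool = False


def should_approve(req: AuthRequest) -> tuple[bool, str]:
    """Return (approve, reason). Contact (chip-insert) transactions are
    out of scope and pass straight through to the issuer's normal rules."""
    if not req.contactless:
        return True, "contact transaction: normal rules apply"
    if req.amount_gbp <= CONTACTLESS_LIMIT_GBP:
        return True, "within contactless limit"
    # Above the limit: a flag reported by the terminal may have been
    # altered by a device sitting between card and terminal, so accept
    # only verification evidence the issuer produced itself.
    if req.online_pin_verified:
        return True, "above limit, issuer-verified online PIN"
    return False, (f"above limit, terminal claim '{req.cvm_claimed}' "
                   "is not issuer-verified")


def flag_suspicious(requests: list[AuthRequest]) -> list[AuthRequest]:
    """Batch view for monitoring: above-limit contactless requests that
    rest on the terminal's claim alone."""
    return [r for r in requests if not should_approve(r)[0]]


# Constructed sample authorization requests.
SAMPLE = [
    AuthRequest(25.00, True, "none"),                  # normal tap
    AuthRequest(45.00, True, "on_device"),             # claim only
    AuthRequest(45.00, True, "online_pin", True),      # issuer-verified
    AuthRequest(120.00, False, "none"),                # chip-and-PIN path
]
```

Running `flag_suspicious(SAMPLE)` isolates only the second request, the one whose above-limit approval would rest entirely on a terminal-reported flag.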
“It falls to the customer and the bank to protect themselves,” said Leigh-Anne Galloway, head of cyber security resilience at Positive Technologies. “While some terminals have random checks, these have to be programmed by the merchant, so it is entirely down to their discretion. Because of this, we can expect to see contactless fraud continue to rise. Issuers need to be better at enforcing their own rules on contactless and increasing the industry standard. Criminals will always gravitate to the more convenient way to get money quickly, so we need to make it as difficult as possible to crack contactless,” she said.
This is a classic man-in-the-middle attack, in which the attacker alters the communication between two parties who believe they are communicating directly with each other; here, between the customer and the bank. Such MitM attacks could be avoided with a smart WAF solution. A web application firewall (WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF inspects the content of specific web applications, whereas a regular firewall serves as a safety gate between servers. By inspecting HTTP traffic, a WAF can prevent attacks that stem from web application security flaws such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfiguration.
Logix has, since 1999, been a committed and acknowledged provider of managed services, solutions and products in the cyber security space, supporting business enterprises across pan-India, from banks and government entities to financial institutions. Among the cyber security products and services that Logix deploys and manages is the Web Application Firewall (WAF).