If you have a Visa card and you lose it, block it immediately. A hacker who gets his hands on it could indeed use it to make NFC payments for an arbitrary amount without any authentication. In short, he would be able to empty your account in no time. Security researchers at the Swiss Federal Institute of Technology Zurich (ETH Zurich) have just revealed the existence of a flaw in the contactless payment process for Visa bank cards.
But before we get into the details, you should know that there are actually two limits for NFC payments. The first is low, generally 30 euros, and applies to NFC payment without authentication, which is the case when the physical card is presented to a store's terminal, for example. The second limit is much higher, several thousand euros, and applies to NFC payment with authentication. This is the case when paying with a smartphone, for example through Apple Pay or Google Pay, where the payment is authenticated by facial recognition or fingerprint reading.
The researchers found that it was possible to modify some transaction data of the payment protocol and thus bypass this first cap. In other words, they managed to make unauthenticated payments with a Visa card while making the payment terminal believe that the authentication had been performed on a smartphone. This attack requires two smartphones: one simulates a payment terminal to the stolen card, and the other simulates a payment card to the real payment terminal. The researchers made a demonstration video to prove the feasibility of this hack.
The good news is that this loophole can be closed with a software update on payment terminals, without the need to replace all Visa cards. But rolling out this update may take a little while.
Other researchers had already found a similar flaw in December 2019, but it was not as systematic: the attack only worked on certain Visa cards. Note, finally, that Mastercard cards are not at all affected by this problem. The researchers’ analysis shows that “Mastercard’s contactless payment protocol protects all high-value transactions”. In short, if you’re the anxious type, swap your Visa card for a Mastercard.
Source: ETH Zurich