Contactless Visa credit cards contain a flaw allowing for huge foreign cash transactions without the need for a PIN, according to researchers at Newcastle University.
Using a mobile phone point-of-sales (PoS) terminal, the team claimed they were able to process transactions just shy of one million in any foreign currency, flouting the £20 limit for near field communication (NFC) payments.
Martin Emms, the lead researcher on the project, said: "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions.
"By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction."
He added that banks would have security systems in place to prevent fraud in the back end of the system, but claimed it was unclear how they would deal with the vulnerability his team had discovered.
"All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate," he said.
Emms’ team will present their findings at the Conference on Computer and Communications Security in Arizona this week, and are due to publish a paper on the subject.
Update:
A spokesman from Visa said: "We have reviewed Newcastle’s findings as part of our continued focus on security and beating payments fraud. The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world.
"For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment."
