A new way to steal money from contactless Visa cards discovered


In practice the discovered vulnerability is not dangerous, Visa says, since fraudsters rarely have someone else's card in their hands.

Security researchers at Positive Technologies have discovered a vulnerability that allows criminals to bypass the limit on large contactless payments from Visa cards.

Usually, contactless cards do not allow large payments without a PIN. In the UK, for example, cardholders must enter a PIN for purchases of £30 or more. If criminals steal a card and attempt several high-value transactions, the bank will block the card.

According to the Positive Technologies researchers, there are two ways around this limit. In the first, they used a device to intercept and modify messages on the channel between the card and the reader. With it, the card was told that the amount being charged was under £30, while the terminal was told that cardholder verification had been carried out by another method. This vulnerability affects only Visa cards, since other payment systems confirm large transactions only with a PIN.
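The first method works because the card and the terminal end up authorising two different transactions. The following is an added illustration, not code from the article or from Positive Technologies: a simplified model (HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the message layout is invented) showing how an issuer that recomputes the cryptogram over the amount and verification status the terminal actually reports can spot the mismatch.

```python
import hashlib
import hmac

# Constructed demo key; a real issuer holds per-card keys. Not a real EMV key.
CARD_KEY = b"demo-card-key-not-real"
CVM_LIMIT_PENCE = 3000  # the £30 no-PIN limit cited in the article


def card_cryptogram(amount_pence: int, cvm_performed: bool, key: bytes = CARD_KEY) -> bytes:
    """Stand-in for the card's payment cryptogram: a MAC over the data the
    card was shown (amount and whether cardholder verification was reported)."""
    msg = f"{amount_pence}|{int(cvm_performed)}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def issuer_check(terminal_amount_pence: int, terminal_cvm_performed: bool,
                 cryptogram: bytes, key: bytes = CARD_KEY) -> str:
    """Issuer-side authorisation. Recompute the cryptogram over the values the
    terminal reports; a mismatch means the card saw a different transaction."""
    expected = card_cryptogram(terminal_amount_pence, terminal_cvm_performed, key)
    if not hmac.compare_digest(expected, cryptogram):
        return "decline: cryptogram does not match terminal data"
    if terminal_amount_pence >= CVM_LIMIT_PENCE and not terminal_cvm_performed:
        return "decline: amount over limit without cardholder verification"
    return "approve"


def honest_transaction(amount_pence: int) -> str:
    """Card and terminal agree on the amount; a PIN is entered over the limit."""
    cvm = amount_pence >= CVM_LIMIT_PENCE
    return issuer_check(amount_pence, cvm, card_cryptogram(amount_pence, cvm))


def interposed_device_transaction(real_amount_pence: int) -> str:
    """Model of the attack described in the article: the card is told the
    amount is under the limit (so no PIN is asked for), while the terminal is
    told verification happened another way and submits the real amount."""
    shown_to_card = CVM_LIMIT_PENCE - 1
    crypto = card_cryptogram(shown_to_card, False)
    return issuer_check(real_amount_pence, True, crypto)


if __name__ == "__main__":
    print(honest_transaction(1500))                 # approve
    print(honest_transaction(5000))                 # approve (PIN entered)
    print(interposed_device_transaction(5000))      # decline: cryptogram mismatch
```

The check only helps when the issuer actually binds the cryptogram to the terminal's reported amount and verification result; it does not address the second, relay-style method described below.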

In the second method, the researchers used two mobile phones. One phone collected a so-called payment cryptogram from the card, which vouches for the authenticity of the subsequent transaction. The second phone took that cryptogram and impersonated the card.

Visa has no plans to take action against these types of fraud. According to the company, attackers would need to have the card in their hands to carry out the fraud, and this rarely happens. The researchers, however, disagree that the card has to be physically in hand. As their experiment showed, it is enough for an attacker to get close to the victim's card for a short time and read its payment data.