EXECUTIVE SUMMARY:

In the UK, regulations prevent people from spending more than £30 per transaction when using a contactless credit card. This is ostensibly a security mechanism.

However, as white hat security researchers recently concluded, surpassing the £30 limit on contactless credit cards is surprisingly easy.

Hackers can override the security systems on the card by conducting a Man-in-the-Middle (MITM) attack. To do this, hackers set up a device that intercepts the wireless connection between a card and a payment terminal.

“…the [£30] limits could be bypassed 100% of the time,” reports InfoSecurity Magazine, meaning that a hacker could deplete a checking account or a lifetime’s worth of savings in minutes.

Researchers discovered that a similar MITM attack configuration could also let hackers steal from mobile wallets, potentially charging small amounts to cards without unlocking the phone at all.

In the case of contactless theft, bad actors need not actually steal the physical card. Getting close enough to a person’s card at the check-out counter will do the trick. A proxy device on a hacker’s person can read the card from a few steps away. Security researchers recommend that contactless card owners work with their banks to set up text message alerts and payment limits.

“While it’s a relatively new type of fraud and may not be the number-one priority for banks at the moment, if contactless verification limits can easily be bypassed, it means that we could see more damaging losses for banks and their customers,” says a banking security expert.

In 2018, the UK saw £8.4 million fraudulently siphoned out of bank accounts via contactless theft, including one loss amounting to £400,000. Nonetheless, the amount lost in 2018 represents an improvement over 2016’s £14 million figure.

To put these numbers into perspective, contactless card fraud accounts for roughly 3% of all fraud across the UK.

UK Finance, a professional body that represents finance, banking and payment-oriented enterprises, asserts that consumers need not exhibit grave concern over contactless theft. With a continued vote of confidence in the cards, UK Finance anticipates that 36% of all credit card transactions in the UK will be contactless by 2027.

For additional analysis on the security threats presented by contactless cards, please visit InfoSecurity Magazine.