A glitch in the new contactless bank cards means that it is possible to approve unlimited cash transactions without the use of a PIN - as long as the amount is in a foreign currency, scientists have said.
The flaw could allow fraudsters to approve transactions of up to 999,999.99 in any foreign currency against an unwitting victim's card, using a mobile phone that has been set up to act as a contactless point-of-sale terminal, researchers at Newcastle University have claimed.
Contactless transactions – when the card is simply tapped onto a reading device at a terminal – are supposed to be limited to a maximum of £20 to limit possible fraud. However, the Newcastle scientists believe this limit can be easily breached so long as it is in a foreign currency.
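As an added illustration, not code from the Newcastle researchers or from Visa, here is a constructed issuer-side authorisation rule showing the weakness the article describes (a no-PIN ceiling compared only for sterling amounts) beside a version that normalises every amount to GBP before comparing, plus a retrospective scan that flags approvals the hardened rule would have declined. The exchange rates, field names and the way the £20 ceiling is applied are assumptions for the example.

```python
from decimal import Decimal
from typing import List, NamedTuple

# Constructed model for illustration only; not any real issuer's or scheme's rule set.
NO_PIN_CEILING_GBP = Decimal("20.00")  # contactless no-PIN ceiling quoted in the article

# Constructed exchange-rate table: GBP per one unit of the given currency.
RATES_TO_GBP = {"GBP": Decimal("1"), "USD": Decimal("0.62"), "EUR": Decimal("0.79")}


class ContactlessRequest(NamedTuple):
    amount: Decimal      # amount in the currency's major units, as sent by the terminal
    currency: str        # ISO 4217 alpha code chosen by the terminal
    pin_verified: bool   # whether cardholder verification (PIN) was performed


def flawed_decision(req: ContactlessRequest) -> str:
    """Mirrors the weakness described: the ceiling is only compared for domestic (GBP)
    amounts, so a foreign-currency amount of any size is approved without a PIN."""
    if req.pin_verified:
        return "approve"
    if req.currency == "GBP" and req.amount > NO_PIN_CEILING_GBP:
        return "decline"
    return "approve"


def hardened_decision(req: ContactlessRequest) -> str:
    """Normalise every amount to GBP before applying the no-PIN ceiling. A currency that
    cannot be normalised is declined rather than waved through."""
    if req.pin_verified:
        return "approve"
    rate = RATES_TO_GBP.get(req.currency)
    if rate is None:
        return "decline"
    if req.amount * rate > NO_PIN_CEILING_GBP:
        return "decline"
    return "approve"


def find_suspect_approvals(log: List[ContactlessRequest]) -> List[ContactlessRequest]:
    """Detection over an authorisation log: approvals made by the flawed rule that the
    hardened rule would have declined, i.e. no-PIN foreign-currency amounts over the ceiling."""
    return [r for r in log
            if flawed_decision(r) == "approve" and hardened_decision(r) == "decline"]


if __name__ == "__main__":
    # Constructed sample log: a normal tap, a sterling over-limit tap and the article's case.
    sample = [ContactlessRequest(Decimal("15.00"), "GBP", False),
              ContactlessRequest(Decimal("45.00"), "GBP", False),
              ContactlessRequest(Decimal("999999.99"), "USD", False)]
    for r in find_suspect_approvals(sample):
        print("suspect no-PIN approval:", r.amount, r.currency)
```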
“With just a mobile phone we created a POS terminal that could read a card through a wallet. All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions,” said Martin Emms, the lead researcher on the project at Newcastle.
“By presetting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction. In our tests, it took less than a second for the transaction to be approved,” Dr Emms said.
However, the credit card company Visa said it had reviewed the Newcastle findings, and found they did not take into account “multiple safeguards put into place throughout the Visa system”.
It added: “For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.”