Visa Europe may find itself in a damage control mode after researchers say they found a flaw in the brand's contactless cards, but the organization is expressing confidence in its security.
Researchers at Newcastle University in the U.K. say a glitch in the Visa system would allow a fraudster to sidestep the restrictions on contactless cards. Newcastle determined a fraudster could initiate transactions of up to 999,999.99 units of a foreign currency without a PIN, and without triggering Visa's block on contactless payments exceeding 20 pounds.
The researchers revealed their findings at a data security conference this week in Arizona. Visa, which reviewed Newcastle's results, says that this tactic alone is not enough to compromise Visa accounts.
"We do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment," Visa Europe said in a prepared statement. In a live transaction, other anti-fraud systems would block such a payment, it said.
The card brand spends 100 million euros a year to beat fraud in Europe and will continue to add safeguards to its payment system, Visa said. Those safeguards have helped fraud rates stand at less than five pounds in every 100 pounds in the U.K., Visa added.
Newcastle acknowledges that its research did not test the back end of the payment system, where banks have a number of extra security measures in place.
Still, Visa should be concerned about what the Newcastle research reveals about where fraud will go in the future, said Avivah Litan, a vice president and distinguished analyst at Gartner Inc., a Stamford, Conn.-based market research company.
"It's a very serious flaw and I think it just shows how there are a lot of new scams that are probably going to appear once we move more to mobile and contactless payments," Litan said. "Certainly, there are always attack vectors that can be exploited, and we have just begun to see them."
Newcastle reported that a fraudster using a mobile phone could sidestep the 20-pound limit on the contactless card and initiate an offline transaction, which avoids additional security checks from the banks, while the card was still in the consumer's pocket or purse.
The current system requires the credit card to authenticate itself, but it does not require the point-of-sale terminal (or, in this case, a fraudster's phone acting as a POS terminal) to do the same, researchers said.
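The back-end screening that Visa and Newcastle both point to can be sketched as an issuer-side rule that normalises every contactless amount into the card's home currency before comparing it with the no-PIN limit, rather than trusting the currency the terminal chose. The Python below is an added example, not code from Visa, Newcastle University or the article; the ISO 4217 currency codes, the exchange rates, the record fields and the `review` outcome are constructed assumptions, and only the 20-pound ceiling is the figure the article gives.

```python
from dataclasses import dataclass
from decimal import Decimal

# Article's figure: contactless payments above 20 pounds require a PIN.
CONTACTLESS_NO_PIN_LIMIT_GBP = Decimal("20.00")
HOME_CURRENCY = "826"  # ISO 4217 numeric code for GBP (assumed home currency)

# Constructed rate table (GBP per one unit of the currency); illustrative only.
RATES_TO_GBP = {
    "826": Decimal("1.00"),  # GBP
    "840": Decimal("0.62"),  # USD, constructed rate
    "978": Decimal("0.80"),  # EUR, constructed rate
}


@dataclass
class ContactlessRecord:
    """One contactless transaction as seen by the issuer (constructed fields)."""
    amount: Decimal        # amount in the transaction currency
    currency: str          # ISO 4217 numeric code as a string
    offline: bool          # approved by the card without an online authorisation
    pin_verified: bool     # cardholder entered a PIN


def to_gbp(amount: Decimal, currency: str):
    """Convert to the home currency; None if the currency is not in the table."""
    rate = RATES_TO_GBP.get(currency)
    if rate is None:
        return None
    return (amount * rate).quantize(Decimal("0.01"))


def evaluate(tx: ContactlessRecord) -> tuple:
    """Return (decision, reason). The limit is enforced on the GBP-equivalent
    amount, so choosing a foreign currency does not change the outcome."""
    if tx.pin_verified:
        return ("approve", "cardholder verified by PIN")
    gbp = to_gbp(tx.amount, tx.currency)
    if gbp is None:
        return ("decline", "unknown currency; cannot compare with contactless limit")
    if gbp > CONTACTLESS_NO_PIN_LIMIT_GBP:
        return ("decline", f"no-PIN contactless of {gbp} GBP exceeds "
                           f"{CONTACTLESS_NO_PIN_LIMIT_GBP} GBP limit")
    if tx.offline and tx.currency != HOME_CURRENCY:
        # Within limit, but an offline foreign-currency contactless transaction
        # on a home-currency card is the pattern the research describes.
        return ("review", "offline contactless in foreign currency on GBP card")
    return ("approve", "within contactless limit")


def screen(records) -> list:
    """Evaluate a batch and return only the non-approved decisions."""
    return [(tx, *evaluate(tx)) for tx in records if evaluate(tx)[0] != "approve"]


if __name__ == "__main__":
    # Constructed sample records, including the article's 999,999.99 foreign-currency case.
    sample = [
        ContactlessRecord(Decimal("999999.99"), "840", offline=True, pin_verified=False),
        ContactlessRecord(Decimal("15.00"), "826", offline=True, pin_verified=False),
        ContactlessRecord(Decimal("15.00"), "978", offline=True, pin_verified=False),
        ContactlessRecord(Decimal("50.00"), "826", offline=False, pin_verified=True),
    ]
    for tx, decision, reason in screen(sample):
        print(f"{decision:8} {tx.amount} {tx.currency}: {reason}")
```

Because an offline-approved transaction reaches the issuer only at clearing, this rule detects and refuses settlement after the fact rather than stopping the tap itself; the durable fix is for the card's own offline limits to be expressed in a currency-aware way, which is the gap the researchers describe.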