Newcastle University researchers say a flaw in Visa's Europay-MasterCard-Visa (EMV)-based contactless payment card system could enable hackers with Android smartphones to approve unlimited cash transactions without a PIN when the amount is requested in a foreign currency.
The researchers say they have built a proof-of-concept attack using a near-field communications-enabled Android smartphone running a rogue app that masquerades as a point-of-sale (POS) terminal and deceives contactless cards into authorizing payments of less than $1.3 million. The hackers would then send those transactions to a rogue merchant account created in one of the dozens of EMV payment-accepting countries.
"With just a mobile phone, we created a POS terminal that could read a card through a wallet," says Newcastle's Martin Emms, the project's lead researcher.
He notes that because all checks are performed on the card and not the terminal, there is nothing to provoke suspicion at the POS. "By presetting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction," Emms warns.
The research was presented this week at the 21st ACM Conference on Computer and Communications Security in Scottsdale, AZ.
From Newcastle University (United Kingdom)
Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA