
Visa card vulnerability can bypass contactless limits - frozenice
https://www.ptsecurity.com/ww-en/about/news/visa-card-vulnerability-can-bypass-contactless-limits/
======
frozenice
> Positive Technologies found that both of these checks can be bypassed using
> a device which intercepts communication between the card and the payment
> terminal. This device acts as a proxy and is known to conduct man in the
> middle (MITM) attacks. First, the device tells the card that verification is
> not necessary, even though the amount is greater than £30. The device then
> tells the terminal that verification has already been made by another means.
> This attack is possible because Visa does not require issuers and acquirers
> to have checks in place that block payments without presenting the minimum
> verification.

That's the first time I've heard about RFID/NFC MITM, neat.

~~~
tastroder
> That's the first time I've heard about RFID/NFC MITM, neat.

That's been a thing for quite a few years now in the context of pentesting,
e.g. for badge cloning / proxying for access control systems; see for example
[1] for an overview presentation. There are quite a few BlackHat talks in that
space that give a good overview at this point. This attack is intriguing since
it circumvents more complex measures by manipulating the communication and
obviously has practical and direct impact on a monetary asset.

I've read elsewhere ([2], German) that Visa declines to fix this with the
explanation that it would require attackers to steal the card in the first
place and is technologically too complex to be seen in the real world, which
is kind of weird. The hardware required is pretty accessible at this point but
I guess their risk assessment determined that the actually occurring fraud
with this method is currently not worth fixing anything.

[1] [https://www.bishopfox.com/files/slides/2016/InfoSec_World_20...](https://www.bishopfox.com/files/slides/2016/InfoSec_World_2016-RFIDiggity-Brown-05Apr2016.pdf)

[2] [https://www.heise.de/security/meldung/Bezahlen-ohne-PIN-und-...](https://www.heise.de/security/meldung/Bezahlen-ohne-PIN-und-Unterschrift-Forscher-hacken-VISAs-50-Euro-Limit-4484956.html)

------
jaclaz
At the time those cards came out I was very skeptical about their safety (and
of course have been called paranoid/excessive/etc. by everyone).

After all, I wasn't that much off; my theory was that anyone in a crowded
environment (bus, train, etc.) could get a "payment" by simply being "near"
the card (be it in a wallet, in your pocket or in a bag).

The objection was that there were much more sophisticated controls by Visa on
the "other side" (reputability of the account where the money would go, etc.)
and that the sheer number of micro-payments needed to make the theft
profitable (and thus the number of complaints) would have easily triggered
the various automated alarms.

But if someone can obtain a Visa/bank account and credit it with a small
number of (delinquent) transactions, each of relatively high amount, get the
money and close the account in a short time, it can probably become viable.

~~~
rasz
How would you credit your account with fraudulent transactions?

~~~
jaclaz
There is no fraudulent transaction, or - probably saying it better - any
transaction is not fraudulent until it is detected as such or reported as
such.

The whole point of the (rightful) "objection" I mentioned is that there are
mechanisms of alarm that would be triggered by - say - a new (delinquent)
account receiving one hundred 25 US$ (or Euros) transactions (and no other
transaction) in a small amount of time and then, a few hours or days later the
sum is transferred to another account and cashed or spent.

But if it is a couple of transactions of 1,500 US$ each (or whatever sum that -
while being substantial - is below a given triggering alert level), would the
alarm be triggered?

Or will it be triggered only after - say - 2/3 of the credit is spent?

~~~
rasz
You have to be a merchant to receive any transactions.

~~~
jaclaz
Sure, as if fake merchant accounts are not possible:

[https://www.finextra.com/blogposting/14769/three-types-of-me...](https://www.finextra.com/blogposting/14769/three-types-of-merchant-fraud-a-guide-for-merchant-acquirers)

~~~
rasz
If you manage to get a merchant account (mule, homeless credentials) you don't
need additional technologically advanced/complicated exploits involving
getting physically close to people. You just open an internet shop, list high-end
multimedia equipment (TVs, consoles, laptops, phones) at 30% off prices and spam
FB/coupon/deal sites.

------
_trampeltier
I wonder what the absolute limit would be. Could you buy something for like 1
Billion?

~~~
jaclaz
Well, a VISA card usually has a (daily or monthly or both) drawing/spending
limit, the monthly one usually being, AFAIK, in the 1,500-5,000 US$ or Euro range.

