Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

Posted by samzenpus on from the have-some-money dept.

New submitter biomass writes with news about a flaw in Visa's contactless card that lets anyone charge $999,999 to it. According to researchers at Newcastle University in the UK, the card system developed by VISA for use in the United Kingdom fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99. "With just a mobile phone we created a POS terminal that could read a card through a wallet," Martin Emms, lead researcher of the project that uncovered the flaw, noted in a statement about the findings. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."

2 of 126 comments (clear)

  1. Re:Well... no. by taustin · · Score: 4, Insightful

    Sounds like if you can find a store that is currently offline (which is rare) you can rip off the store for goods purchased, and that's about it.

    It's useless for the thief to directly charge a card unless the thief also has a merchant account, which are not exactly trivial to sign up for, what with credit checks and all.

    And these people obviously have no clue how offline transactions actually work. They're held in the POS station until they get uploaded, where they get all the normal verifications before they are processed and the money deposited in the merchant's account.

    Other than ripping off a merchant in some way (and that would require a coordinated effort on the part of someone with a portable card reader and someone else at the cash register), there is no risk here whatsoever. Nothing but FUD, deliberately fostering hysteria to sell advertising. In other words, in the world of "journalism", it's a day that ends in "y".

  2. Re:Well... no. by Applehu+Akbar · · Score: 3, Insightful

    That's why even if you have a Near Field Communications equipped card like Chase Freedom, you don't want to use it directly. Scan it once, into Apple Pay, and then use that implementation of the NFC standard to present the card to merchants without having them see your card. Apple's security is added to whatever security the credit card has, and your fingerprint is required to complete the transaction.