Slashdot Mirror


Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

New submitter biomass writes with news about a flaw in Visa's contactless card that lets anyone charge $999,999 to it. According to researchers at Newcastle University in the UK, the card system developed by VISA for use in the United Kingdom fails to recognize transactions made in non-UK foreign currencies and can therefore be tricked into approving any transaction up to 999,999.99. "With just a mobile phone we created a POS terminal that could read a card through a wallet," Martin Emms, lead researcher of the project that uncovered the flaw, noted in a statement about the findings. "All the checks are carried out on the card rather than the terminal so at the point of transaction, there is nothing to raise suspicions. By pre-setting the amount you want to transfer, you can bump your mobile against someone's pocket or swipe your phone over a wallet left on a table and approve a transaction."

3 of 126 comments

  1. Re:Well... no. by Adriax · Score: 4, Interesting

    Up to. Meaning $0-$999,999.
    Script a repeated transaction preload for $5 on a device then go wait at a chokepoint to any high traffic area. Subway, airport, shopping center, sports stadium, etc.

    You could rake in quite a lot in a short timeframe doing that.

    --
    I don't suffer from insanity, I enjoy every minute of it!
  2. Re:Good by TWX · Score: 3, Interesting

    The problem is that no one wants to do a touch technique that also integrates a chip-and-pin setup. They want either mag-stripe (ie, US-style) or radio chip and pin (Europe, probably elsewhere).

    If it's any consolation I'm a little bummed about the use of RFID in so many things that really should be secure, like passports. Fortunately I got mine issued in those last couple of months before they went RFID, but my wife's renewal is RFID-equipped so we had to get a faraday cage sleeve for it. Mine will expire soon enough that I'll probably also have to get a faraday cage sleeve soon.

    I'd love to get one of those stainless-steel woven wallets, but I expect they're a pain in the ass to travel with, as they'll probably be searched every time they go through the X-ray machine.

    --
    Do not look into laser with remaining eye.
  3. Re:Well... no. by Anonymous Coward · Score: 2, Interesting

    There are 90.5 credit cards in the UK, with Visa owning about 49.6 percent market share.

    Given your 99.999% figure, that means there are 288 (or fewer) cards out there that are authorized for over $1000000.

    There are 104 billionaires in the UK, and 10,000 multi-millionaires. It seems, then, that 288 is actually a pretty reasonable number. Nice job.