$1mn per card: Major flaw detected in new credit, debit cards
In a paper presented on Monday at the ACM Conference on Computer and Communications Security in Arizona, Newcastle University scientists showed flaws in microchip credit and debit cards. With the new microchip cards, users can just swipe the chip for transactions up to $31, for speed and convenience.
However, researchers found the chips do not recognize limits with foreign currency transactions. Just by pre-setting the amount you want to transfer on a mobile phone, all it takes is a bump against another person’s pocket – where the card can communicate with something like a smartphone – to approve the release of hundreds of thousands in foreign currency. In tests conducted, these types of transactions took less than a second to be approved.
Got a new, more secured debit card with a microchip in it from my bank. What security they are so concerned about? ₹116.30 in my account ?
— Ank (@_Ankkit) October 31, 2014
“At the moment, the lowest hanging fruit with regard to payment card fraud is the magnetic stripe,” said Professor Aad van Moorsel, head of Newcastle University’s School of Computing Science and author of the report, as quoted by Wired.
“With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature. If we can find flaws...they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited,” he added.
Since the microchip cards do not require terminal authentication or a PIN, they are particularly vulnerable to fraudulent charges. Additionally, the card is always “on,” meaning accidental communication with other devices is possible.
My debit card was "compromised" - hoping the new microchip technology will help end debit card fraud http://bit.ly/dNIks
— Chaya Cooperberg (@chayacoop) August 7, 2009
“This lends itself to multiple attackers across the world collecting small transactions of perhaps €200 at a time for a central rogue merchant who could be located anywhere in the world,” Martin Emms, the lead researcher on the project, said in a Newcastle University press statement. “This previously undocumented flaw around foreign currency, combined with the lack of POS terminal authentication and the ease of skimming contactless credit cards, makes the system more vulnerable to high-value attacks.”
These cards, also known as Chip-n-Pin cards or as the EMV system (Europay, MasterCard and Visa), are scheduled to be rolled out in the United States in 2015 as part of an effort to curb large-scale credit card breaches, such as those at Target and other retailers, which criminals have exploited for lucrative gains.
I can't wait until they're instantly uploaded via a debit card swipe microchip implant into our frontal cortexes (I'm sure in a few years)..
— Mark Allen (@_MarkAllen) July 12, 2012
Emms said the researchers have not tested the back end of the system, and they acknowledge that banks will have a number of security systems in place to prevent fraud.
“It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research,” he said, “hence we believe the vulnerability poses a potential threat.”