Visa flaw shows contactless payment still has its problems

The ‘wireless’ symbol shows the card can broadcast its contents. Philip Toscano/PA

Researchers have found that the £20 limit on contactless credit and debit card payments can be tricked into accepting unlimited payments without a PIN – when the transaction is made in a foreign currency.

A team from Newcastle University exploited the flaw under laboratory conditions, and Visa acknowledged that the research was valid, but reinforced the idea that it wouldn’t work in real-world conditions, and that other, undisclosed safeguards would prevent this style of card fraud.
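As an added illustration, not from the article or the Newcastle team's work, the Python below contrasts a terminal-side offline-approval check that applies the £20 ceiling only to the card's home currency with a hardened version that gives every currency an explicit ceiling and refuses anything it does not recognise. The idea that the ceiling is skipped for non-GBP amounts, and every limit other than £20, are assumptions for the example, not details the article gives.

```python
from decimal import Decimal

# The article's £20 no-PIN ceiling, in the card's home currency.
GBP_LIMIT = Decimal("20.00")

# Constructed per-currency ceilings for the hardened check. Real limits are
# set by the scheme and issuer; these values are illustrative only.
LIMITS_BY_CURRENCY = {
    "GBP": Decimal("20.00"),
    "EUR": Decimal("25.00"),
    "USD": Decimal("25.00"),
}


def weak_no_pin_allowed(amount: Decimal, currency: str) -> bool:
    """Assumed weak check: the ceiling is compared only when the currency
    is GBP, so any other currency falls through and is approved without
    a PIN regardless of amount."""
    if currency == "GBP" and amount > GBP_LIMIT:
        return False
    return True


def hardened_no_pin_allowed(amount: Decimal, currency: str) -> bool:
    """Hardened check: every currency must have an explicit ceiling, and
    unknown currencies or non-positive amounts are refused (fail closed)."""
    limit = LIMITS_BY_CURRENCY.get(currency)
    if limit is None or amount <= 0:
        return False
    return amount <= limit


def decide(amount: str, currency: str, check=hardened_no_pin_allowed) -> str:
    """Return the terminal decision for a transaction amount (as a decimal
    string) and ISO currency code under the chosen check."""
    return "approve_no_pin" if check(Decimal(amount), currency) else "require_pin"
```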

This system of contactless payment, which can be used with any card bearing the symbol above, was introduced in 2008. A much speedier transaction is possible just by touching the card to the chip and PIN reader. The per-transaction limit is £20, but there’s no daily limit, so the card could be used repeatedly until funds are exhausted. The idea is that this can be used for public transport and small purchases on the move.

In principle this is a great idea – I like it and often use it. The technology works by adding an RFID chip to the card, embedded within the plastic. These chips are activated by “near field communication” (NFC) wireless devices, the same technology used in the newly released Apple Pay scheme. The payment terminal generates a low-powered wireless field close to the device that activates a nearby chip, such as one in a card presented to it. The card provides its details and the transaction is completed without the need for a PIN.

This is a transaction based on trust, one that hinges on the fairly low value of the transaction. If the bank suspects foul play, it can prompt for a PIN to confirm you are who you claim to be.

There have already been issues with near field devices. Some retailers’ readers have connected to and taken payment from the wrong cards. Some banks have changed their terms and conditions to state that removing the card from your wallet is your responsibility, in order to reduce their liability in such card mix-up disputes.

Now, Transport for London allows the use of these cards to pay for tube and bus journeys instead of the Oyster card system – essentially the same technology that’s been in use since 2003. The challenge is that many keep their Oyster cards in the same wallet or purse as their other contactless cards. This issue is so common that there is now a phrase for it – card clash. Retailers have historically installed contactless readers that generate wireless fields that are too powerful, and which could extract payments from cards in passing pockets rather than cards presented at the till.

Some smart entrepreneurs, spotting a gap in the market, offer RFID-shielded wallets to prevent this issue. While the distribution of these devices is tightly regulated, it’s possible to lay an RFID trap by hiding an RFID reader with a wide wireless field to detect passing victims and their cards – something that some world travellers have already experienced, a concept known as ePickpocketing.

With Apple Pay and other contactless technologies now associated with or built into smartphones, everyone is trying to create a seamless service for all our financial needs. Others are considering alternate payment systems, based on the same technology – such as Barclaycard’s contactless wristband. Each comes with potential benefits and potential risks, and I’m not yet sure whether they are a great idea or just another beacon for thieves.