Common convenience features that are built into various contactless payment systems are seemingly undermining their security, according to a recent university study. The research, which has reportedly been led by the University of Surrey with assistance from the University of Birmingham, appears to have exposed so-called hidden weaknesses that enabled the research team to carry out unauthorised high-value transfers.
Ioana Boureanu, the head of the Surrey Centre for Cyber Security, acknowledged that the payments industry has made seemingly promising fixes, but said there is still a pressing need for improved coordination between service providers to ensure that convenience does not lead to opportunities for bad actors to engage in fraudulent activities.
The researchers said they shared their findings with various parties in 2024 and assisted in the development of certain fixes.
As first reported by the BBC, features that had been added to contactless payments to enhance convenience include enabling offline transfers, transport modes that allow commuters to move quickly through barriers without having to unlock their smartphones, as well as region-specific guidelines on how a PIN is required for relatively high-value transfers.
But the research study determined that such features might result in significant security weaknesses and, therefore, the potential to carry out fraudulent transactions.
As noted in the update, the research team had been able to demonstrate ways to trick terminals into accepting a plastic card when only a smartphone should have been permitted, or to process certain transfers above a contactless limit without needing any PIN or biometric verification.
In a notable example, a payment terminal had been made to accept a fraudulent £25,000 transfer, the University of Surrey revealed.
Tom Chothia, professor of cybersecurity at the University of Birmingham, shared that the issues they had found are not about firms getting it wrong, but rather about how a system as complex as EMV (Europay, Mastercard, and Visa) can have cracks when new features are introduced independently.
Chothia added that, by working cooperatively, they would be able to reliably close those gaps and make contactless payments more secure for consumers.
A Visa rep claimed that contactless payments are still among the safest options for consumers. They pointed out that in nations where contactless payments are used quite often, fraud at the point of sale has been fairly low. Visa also clarified that should something go wrong, cardholders are protected under the so-called zero liability policy.