Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards Without the PIN

Emms, Martin, Arief, Budi, Freitas, Leonardo, Hannon, Joseph, van Moorsel, Aad (2014) Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards Without the PIN. In: CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). CCS Computer and Communications Security. pp. 716-726. ACM, New York, USA. ISBN 978-1-4503-2957-6. (doi:10.1145/2660267.2660312) (KAR id:54148)

Abstract

In this paper we present an attack which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in the EMV protocol which allows EMV contactless cards to approve unlimited-value transactions without the cardholder’s PIN when the transaction is carried out in a foreign currency. For example, we have found that Visa credit cards will approve foreign currency transactions for any amount up to €999,999.99 without the cardholder’s PIN; this side-steps the £20 contactless transaction limit in the UK. This paper outlines our analysis methodology that identified the flaw in the EMV protocol, and presents a scenario in which fraudulent transaction details are transmitted over the Internet to a “rogue merchant”, who then uses the transaction data to take money from the victim’s account. In reality, the criminals would choose a value between €100 and €200, which is low enough to be within the victim’s balance and not raise suspicion, but high enough to make each attack worthwhile. The attack is novel in that it could be operated on a large scale, with multiple attackers collecting fraudulent transactions for a central rogue merchant, which could be located anywhere in the world where EMV payments are accepted.
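
The decision logic the abstract describes, as an added worked example that is not the paper's code and not the EMV specification: a constructed model in which the no-PIN contactless ceiling is applied only to transactions in the card's own currency (the flaw), beside a hardened card-side rule that refuses no-PIN foreign-currency transactions, and an issuer-side check that converts every no-PIN contactless amount into the card's home currency before comparing it with the £20 ceiling. The ISO 4217 numeric codes are real; the EUR-to-GBP rate, the sample transactions and all function names are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# ISO 4217 numeric currency codes (real values).
GBP = 826
EUR = 978

# UK no-PIN contactless ceiling cited in the paper, in minor units (pence).
UK_CONTACTLESS_LIMIT_MINOR = 2000  # £20.00


@dataclass(frozen=True)
class Transaction:
    """One contactless EMV transaction as seen by the card or the issuer.

    amount_minor is in the currency's minor unit (pence, euro cents);
    cvm_performed is True when a PIN or other cardholder verification was done.
    """
    amount_minor: int
    currency: int
    contactless: bool
    cvm_performed: bool


def flawed_card_approves(tx: Transaction, card_currency: int = GBP,
                         limit_minor: int = UK_CONTACTLESS_LIMIT_MINOR) -> bool:
    """Constructed model of the behaviour the paper reports: the ceiling is
    applied only to transactions in the card's own currency, so a foreign
    currency amount of any size is approved without a PIN."""
    if not tx.contactless or tx.cvm_performed:
        return True                      # contact or PIN path: not modelled here
    if tx.currency != card_currency:
        return True                      # the flaw: no ceiling for foreign currency
    return tx.amount_minor <= limit_minor


def hardened_card_approves(tx: Transaction, card_currency: int = GBP,
                           limit_minor: int = UK_CONTACTLESS_LIMIT_MINOR) -> bool:
    """Assumed card-side fix: a card cannot convert currencies, so any no-PIN
    contactless transaction outside its own currency is refused and must fall
    back to PIN (or go online for the issuer to decide)."""
    if not tx.contactless or tx.cvm_performed:
        return True
    if tx.currency != card_currency:
        return False
    return tx.amount_minor <= limit_minor


def to_home_minor(tx: Transaction, rates: dict, home: int = GBP) -> int:
    """Convert tx.amount_minor into the home currency's minor units.
    rates maps currency code -> Decimal units of home currency per unit of
    that currency (both currencies here use two minor digits)."""
    if tx.currency == home:
        return tx.amount_minor
    converted = Decimal(tx.amount_minor) * rates[tx.currency]
    return int(converted.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def flag_suspicious(transactions: list, rates: dict, home: int = GBP,
                    limit_minor: int = UK_CONTACTLESS_LIMIT_MINOR) -> list:
    """Issuer-side detection: indices of contactless, no-CVM transactions whose
    home-currency equivalent exceeds the ceiling the card should have enforced.
    A currency with no rate cannot be bounded, so it is flagged as well."""
    flagged = []
    for i, tx in enumerate(transactions):
        if not tx.contactless or tx.cvm_performed:
            continue
        if tx.currency != home and tx.currency not in rates:
            flagged.append(i)
            continue
        if to_home_minor(tx, rates, home) > limit_minor:
            flagged.append(i)
    return flagged


# Constructed placeholder rate, not a real market quote.
RATES = {EUR: Decimal("0.80")}

# Constructed sample of contactless transactions.
SAMPLE = [
    Transaction(1500, GBP, True, False),      # £15 domestic, under the limit
    Transaction(2500, GBP, True, False),      # £25 domestic, over the limit
    Transaction(15000, EUR, True, False),     # €150, the range the paper expects criminals to use
    Transaction(99999999, EUR, True, False),  # €999,999.99, the maximum the paper found approved
    Transaction(15000, EUR, True, True),      # €150 with PIN: legitimate
    Transaction(2000, EUR, True, False),      # €20 (£16 at the placeholder rate), under the limit
]

if __name__ == "__main__":
    for i, tx in enumerate(SAMPLE):
        print(i, tx, "flawed:", flawed_card_approves(tx),
              "hardened:", hardened_card_approves(tx))
    print("issuer flags:", flag_suspicious(SAMPLE, RATES))
```

Running the block shows the flawed model approving the €999,999.99 transaction while refusing £25 in sterling, and the issuer-side rule flagging the two euro transactions the abstract describes plus the over-limit domestic one; the €150 transaction verified with a PIN and the €20 transaction are left alone.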

Item Type: Conference or workshop item (Proceeding)
DOI/Identification number: 10.1145/2660267.2660312
Uncontrolled keywords: EMV, contactless cards, foreign currency transaction limits, fraudulent transaction, rogue merchant
Subjects: Q Science > QA Mathematics (inc Computing science)
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Budi Arief
Date Deposited: 10 Feb 2016 18:02 UTC
Last Modified: 26 Mar 2021 14:18 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/54148 (The current URI for this page, for reference purposes)
