> Positive Technologies found that both of these checks can be bypassed using a device which intercepts communication between the card and the payment terminal. This device acts as a proxy and is known to conduct man in the middle (MITM) attacks. First, the device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.
That's the first time I hear about RFID/NFC MITM, neat.
> That's the first time I hear about RFID/NFC MITM, neat.
That's been a thing for quite a few years now in the context of pentesting, e.g. for badge cloning / proxying for access control systems, see for example [1] for an overview presentation. There are quite a few BlackHat talks on that space that give a good overview at this point. This attack is intriguing since it circumvents more complex measures by manipulating the communication and obviously has practical and direct impact on a monetary asset.
I've read elsewhere ([2], German) that Visa declines to fix this with the explanation that it would require attackers to steal the card in the first place and is technologically too complex to be seen in the real world, which is kind of weird. The hardware required is pretty accessible at this point but I guess their risk assessment determined that the actually occurring fraud with this method is currently not worth fixing anything.
At the time those cards came out I was very skeptical about their safety (and of course have been called paranoid/excessive/etc. by everyone).
After all I wasn't that much off, my theory was that anyone in a crowded environment (bus, train, etc.) could get a "payment" by simply being "near" the card (be it in a wallet, in your pocket or in a bag).
The objection was that there were much more sophisticated controls by Visa on the "other side" (reputability of the account where the money would go, etc.) and that the sheer number of micro-payments needed to make the theft profitable (and thus the number of complaints) would have easily triggered off the various automated alarms.
But if someone can obtain a Visa/bank account and credit it with a small number of (delinquent) transactions each of relatively high amount, get the money and close the account in a short time it can probably become viable.
There is no fraudulent transaction, or - probably saying it better - any transaction is not fraudulent until it is detected as such or reported as such.
The whole point of the (rightful) "objection" I mentioned is that there are mechanisms of alarm that would be triggered by - say - a new (delinquent) account receiving one hundred 25 US$ (or Euros) transactions (and no other transaction) in a small amount of time and then, a few hours or days later the sum is transferred to another account and cashed or spent.
But if it is a couple transactions of 1,500 US$ each (or whatever sum that - while being substantial - is below a given triggering alert level) would the alarm be triggered?
Or will it be triggered only after - say - 2/3 of the credit is spent?
If you manage to get a merchant account (mule, homeless credentials) you don't need additional technologically advanced/complicated exploits involving getting physically close to people. You just open an internet shop, list high-end multimedia equipment (TV, consoles, laptops, phones) at 30% off prices and spam FB/coupon/deal sites.
Well a VISA card has usually a (daily or monthly or both) drawing/spending limit, the monthly usually being AFAIK in the 1,500-5,000 US$ or Euro range.