Major Flaw Detected in New Chip-n-Pin Cards


(Newswire.net — November 4, 2014) — Arizona – A new microchip allows users to swipe a card without punching in the security code. This lets users quickly and comfortably pay a bill up to $31; however, that is the root of the major flaw, experts said.

Newcastle University researchers presented a report on Monday, at the ACM Conference on Computer and Communications Security, showing that the chips do not recognize limits with foreign currency transactions.

According to researchers, all it takes is a bump against another person’s pocket, where the card can communicate with something like a smartphone. There is a $31 limit; however, any foreign currency transfer is limitless. Researchers demonstrated the action, proving that it takes less than a second for that transaction to be approved.

The purpose of the research is to find the holes and fix them before they can be exploited by criminals, said Professor Aad van Moorsel, head of Newcastle University’s School of Computing Science and author of the report, as quoted by Wired.

He said that if they can find flaws, criminals will be able to do that as well. Magnetic strip cards still represent the best security since they require terminal authentication and are therefore less vulnerable. The microchip can be accessed without contact and the card is always “on,” meaning accidental communication with other devices is possible, said Aad van Moorsel.

Researchers warned that there might be hundreds of criminal companies located anywhere in the world, with multiple attackers across the world collecting small transactions of perhaps €200 at a time.

“This previously undocumented flaw around foreign currency, combined with the lack of POS terminal authentication and the ease of skimming contactless credit cards, makes the system more vulnerable to high-value attacks,” Martin Emms, the lead researcher on the project, said in a Newcastle University press statement.

The so-called EMV system (Europay, MasterCard and Visa), with Chip-n-Pin cards, is scheduled to be rolled out in the United States in 2015 as part of an effort to bring security to a higher level; however, Emms warned that US officials have not tested the back end of the system.

“It is not clear from reading the payment protocol how banks would deal with the inconsistencies we have found through our research,” he said, “hence we believe the vulnerability poses a potential threat.”