Study finds contactless payment security loopholes

The study was led by the University of Surrey in collaboration with the University of Birmingham
Convenience features built into contactless payment systems are quietly undermining their security, a university study has found.
The research, led by the University of Surrey in collaboration with the University of Birmingham, exposed hidden weaknesses that allowed researchers to perform unauthorised high-value transactions.
Ioana Boureanu, head of the Surrey Centre for Cyber Security, said: "The industry has already made promising fixes but there is still a need for better coordination between providers to ensure convenience doesn't create new opportunities to fraud."
The research team said it reported its findings to several parties in 2024 and helped develop some fixes.
Features added to contactless payments to boost convenience include allowing offline transactions, transport modes that let commuters move quickly through barriers without unlocking their phones, and region-specific rules on how a PIN is input for high-value transactions.
However, the study found these features could introduce security weaknesses and, in turn, make fraudulent payments possible.
In practice, researchers were able to demonstrate ways to trick terminals into accepting a plastic card when only a phone should have been allowed, or to process payments above a contactless limit without PIN or biometric checks.
In one case, a payment terminal was made to accept a fraudulent £25,000 payment, the University of Surrey said.
Tom Chothia, professor of cyber security at the University of Birmingham, said: "The issues we found are not about companies getting it wrong, but about how a system as complex as EMV [Europay, Mastercard, and Visa] can develop hidden cracks when new features are added independently.
"Working together, we can close those gaps and make contactless payments safer for everyone."
Mastercard and Visa have been contacted for comment.
