Channel: BOT24

Paper: Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN

In this paper we present an attack, which allows fraudulent
transactions to be collected from EMV contactless credit and debit
cards without the knowledge of the cardholder. The attack
exploits a previously unreported vulnerability in the EMV protocol,
which allows EMV contactless cards to approve unlimited value
transactions without the cardholder’s PIN when the transaction is
carried out in a foreign currency. For example, we have found that
Visa credit cards will approve foreign currency transactions for
any amount up to €999,999.99 without the cardholder’s PIN; this
side-steps the £20 contactless transaction limit in the UK. This
paper outlines our analysis methodology that identified the flaw in
the EMV protocol, and presents a scenario in which fraudulent
transaction details are transmitted over the Internet to a “rogue
merchant” who then uses the transaction data to take money from
the victim’s account. In reality, the criminals would choose a
value between €100 and €200, which is low enough to be within
the victim’s balance and not to raise suspicion, but high enough to
make each attack worthwhile. The attack is novel in that it could
be operated on a large scale with multiple attackers collecting
fraudulent transactions for a central rogue merchant which can be
located anywhere in the world where EMV payments are
accepted.

More here: http://homepages.cs.ncl.ac.uk/budi.arief/home.formal/Papers/CCS2014.pdf
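An issuer-side screening rule for the condition the abstract describes, as an added example that is not code from the paper or its authors. It assumes a UK issuer, that the authorisation data arrives as flat BER-TLV, and that it carries Amount Authorised (9F02), Transaction Currency Code (5F2A) and CVM Results (9F34); the `screen` and `msg` helpers and all sample messages are constructed for illustration.

```python
# Added example (not from the paper): issuer-side screening of contactless
# authorisation data. Field layout and sample messages are assumptions.
DOMESTIC_CURRENCY = "0826"    # ISO 4217 numeric code for GBP (assumed UK issuer)
DOMESTIC_LIMIT_MINOR = 2000   # the £20 contactless limit, in pence
# CVM Results codes: fail CVM processing / no CVM required / no CVM performed
NO_CVM_CODES = {0x00, 0x1F, 0x3F}
REQUIRED = ("9F02", "5F2A", "9F34")  # amount, currency code, CVM Results


def parse_tlv(data: bytes) -> dict:
    """Parse flat BER-TLV with 1- or 2-byte tags and short-form lengths."""
    fields, i = {}, 0
    while i < len(data):
        tag_len = 2 if data[i] & 0x1F == 0x1F else 1
        if i + tag_len >= len(data):
            raise ValueError("truncated tag or length")
        tag = data[i:i + tag_len].hex().upper()
        length = data[i + tag_len]
        if length & 0x80:
            raise ValueError("long-form length not supported")
        start = i + tag_len + 1
        value = data[start:start + length]
        if len(value) != length:
            raise ValueError("truncated value")
        fields[tag] = value
        i = start + length
    return fields


def screen(data: bytes):
    """Return a reason string if the transaction should not pass, else None."""
    f = parse_tlv(data)
    if any(not f.get(tag) for tag in REQUIRED):
        return "decline: required field missing"
    amount = int(f["9F02"].hex())          # BCD digits, minor currency units
    currency = f["5F2A"].hex()             # BCD digits, e.g. "0978" for EUR
    if (f["9F34"][0] & 0x3F) not in NO_CVM_CODES:
        return None                        # a cardholder verification method was recorded
    if currency != DOMESTIC_CURRENCY:
        return "flag: foreign currency without cardholder verification"
    if amount > DOMESTIC_LIMIT_MINOR:
        return "flag: over domestic limit without cardholder verification"
    return None


def msg(amount_bcd: str, currency: str, cvm: str) -> bytes:
    """Build a constructed sample message from hex field values."""
    return bytes.fromhex("9F0206" + amount_bcd + "5F2A02" + currency + "9F3403" + cvm)
```

The rule flags every no-CVM foreign-currency transaction rather than converting the amount, because the domestic limit cannot be compared directly against an amount in another currency.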
