Toggle Main Menu Toggle Search

Open Access padlockePrints

Harvesting high value foreign currency transactions from EMV contactless cards without the PIN

Lookup NU author(s): Dr Martin Emms, Dr Leonardus Arief, Dr Leo Freitas, Joe Hannon, Professor Aad van Moorsel



In this paper we present an attack which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder's PIN when the transaction is carried out in a foreign currency. For example, we have found that Visa credit cards will approve foreign currency transactions for any amount up to €999,999.99 without the cardholder's PIN, this side-steps the £20 contactless transaction limit in the UK. In reality, the criminals would choose a value between €100 and €200, which is low enough to be within the victim's balance and not to raise suspicion, but high enough to make each attack worthwhile. This paper outlines a scenario in which fraudulent transaction details are transmitted over the Internet to a "rogue merchant" who then uses the transaction data to take money from the victim's account. The attack described in this paper differs from previously identified attacks on EMV cards, in that it can be used to directly access money from EMV cards rather than to buy goods. The attack is novel in that it could be operated on a large scale with multiple attackers collecting fraudulent transactions for a central rogue merchant which can be located anywhere in the world where EMV payments are accepted.

Publication metadata

Author(s): Emms M, Arief B, Freitas L, Hannon J, van Moorsel A

Publication type: Report

Publication status: Published

Series Title: School of Computing Science Technical Report Series

Year: 2014

Pages: 8

Print publication date: 14/05/2014

Source Publication Date: May 2014

Report Number: 1421

Institution: School of Computing Science, University of Newcastle upon Tyne

Place Published: Newcastle upon Tyne