Last Updated: 2014-11-04 00:39:11 UTC
by Daniel Wesemann (Version: 1)
Newcastle (UK) University researchers claim to have found an exploit for the "contactless" payment feature of Visa cards. One of the fraud prevention features of these cards is that only small amounts can be charged in "touch mode", without requiring a PIN. But the researchers say that simply changing the currency seems to evade these precautions completely, and they built a fake POS terminal into a smart phone that apparently can swipe money from unsuspecting victims just by getting close enough to their wallet.
According to the press release, VISA's response was that "they believe that the results of this research could not be replicated outside a lab environment". Unfortunately, there ain't too many cases in security engineering history where such a claim held for more than a day or three. If this attack turns out to be true and usable in real life, Visa's design will go down into the annals of engineering screwups on par with NASA's "Mars Climate Orbiter", where the trajectory was computed in inches and feet, while the thruster logic expected metric information.
Needless to say that the latter episode didn't end all that well.