Researchers uncover vulnerabilities allowing fraudulent high-value contactless transactions


Convenience features built into contactless payment systems are quietly undermining their security, as a study led by the University of Surrey, in collaboration with the University of Birmingham, exposes hidden weaknesses that allowed researchers to perform unauthorized high-value transactions with some of the most modern contactless payment devices.

The research, published as part of the 34th USENIX Security Symposium, and set to be presented at DEFCON 2025 held in Bahrain Nov. 5–6, details how the growing complexity of EMV , used in 90% of in-store transactions worldwide, has opened new loopholes that fraudsters could exploit.

The researchers revealed serious flaws in certain types of contactless EMV payments, showing new ways to bypass safeguards and enable fraudulent high-value transactions. EMV is the global standard behind all types of Visa, Mastercard and Europay debit and , which are now also integrated into mobile wallets such as Apple Pay, Google Pay and Samsung Pay, as well as watches and other wearables. In one case, a was made to accept a fraudulent £25,000 payment.

Over the last decade, payment providers, card networks, terminal manufacturers and mobile platforms have independently added additional features on top of the EMV standard. These include restricting card readers that are offline (i.e., not connected to the Internet or plugged into the payment network) to transacting only with , transit or transport modes that let commuters move quickly through barriers without unlocking their phones, as well as region-specific rules on how a PIN is input for high-value transactions.

These new features are designed to improve convenience, to meet local regulations set by Payment Services, or to support proprietary features from Google, Apple, or vendors of payment point-of-sale (PoS) terminals. However, the study found that these features, alone or often in combination, can introduce weaknesses and, in turn, make fraudulent payments possible.

In practice, researchers were able to demonstrate ways to trick terminals into accepting a plastic card when only a phone should have been allowed, or to process payments above the £100 contactless limit without PIN or biometric checks.
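The article's central point is that features added independently on top of EMV (offline readers restricted to certain form factors, transit modes that skip cardholder verification, regional PIN rules) can each look sound on its own and still combine into a path on which the high-value PIN check is never reached. The following Python model is an added illustration of that design failure and is not code from the paper, the researchers or any payment vendor; the terminal configuration, transaction fields, decision labels and the £20 transit fare ceiling are constructed assumptions, and only the £100 UK contactless limit comes from the article. It contrasts a policy written as a chain of independent early returns with one that evaluates the non-negotiable limits first, and includes a differential check a reviewer can run over sample transactions to surface where the naive policy is more permissive.

```python
"""Hypothetical model of a contactless terminal's cardholder-verification
(CVM) policy.  Constructed for illustration only: it is not EMV kernel
code and does not reproduce any real terminal's logic."""

from dataclasses import dataclass

CONTACTLESS_CVM_LIMIT_GBP = 100  # UK no-PIN ceiling cited in the article


@dataclass(frozen=True)
class Transaction:
    amount_gbp: int
    form_factor: str            # "card" (plastic) or "phone" (mobile wallet)
    consumer_device_cvm: bool   # phone already verified the user (biometric)


@dataclass(frozen=True)
class TerminalConfig:
    offline: bool                      # reader not connected to the network
    offline_allowed_forms: frozenset   # form factors an offline reader accepts
    transit_mode: bool                 # tap-through-the-barrier mode
    transit_max_gbp: int               # fare ceiling transit mode was built for


def naive_decision(tx: Transaction, cfg: TerminalConfig) -> str:
    """Each feature bolted on as its own early return.  Reviewed in
    isolation every branch is reasonable; together they leave a path on
    which neither the offline restriction nor the £100 limit is consulted."""
    if cfg.transit_mode:
        # Transit feature: commuters must never be asked for a PIN at a gate.
        return "APPROVE_NO_CVM"
    if cfg.offline and tx.form_factor not in cfg.offline_allowed_forms:
        return "DECLINE"
    if tx.consumer_device_cvm:
        return "APPROVE_NO_CVM"       # the phone vouches for the user
    if tx.amount_gbp > CONTACTLESS_CVM_LIMIT_GBP:
        return "REQUIRE_PIN"
    return "APPROVE_NO_CVM"


def hardened_decision(tx: Transaction, cfg: TerminalConfig) -> str:
    """Invariants are evaluated first and cannot be short-circuited by any
    convenience feature; a feature may only narrow what is permitted."""
    if cfg.offline and tx.form_factor not in cfg.offline_allowed_forms:
        return "DECLINE"
    if cfg.transit_mode and tx.amount_gbp > cfg.transit_max_gbp:
        return "DECLINE"              # transit mode bounded by its own ceiling
    if tx.amount_gbp > CONTACTLESS_CVM_LIMIT_GBP and not tx.consumer_device_cvm:
        return "REQUIRE_PIN"
    return "APPROVE_NO_CVM"


# Strictness order used to compare the two policies' outcomes.
_PERMISSIVENESS = {"DECLINE": 0, "REQUIRE_PIN": 1, "APPROVE_NO_CVM": 2}


def find_gaps(cfg: TerminalConfig, transactions):
    """Defensive review check: run both policies over sample transactions and
    report every case where the naive policy is more permissive."""
    gaps = []
    for tx in transactions:
        naive, hard = naive_decision(tx, cfg), hardened_decision(tx, cfg)
        if _PERMISSIVENESS[naive] > _PERMISSIVENESS[hard]:
            gaps.append((tx, naive, hard))
    return gaps


# Constructed sample: an offline, phone-only reader that also has transit
# mode switched on, and a few transactions of both form factors.
SAMPLE_CONFIG = TerminalConfig(offline=True,
                               offline_allowed_forms=frozenset({"phone"}),
                               transit_mode=True, transit_max_gbp=20)
SAMPLE_TRANSACTIONS = [
    Transaction(amount_gbp=15, form_factor="phone", consumer_device_cvm=False),
    Transaction(amount_gbp=250, form_factor="phone", consumer_device_cvm=False),
    Transaction(amount_gbp=25000, form_factor="card", consumer_device_cvm=False),
]

if __name__ == "__main__":
    for tx, naive, hard in find_gaps(SAMPLE_CONFIG, SAMPLE_TRANSACTIONS):
        print(f"£{tx.amount_gbp} via {tx.form_factor}: naive={naive} hardened={hard}")
```

The lesson is in the shape of the two functions rather than in any single branch: in the hardened version the checks that must always hold (form-factor restriction, amount ceilings) are ordered before any convenience exception, so adding a new feature later cannot silently widen what the terminal approves. The `find_gaps` diff is the kind of regression test a terminal vendor could keep alongside its CVM configuration so that every newly added mode is exercised together with the existing ones, not only on its own.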

Professor Ioana Boureanu says, "Contactless payments have become standard practice for millions of us, seemingly exploding in popularity overnight during the pandemic. Since then, we've seen a patchwork of new features added by different payment providers, often for the right reasons, but not always with consideration for how they interact.

"Our research shows that this rush to add new features to improve the shopping experience or to support new use cases has sometimes come at the cost of security. Regarding our findings, the industry has already made promising fixes but there is still a need for better coordination between providers to ensure convenience doesn't create new opportunities for fraud."

The study is the first of its kind to reveal critical weaknesses specifically in offline PoS widely used in shops, restaurants and taxis for their convenience. Researchers found that, for some readers, both proprietary restrictions and regulatory safeguards could be bypassed, opening the door to fraudulent transactions. In one striking example, they demonstrated that offline PoS makes fraudulent high-value Mastercard payments much easier than expected.

Some of the attacks highlighted a concerning possibility: so-called "free lunch" attacks, where fraudsters could walk away with high-value goods while merchants are left footing the bill when payments are later declined.

The research team reported their findings to several parties in 2024 and helped develop EMV-compliant fixes for some of the most serious vulnerabilities.

"The issues we found are not about companies getting it wrong, but about how a system as complex as EMV can develop hidden cracks when new features are added independently. Working together, we can close those gaps and make contactless payments safer for everyone," says Tom Chothia.

In the rapidly expanding world of contactless payments, and with modern mobile PoS introducing new operating models, the findings underscore the urgent need to scrutinize add-on payment features, raising concerns about hidden risks in systems that millions depend on every day.

More information: More is Less: Extra Features in Contactless Payments Break Security. www.usenix.org/conference/usen … resentation/pavlides

Citation: Researchers uncover vulnerabilities allowing fraudulent high-value contactless transactions (2025, October 28) retrieved 2 November 2025 from https://techxplore.com/news/2025-10-exposing-loopholes-modern-contactless-payments.html
