Visa’s contactless credit cards are at risk of attack due to a flaw that means they will process unlimited cash transactions without asking for a PIN.
Experts from Newcastle University discovered that if the money is requested in a foreign currency, the cards will approve transactions of up to 999,999.99 in that currency without a PIN.
This sidesteps the current £20 contactless limit imposed on the technology - and transactions can be carried out even if the card is still in the victim’s pocket or bag.
Presenting their research at the CCS 2014 academic conference in Arizona, the Newcastle team said this flaw could open the door to potential fraud by criminals who are constantly looking for ways to breach the systems.
‘With just a mobile phone we created a POS terminal that could read a card through a wallet,’ explained Martin Emms, lead researcher on the project.
‘All the checks are carried out on the card rather than the terminal, so at the point of transaction, there is nothing to raise suspicions.
‘By pre-setting the amount you want to transfer, you can bump your mobile against someone’s pocket or swipe your phone over a wallet left on a table and approve a transaction.
‘In our tests, it took less than a second for the transaction to be approved.’
The researchers added that they have not yet tested the back end of the system, and stressed that banks are likely to have security systems in place to prevent this kind of fraud.
‘Nevertheless, our research has identified a real vulnerability in the payment protocol, which could open the door to ... fraud by criminals who are constantly looking for ways to breach the system,’ Mr Emms said.
‘The fact that we can bypass the £20 limit makes this new hack potentially very scalable and lucrative.
‘All a criminal would need to do is set up somewhere like an airport or the London underground where the use of different currencies would appear legitimate.’
The ability to buy items costing up to £20 without the need to insert a card and input a PIN has proved popular, despite initial fears over security.
Introduced for speed and customer convenience, the safeguards built into the Europay, MasterCard and Visa (EMV) system limit the maximum value allowed for each contactless transaction to £20.
Any amount over £20 requires the cardholder to enter their PIN.
During the Newcastle team’s research, once the ‘rogue POS terminal’ had been set up - either on a mobile phone or on a device similar to those placed illegally on ATMs - the researchers were able to input the amount they wanted to transfer.
When touched against the card, the transaction was automatically approved and a code was supplied by the card - all in less than a second.
This code would then be sent back to the bank to free up the funds.
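The limit check at the heart of the flaw, modelled in a few lines of Python as an added example (not the Newcastle team’s code, nor any real EMV kernel): the weak version enforces the ceiling only in the card’s home currency, while the hardened version normalises every request to the home currency first and sends anything over the limit online. The currency codes, exchange rates and decision labels are constructed placeholders.

```python
from decimal import Decimal

# Constructed placeholders: the card's home currency, the £20 contactless
# ceiling from the article, and illustrative exchange rates (GBP per unit).
HOME_CURRENCY = "GBP"
CONTACTLESS_LIMIT_GBP = Decimal("20.00")
MAX_OFFLINE_AMOUNT = Decimal("999999.99")  # the 999,999.99 ceiling from the article
RATES_TO_GBP = {"GBP": Decimal("1.00"), "EUR": Decimal("0.80"), "USD": Decimal("0.62")}


def weak_check(amount, currency):
    """Flawed decision as the article describes it: the £20 ceiling is only
    applied when the terminal requests the card's home currency, so any
    foreign-currency amount up to 999,999.99 is approved offline with no PIN."""
    amount = Decimal(str(amount))
    if currency == HOME_CURRENCY and amount > CONTACTLESS_LIMIT_GBP:
        return "PIN_REQUIRED"
    if amount <= MAX_OFFLINE_AMOUNT:
        return "APPROVED_OFFLINE"
    return "DECLINED"


def hardened_check(amount, currency, rates=RATES_TO_GBP):
    """Defensive decision: normalise every request to the home currency before
    comparing it with the ceiling, fail closed on a currency with no rate, and
    route anything above the ceiling online so the issuer authenticates it
    (the card itself holds no exchange rates, so this step is issuer-side)."""
    amount = Decimal(str(amount))
    rate = rates.get(currency)
    if rate is None or amount <= 0:
        return "DECLINED"
    in_home = (amount * rate).quantize(Decimal("0.01"))
    if in_home > CONTACTLESS_LIMIT_GBP:
        return "PIN_REQUIRED_ONLINE"
    return "APPROVED_OFFLINE"


def compare(transactions):
    """Run both checks over (amount, currency) pairs; returns a list of
    (amount, currency, weak_decision, hardened_decision) for inspection."""
    return [(a, c, weak_check(a, c), hardened_check(a, c)) for a, c in transactions]


if __name__ == "__main__":
    # Constructed sample requests, including the article's €200 and 999,999.99 cases.
    sample = [("15.00", "GBP"), ("25.00", "GBP"), ("200.00", "EUR"), ("999999.99", "EUR")]
    for row in compare(sample):
        print("{:>10} {}  weak={:<17} hardened={}".format(*row))
```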
‘This [flaw] lends itself to multiple attackers across the world collecting small transactions of perhaps €200 at a time for a central rogue merchant who could be located anywhere in the world,’ continued Mr Emms, who is based in the university’s Centre for Cybercrime and Computer Security.
‘This previously undocumented flaw around foreign currency, combined with the lack of POS terminal authentication, and the ease of skimming contactless credit cards, makes the system more vulnerable to high-value attacks.’
Professor Aad van Moorsel, head of the School of Computing Science at Newcastle University and one of the authors on the paper, added: ‘At the moment, the lowest hanging fruit with regard to payment card fraud is the magnetic stripe.
‘With the magnetic stripe option currently being phased out, the next target that criminals will aim for is the contactless payment feature.
‘If we can find flaws in contactless payment, then they will be able to do that as well. That is the purpose of our research: to find the holes and fix them before they can be exploited.’
But a spokesman for Visa Europe told MailOnline: ‘We have reviewed Newcastle’s findings as part of our continued focus on security and beating payments fraud.
‘The research does not take into account the multiple safeguards put into place throughout the Visa system, each of which must be met in order to make a transaction possible in the real world.
‘For these reasons we do not believe the findings to be a cause for concern, as it would be very difficult to complete a fraudulent payment of this kind outside a laboratory environment.’
It added that the firm is ‘updating the safeguards in the payment system’ to require more transactions to come online for authentication, which would make this kind of attack more difficult.