New Hack Targets Contactless Card Limits

According to a recent article in Forbes, researchers at a cybersecurity firm in the United Kingdom have discovered a Visa card hack that allows thieves to drain your bank account with a form of digital theft known as card skimming. Read on for a synopsis of the article, and see the full piece for complete details.


PIN numbers and low limits are supposed to protect your Visa card. But do they?

You’ve probably noticed that you usually don’t have to enter your PIN number or provide a signature when making a charge on your credit or debit card. That’s because most cards don’t require verification for transactions under a certain amount, called the floor limit. In the U.K., that amount is £30 on Visa cards. It’s $100 in the United States. One reason for the lack of PIN or signature verification is convenience. It’s faster to tap a card and be done with a purchase than to provide a signature or enter a PIN. The low limit prevents thieves from pulling all the money out of your account with one transaction. To get around this, crooks may try to make multiple charges right at the limit. When the bank sees repeated transactions for that amount, it deactivates the card. But RFID skimmers now have a way to get past the built-in safety mechanism.


A homemade RFID reader could let crooks hack contactless payment security.

Here’s how the hack works: An RFID hacker scans your credit card using a homemade reader. Usually, cards require verification with a PIN number for big charges. But the hacker’s device can send messages to the card and/or terminal indicating that verification isn’t necessary or has already occurred. Then the transaction goes through and the thief gets your money. The article from Forbes claims that researchers were able to steal about three times the limit in a single purchase. Transactions of that size wouldn’t trigger any action by the bank, so it’s possible that someone could make a few reasonable charges and pull several hundred dollars, maybe more, from your account.


This hack isn’t limited to contactless payment cards.

Smartphones are also susceptible to skimming attacks. A thief can simply scan and relay your contactless card and obtain the digital token it uses to authorize transactions. The skimmer then sends the digital token to another phone, which can be used to make contactless payments in amounts greater than the limit.


Cardholders in the United States are vulnerable too.

Although the researchers discovered this hack in the U.K., it's not limited to that region. Cards in the United States are also vulnerable to skimming hacks. 


Visa isn’t working on a solution.

Visa doesn’t plan to do anything about the hack. They say thieves are unlikely to try it because they’d have to get ahold of a card (actually, they’d just have to scan it). Visa also claims fraud with contactless payment cards is declining, but the article lists stats that show otherwise.


You don’t have to be vulnerable to card skimming or security hacks.

Fortunately, you can thwart the contactless payment card hack. Keeping your payment cards inside an RFID-blocking wallet secures them from skimming. Thieves won’t be able to scan your cards in the first place, so they’ll never be able to use the hack. You can also check your bank statements frequently to identify fraudulent charges. Eventually, your bank might discover a bogus transaction, but it’s likely much safer to look out for them on your own.
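
For readers who export their transactions, the statement check described above can be automated. The sketch below is an added example, not code from the article or from Visa. It flags the two patterns this article describes: contactless charges above the limit that went through without a PIN, and repeated charges right at the limit. The record fields, the sample rows and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

CONTACTLESS_LIMIT = Decimal("30.00")  # U.K. Visa limit quoted in the article
NEAR_LIMIT_RATIO = Decimal("0.9")     # assumption: "right at the limit" = within 10% of it
REPEAT_THRESHOLD = 3                  # assumption: 3+ such charges in one day is suspicious

# Constructed sample records: (date, merchant, amount, entry_mode, pin_verified).
# The field layout is hypothetical; adapt it to whatever your bank's export provides.
STATEMENT = [
    (date(2024, 5, 1), "Cafe",        Decimal("4.20"),  "contactless", False),
    (date(2024, 5, 2), "Electronics", Decimal("89.99"), "contactless", False),
    (date(2024, 5, 2), "Grocer",      Decimal("64.10"), "chip",        True),
    (date(2024, 5, 3), "Kiosk A",     Decimal("29.50"), "contactless", False),
    (date(2024, 5, 3), "Kiosk B",     Decimal("30.00"), "contactless", False),
    (date(2024, 5, 3), "Kiosk C",     Decimal("28.75"), "contactless", False),
    (date(2024, 5, 4), "Fuel",        Decimal("45.00"), "contactless", True),
    (date(2024, 5, 5), "Bakery",      Decimal("29.00"), "contactless", False),
]

def review_statement(rows, limit=CONTACTLESS_LIMIT):
    """Return sorted (row_index, reason) pairs for charges worth querying with the bank."""
    findings = []
    near_limit_by_day = defaultdict(list)
    for i, (day, _merchant, amount, mode, pin_verified) in enumerate(rows):
        if mode != "contactless":
            continue  # chip-and-PIN or online charges are outside this check
        if amount > limit and not pin_verified:
            # The bypass described in the article: a charge above the limit, no PIN.
            findings.append((i, "over-limit contactless charge without PIN"))
        elif limit * NEAR_LIMIT_RATIO <= amount <= limit:
            near_limit_by_day[day].append(i)
    for idxs in near_limit_by_day.values():
        # A single near-limit charge is normal; a same-day cluster is not.
        if len(idxs) >= REPEAT_THRESHOLD:
            findings.extend((i, "repeated charge right at the limit") for i in idxs)
    return sorted(findings)

if __name__ == "__main__":
    for index, reason in review_statement(STATEMENT):
        day, merchant, amount, _mode, _pin = STATEMENT[index]
        print(f"{day} {merchant:<12} {amount:>7} -> {reason}")
```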