Press release
Published: 28 October 2025

Exposing security loopholes in modern contactless payments

Convenience features built into contactless payment systems are quietly undermining their security, according to a study led by the University of Surrey, in collaboration with the University of Birmingham, which exposes hidden weaknesses that allowed researchers to perform unauthorised high-value transactions with some of the most modern contactless payment devices.

The research, published at the 34th USENIX Security Symposium and presented at DEF CON 2025, details how the growing complexity of EMV contactless payments, used in 90% of in-store transactions worldwide, has opened new loopholes that fraudsters could exploit. Among these, the researchers revealed serious flaws in certain types of contactless EMV payments, showing new ways to bypass safeguards and enable fraudulent high-value transactions. EMV is the global standard behind all types of Visa, Mastercard and Europay debit and credit cards, which are now also integrated into mobile wallets such as Apple Pay, Google Pay and Samsung Pay, as well as watches and other wearables. In one case, a payment terminal was made to accept a fraudulent £25,000 payment.

Over the last decade, payment providers, card networks, terminal manufacturers and mobile platforms have independently added features on top of the EMV standard. These include restricting card readers that are offline (i.e., not connected to the Internet or plugged into the payment network) to transacting only with mobile devices; transit or transport modes that let commuters move quickly through barriers without unlocking their phones; and region-specific rules on how a PIN is entered for high-value transactions.

These new features are designed to improve convenience, to meet local payment services regulations, or to support proprietary features from Google, Apple or vendors of payment PoS (point-of-sale) terminals. However, the study found that these features, alone or, more often, in combination, can lead to insecurities and, in turn, to the possibility of making fraudulent payments. In practice, the researchers were able to demonstrate ways to trick terminals into accepting a plastic card when only a phone should have been allowed, or to process payments above the £100 contactless limit without PIN or biometric checks.

The study is the first of its kind to reveal critical weaknesses specifically in offline PoS terminals, which are widely used in shops, restaurants and taxis for their convenience. The researchers found that, for some readers, both proprietary restrictions and regulatory safeguards could be bypassed, opening the door to fraudulent transactions. In one striking example, they demonstrated that offline PoS terminals make fraudulent high-value Mastercard payments much easier than expected.

Some of the attacks highlighted a concerning possibility: so-called “free lunch” attacks, where fraudsters could walk away with high-value goods while merchants are left footing the bill when payments are later declined. 

The research team reported their findings to several parties in 2024 and helped develop EMV-compliant fixes for some of the most serious vulnerabilities.  

"The issues we found are not about companies getting it wrong, but about how a system as complex as EMV can develop hidden cracks when new features are added independently. Working together, we can close those gaps and make contactless payments safer for everyone."

Tom Chothia, Professor of Cyber Security at the University of Birmingham and co-author

In the rapidly expanding world of contactless payments, and with modern mobile PoS introducing new operating models, the findings underscore the urgent need to scrutinise add-on payment features, raising concerns about hidden risks in systems that millions depend on every day.

###

Notes to editors 

  • Professor Ioana Boureanu and Professor Tom Chothia are available for interview; please contact mediarelations@surrey.ac.uk to arrange. 
  • The full paper can be found here (More is Less: Extra Features in Contactless Payments Break Security. Authors: George Pavlides (Surrey Centre for Cyber Security, University of Surrey); Anna Clee (University of Birmingham); Ioana Boureanu (Surrey Centre for Cyber Security, University of Surrey); Tom Chothia (University of Birmingham)).

Media Contacts

External Communications and PR team
Phone: +44 (0)1483 684380 / 688914 / 684378
Email: mediarelations@surrey.ac.uk
Out of hours: +44 (0)7773 479911