In recent years, contactless payment technologies have revolutionized consumer transactions, becoming the default method for millions worldwide. Riding on the back of convenience and speed, these systems utilize EMV (Europay, Mastercard, and Visa) standards, integrated into cards, smartphones, and wearable devices, to facilitate smooth, tap-and-go payments. However, groundbreaking research led by the University of Surrey, in collaboration with the University of Birmingham, has revealed alarming security vulnerabilities burrowed deep within these contactless systems. Presented at the prestigious USENIX Security Symposium and DEFCON 2025, this work exposes how the very features designed to enhance user experience inadvertently open doors for high-value fraud.
The EMV standard governs nearly 90 percent of all in-store debit and credit card transactions globally, underpinning the core of both physical card and mobile payment operations. Its adoption in contactless payments has sparked unprecedented growth, but as this study highlights, the rampant addition of proprietary and regulatory features layered atop the standard threatens to undermine the robust security EMV was originally designed to provide. Payment networks, terminal manufacturers, and service providers have independently introduced modifications — such as functionality tailored for offline terminals, transit-mode transactions, and varying PIN input restrictions depending on regions — without fully considering their interplay or cumulative security impact.
These incremental modifications, while well-intentioned and geared towards convenience or local regulatory compliance, have converged to produce complex, sometimes contradictory interactions that undermine foundational security assumptions. For instance, the research uncovered scenarios where an offline terminal, expected to only transact with mobile devices, can be tricked into accepting transactions made using physical plastic cards. Even more alarming was the ability to bypass safeguards that limit contactless payments above certain thresholds—such as the ubiquitous £100 limit—without triggering required PIN or biometric authentication checks.
A particularly striking manifestation of these vulnerabilities allowed researchers to fabricate a fraudulent transaction worth £25,000, accepted by a payment terminal that should have otherwise flagged or rejected high-value contactless attempts. This finding illuminates a dangerous discrepancy where offline terminals, prized for their convenience and speed in venues like restaurants, taxis, and shops, become enticing targets for fraudsters. Because these terminals do not communicate with central networks at the time of payment, there is an opportunity to exploit their transactions asynchronously, leading to later payment declines and financial losses for merchants.
The study also illuminated the phenomenon dubbed “free lunch” attacks, in which criminals could walk away with expensive goods without immediate payment authorization. These exploits rely on the delayed nature of offline payment validation, resulting in merchants being left to absorb the costs once fraudulent transactions are declined post-facto. The implications for the retail ecosystem are profound, highlighting how an emphasis on usability can create systemic risks that ripple through the supply chain.
Technically, these vulnerabilities stem from the fragmentation of the EMV system architecture in recent years. As new features were appended individually by providers without concerted coordination, loopholes emerged in the protocols that validate card-reader-device interactions. For example, some devices fail to enforce stringent mode restrictions consistently, thereby allowing devices originally restricted to mobile phones to accept legacy card formats. Similarly, regional variances in PIN enforcement logic create gaps for attackers to circumvent controls intended for high-value payment flows.
Dr. Ioana Boureanu, Professor of Secure Systems and Director at the Surrey Centre for Cyber Security, underscores that the proliferation of contactless payments during the COVID-19 pandemic accelerated the addition of diverse features to cater to emerging use cases. “Our findings show that while these features aim to enrich the user experience, the isolated development without holistic security scrutiny inadvertently cultivates vulnerabilities,” she says. The research team has since collaborated with industry stakeholders to devise and implement EMV-compliant mitigations addressing the most severe flaws, but the challenge of harmonizing convenience with security remains.
The University of Birmingham’s Professor Tom Chothia points out, “This is not a failure of companies, but a natural consequence of an increasingly complex payment ecosystem where independent evolutions collide. Only through collaborative efforts can the entire ecosystem reinforce its defenses.” Their research acts as a clarion call for more rigorous joint standardization efforts and comprehensive testing to safeguard against emerging attack vectors as contactless systems continue to evolve rapidly.
Operationally, the implications extend beyond just the technical realm. Retailers employing offline point-of-sale terminals face increased exposure as they become susceptible to sophisticated fraud schemes. Payment providers and terminal manufacturers are therefore pressed to reconcile the tension between enabling offline convenience and enforcing real-time security checks. Moreover, the intricacies posed by region-specific rules and proprietary vendor protocols compound the difficulty of securing a globally coherent and resilient payment infrastructure.
This investigation also challenges the prevailing assumption that contactless payment systems, especially those integrated into mobile wallets and wearables like Apple Pay and Samsung Pay, inherently offer enhanced security over traditional plastic cards. By revealing that similar or analogous flaws can be exploited across these device families, the research advocates for a security-first approach in future feature rollouts and regulatory frameworks.
Looking ahead, the research underscores an urgent priority: a systematic assessment and overhaul of “add-on” features layered atop EMV to preemptively patch hidden cracks before adversaries exploit them. Such an effort requires cooperation among payment networks, hardware and software vendors, regulators, and academic researchers. Only through transparency and joint innovation can contactless payment infrastructures achieve the dual imperatives of convenience and invulnerability essential for sustaining consumer trust.
In an age where digital payments are ubiquitous and rapidly evolving, this groundbreaking study serves as a timely reminder that technological sophistication must be matched with meticulous security hygiene. The stakes extend not just to preventing financial fraud but preserving the integrity of modern commerce at large. As contactless payments edge toward near-universal adoption, globally coordinated vigilance is critical to ensuring that the convenience we rely on daily does not gradually turn into a gateway for escalating fraud.
Subject of Research: Security vulnerabilities in contactless EMV payment systems caused by additional convenience and regulatory features.
Article Title: More is Less: Extra Features in Contactless Payments Break Security
News Publication Date: 2024
Web References:
USENIX Security Symposium Presentation
Keywords: Financial services, Security policy, Fraud
