Using your cell phone or bank card to pay contactlessly has become a daily routine for millions of consumers. Fast, practical and without the need for physical cash or entering a password for each transaction, the contactless system is today one of the most used payment methods.
However, the same technology that simplifies shopping can also open unexpected security holes. An investigation conducted by teams from the University of Surrey and the University of Birmingham, in the United Kingdom, identified vulnerabilities that could allow unauthorized payments to be carried out, including high-value transactions.
According to researchers, these weaknesses are not the result of direct errors by companies, but rather the growing complexity of the system.
How contactless payment works
Contactless payment is based on NFC (Near Field Communication) technology, which allows bank cards, smartphones and other smart devices to communicate with the payment terminal just by contact.
With this evolution, it is no longer necessary to insert the card into the terminal or enter the PIN for all purchases. In many cases, simply bringing the device closer to complete the operation.
In addition to cards, cell phones themselves now function as digital wallets, making the process even faster and more convenient.
What the investigation found
The study by British universities concluded that some recent features, created to improve the user experience, can reduce protection mechanisms.
Among the factors identified are:
- possibility of making payments even without network coverage;
- transactions without needing to unlock your cell phone;
- different rules on when a PIN should be requested on high-value purchases.
According to researchers, these facilities, although useful in everyday life, can be exploited to circumvent security controls.
Fraudulent payments and high amounts
During testing, the team managed to trick payment terminals in several ways.
Researchers have demonstrated that it is possible:
- making a terminal accept a credit card when it should only allow payments by cell phone;
- Process payments over the limit contactless without biometric verification or PIN entry.
In one reported case, a terminal accepted a fraudulent payment of £25,000, according to the University of Surrey.
“Convenience cannot compromise security”
Ioana Boureanu, director of the Surrey Cybersecurity Centre, warns of the risks of prioritizing speed over user protection.
“Our research shows that rushing to introduce new features to improve the shopping experience or new ways of using them sometimes comes at the expense of our security,” he said.
Despite recognizing recent advances, he emphasizes that there is still work to be done:
“The industry has already introduced promising improvements, but better coordination among providers continues to be needed to ensure that convenience does not generate new opportunities for fraud.”
Failures are not the direct fault of companies
The researchers are keen to emphasize that the problems detected are not the result of negligence on the part of the brands.
Tom Chothia, another member of the project, explains: “The problems we detected are not due to company errors, but to the fact that a system as complex as EMV [Europay, Mastercard e Visa] can develop hidden flaws when new functions are added independently.”
The team communicated the conclusions to the entities involved in 2024 and collaborated in the development of some solutions.
Although the study does not indicate that all payments are compromised, it does show that the security of contactless systems depends on a delicate balance between ease of use and fraud protection.
As physical money loses ground and mobile payments become dominant, experts advocate greater technical coordination and reinforcement of verification mechanisms, so that convenience does not translate into financial risk.
For consumers, the message is clear: contactless is practical, but it is not foolproof.
