
Researchers from the University of Surrey and the University of Birmingham have uncovered serious security weaknesses in modern contactless payment systems—vulnerabilities that could allow criminals to make unauthorized, high-value transactions.
The study, which will be presented at the DEFCON 2025 conference in Bahrain, reveals how features designed to make payments faster and more convenient may also be quietly undermining their safety.
Published as part of the 34th USENIX Security Symposium, the research found that the growing complexity of EMV contactless payments—used in roughly 90% of in-store transactions worldwide—has opened up new loopholes.
EMV is the global payment standard that powers Visa, Mastercard, and Europay cards, as well as mobile wallets such as Apple Pay, Google Pay, Samsung Pay, and wearable payment devices.
The team discovered that by manipulating how certain contactless features interact, they could bypass safety checks that normally prevent large payments without PIN or biometric verification.
In one test, they successfully tricked a payment terminal into accepting a fraudulent £25,000 transaction.
Over the years, different card networks, mobile platforms, and payment terminal manufacturers have each added new features to improve user experience.
For example, some offline terminals—used in places like taxis, restaurants, or rural areas—are programmed to work only with mobile wallets rather than physical cards.
Others include special “transit” modes that let commuters tap their phones without unlocking them.
While these updates were intended to make life easier, the study found that when combined, such features can create security holes that hackers might exploit.
Professor Ioana Boureanu, one of the lead researchers, explained that the explosion of contactless payments during the pandemic accelerated the addition of new features.
“Many were introduced for the right reasons—to improve convenience or meet regional regulations—but not all were designed with a full understanding of how they interact. Our research shows that convenience sometimes comes at the cost of security.”
In some cases, the researchers were able to make a card appear to be a phone, tricking the system into approving transactions that should have required extra authentication. They also identified vulnerabilities that made fraudulent high-value Mastercard payments easier on certain offline terminals. These “free lunch” attacks, as the researchers call them, could allow fraudsters to walk away with expensive goods while merchants later discover the payment was declined.
The researchers reported their findings in 2024 to banks, payment processors, and card networks, many of which have since implemented EMV-compliant fixes. However, the study emphasizes that better coordination among financial institutions is still needed.
“Contactless systems have become incredibly complex,” said co-author Dr. Tom Chothia. “These problems aren’t the result of negligence but of complexity. The challenge now is ensuring all providers work together to close these gaps so that convenience doesn’t come at the expense of security.”