More is Less: Extra Features in Contactless Payments Break Security

  • Tom Chothia, University of Birmingham, UK; George Pavlides, University of Surrey

The EMV contactless payment system has many independent parties: payment providers, terminal companies, smartphone companies, banks and regulators. EMVCo publishes a 15-book specification that these companies use to operate together. However, many of these parties have independently added additional features, such as Square restricting offline readers to phone transactions only; Apple, Google and Samsung implementing transit modes; and Visa and Mastercard complying with regional regulations on high-value contactless payments. We investigate these features, and find that these parties have been independently retrofitting and overloading the core EMV specification. Subtle interactions and mismatches between the different companies' additions lead to a range of vulnerabilities, making it possible to bypass restrictions to smartphone-only payments, make unauthenticated high-value transactions offline, and use a cloned card to make a £25,000 transaction offline. To find fixes, we build formal models of the EMV protocol with the new features we investigated and test different possible solutions. We have engaged with EMV stakeholders and worked with the company Square to implement these fixes.

Speaker bios

Tom Chothia is a Professor of Cyber Security at the University of Birmingham, UK. His research involves the development of new mathematical analysis techniques and the application of these techniques to real-world cyber security problems, including work on formal modelling, state machine learning, firmware analysis and the security of the Windows kernel. His past work on the security of EMV, Apple Pay, banking apps, pacemakers and video game cheats has all received widespread media coverage.

George Pavlides holds an MSc in Cybersecurity and Artificial Intelligence from the University of Sheffield, where he also received the Amazon Award for Best Overall Performance in the MSc programme. His primary research interests include payment security, offensive AI and ethical hacking. George has been published at the top-tier USENIX Security Symposium and has earned bug bounties for responsibly disclosed vulnerabilities.