Wednesday, October 29, 2025

 

Exposing security loopholes in modern contactless payments




University of Surrey





Convenience features built into contactless payment systems are quietly undermining their security, as a study led by the University of Surrey, in collaboration with the University of Birmingham, exposes hidden weaknesses that allowed researchers to perform unauthorised high-value transactions with some of the most modern contactless payment devices.  

The research, published at the 34th USENIX Security Symposium and presented at DEFCON 2025, details how the growing complexity of EMV contactless payments, used in 90% of in-store transactions worldwide, has opened up new loopholes that fraudsters could exploit. Among these, the researchers revealed serious flaws in certain types of contactless EMV payments, showing new ways to bypass safeguards and enable fraudulent high-value transactions. EMV is the global standard behind all types of Visa, Mastercard and Europay debit and credit cards, which are now also integrated into mobile wallets such as Apple Pay, Google Pay and Samsung Pay, as well as watches and other wearables. In one case, a payment terminal was made to accept a fraudulent £25,000 payment.

Over the last decade, payment providers, card networks, terminal manufacturers and mobile platforms have independently added features on top of the EMV standard. These include restricting card readers that are offline (i.e., not connected to the Internet or plugged into the payment network) to transacting only with mobile devices; transit or transport modes that let commuters move quickly through barriers without unlocking their phones; and region-specific rules on how a PIN is input for high-value transactions.

These new features are designed to improve convenience, meet local regulations set by Payment Services, or support proprietary features from Google, Apple, or vendors of payment PoS (point of sale). However, the study found that these features, alone or, often, in interaction with one another, can introduce insecurities and, in turn, make fraudulent payments possible. In practice, researchers were able to demonstrate ways to trick terminals into accepting a plastic card when only a phone should have been allowed, or to process payments above the £100 contactless limit without PIN or biometric checks.

Ioana Boureanu, Professor of Secure Systems, Director of the Surrey Centre for Cyber Security and co-author of the paper, said: 

“Contactless payments have become standard practice for millions of us, seemingly exploding in popularity overnight during the pandemic. Since then, we’ve seen a patchwork of new features added by different payment providers, often for the right reasons, but not always with consideration for how they interact. Our research shows that this rush to add new features to improve the shopping experience or to support new use cases has sometimes come at the cost of security. Regarding our findings, the industry has already made promising fixes but there is still a need for better coordination between providers to ensure convenience doesn’t create new opportunities for fraud.”

The study is the first of its kind to reveal critical weaknesses specifically in offline PoS widely used in shops, restaurants and taxis for their convenience. Researchers found that, for some readers, both proprietary restrictions and regulatory safeguards could be bypassed, opening the door to fraudulent transactions. In one striking example, they demonstrated that offline PoS make fraudulent high-value Mastercard payments much easier than expected. 

Some of the attacks highlighted a concerning possibility: so-called “free lunch” attacks, where fraudsters could walk away with high-value goods while merchants are left footing the bill when payments are later declined. 

The research team reported their findings to several parties in 2024 and helped develop EMV-compliant fixes for some of the most serious vulnerabilities.  

Tom Chothia, Professor of Cyber Security at the University of Birmingham and co-author, said: 

“The issues we found are not about companies getting it wrong, but about how a system as complex as EMV can develop hidden cracks when new features are added independently. Working together, we can close those gaps and make contactless payments safer for everyone.” 

In the rapidly expanding world of contactless payments, and with modern mobile PoS introducing new operating models, the findings underscore the urgent need to scrutinise add-on payment features, raising concerns about hidden risks in systems millions depend on every day.

[ENDS] 

Notes to editors 

  • The full paper can be found here (More is Less: Extra Features in Contactless Payments Break Security). Authors: George Pavlides (Surrey Centre for Cyber Security, University of Surrey); Anna Clee (University of Birmingham); Ioana Boureanu (Surrey Centre for Cyber Security, University of Surrey); Tom Chothia (University of Birmingham)

New research uncovers how bad bacteria know where to cluster and cause infection




California NanoSystems Institute


Researchers used paths of artificial sugar to study how bacteria sense their environment while forming communities. Red and green show two different chemical signals inside the bacteria.


Credit: Wong Lab/UCLA





The bacterium known as Pseudomonas aeruginosa is an unwelcome visitor in the human body. Serious infections can result when a bunch of these bugs settle together on a surface to form a biofilm — a community of microbes like the slime on spoiled food, but in this case residing inside a person. The grouped-up bacteria attack the lungs of patients with cystic fibrosis and conditions that require the use of ventilators, such as severe COVID-19. Worse still, the World Health Organization lists Pseudomonas among the antibiotic-resistant bacteria presenting the biggest threat to human health.

Now, however, new findings from researchers led by the California NanoSystems Institute at UCLA (CNSI) reveal just how Pseudomonas go from exploring a surface to committing to it and building a community — a key finding that can help pave the way to understanding how to tackle these types of infections.

The new study revealed how Pseudomonas detects and binds to specific sugars left behind by others from its species that arrived earlier. The cell senses these sugar trails using proteins on its body, and then identifies the sugars using hairlike appendages called pili. These pili are normally used to crawl along a surface, but in this case double as mechanical sensors that test the strength of the sugar bonds. All of this information is translated into chemical signals inside the cell that guide the operation of other bacterial machinery, such as the controlled secretion of more sugars to make biofilms. 

Reported in the journal Nature Microbiology, the results may inform applications in human health and industry. For Pseudomonas, the findings could lead to better approaches for undermining the dangerous bugs’ ability to resist drug treatments.

“We can envision building on these results to influence the bacteria’s behavior,” said co-first author William Schmidt, a UCLA doctoral student in bioengineering. “We might be able to turn the cells into more antibiotic-susceptible versions of themselves that are easier to treat.”

Answers for an enigma of microbiology

Sugar trails secreted by bacteria guide the organization of biofilms. Until now, the mechanisms behind how cells detect sugars secreted by one another on a surface have been unclear. What’s more, the cell-membrane proteins that bind to specific sugars lack the necessary structures to allow any signaling, which has been a long-standing puzzle. 

The twist revealed by the study is the role of mechanical sensing by pili as the mediator of this signaling.

“This form of signal generation is new to the field,” said CNSI member Gerard Wong, a corresponding author of the study and a professor of bioengineering in the UCLA Samueli School of Engineering. “People have thought of pili mostly as appendages for moving around. It turns out they also act as sensors that translate force into chemical signals within bacteria, which they use to identify sugars. We’re seeing how sensory information is encoded in bacteria by their appendages for the first time.” 

The sugars released by bacteria serve as both trails for others to follow and building materials for their communities. At later stages of biofilm development, those bacterial sugars help fix the crowd of bugs in place and form the surrounding matrix of the biofilm that protects from challenges that could dislodge it.

 

Wong Lab/UCLA

Pseudomonas visits to sugar trails, L to R: regular cells with their own sugars; regular cells with artificial and natural trails; cells engineered so they can’t make sugars with artificial trails.

To query this system, the researchers fabricated a surface patterned with premade trails of a synthetic sugar, mimicking the bacteria’s naturally produced sugars and especially attractive to Pseudomonas. Using genetic engineering and advanced cell-tracking techniques, the team uncovered the coordinated system combining chemical and mechanical sensing.

What the findings may mean for human health and society

Pseudomonas are much less susceptible to antibiotics when the bacteria are cemented into a biofilm community. They’re far more vulnerable while they are in their free-swimming form. Research following up on the CNSI-led study has the potential to yield solutions for Pseudomonas infections in cystic fibrosis patients and others.

“There’s the possibility of turning back the clock on biofilm formation,” said co-first author Calvin Lee, a UCLA postdoctoral researcher. “Even if you already have a biofilm, you may be able to make the bacteria take it apart by themselves.”

The study may also inform solutions to other problems created by bacterial communities. Biofilms foul up pipes and filters as well as reactors used for chemical reactions in industry. They’re also the first phase in the accumulations of flora and fauna encrusting ships at sea.

“We can ask, ‘Is it possible to make a surface invisible to bacteria?’” said Wong, who is also a professor of chemistry and biochemistry and of microbiology, immunology and molecular genetics at UCLA. “If you get a surface to mimic empty space enough, as far as the bacteria perceive things, it may be possible to solve this multibillion-dollar problem of biofouling.”

The researchers are looking into the wider repertoire of sugars sensed by surface proteins in Pseudomonas, as well as how differently shaped surfaces affect the bacteria’s travels. The scientists also intend to investigate connections between these findings and previous results indicating that cellular signaling persists across generations of bacteria in biofilms.

George O’Toole of Dartmouth College and Matthew Parsek of the University of Washington are co-corresponding authors of the study. Other co-authors are Jonathan Chen, Kirsten Fetah, James Popoli, Yun Su Choi, Thomas Young, and CNSI members Paul S. Weiss and Andrea Kasko, all of UCLA; and Xuhui Zheng of the University of Washington.

The study received funding from the Army Research Office, the National Science Foundation, the National Institutes of Health, the Cystic Fibrosis Foundation and the Life Sciences Research Foundation. The patterned surfaces used in the study were fabricated at the UCLA NanoLab.

 

Seismology meets botany: Utah geologist applies vibration science to saguaros



Research uses earthquake-monitoring tools to measure how towering cacti resonate in response to wind and ground motion without harm to the plants




University of Utah


Saguaro cacti abound in Tucson Mountain Park in Pima County, Arizona. 


Credit: Jeff Moore, University of Utah





Towering structures must be able to bend and sway when subjected to the forces of wind and ground movement, or they will topple, whether it’s a building, a geological formation, a tree—or even a cactus.

Especially if that cactus is a lofty saguaro, or Carnegiea gigantea, those iconic denizens of the American Southwest.

Jeff Moore, a University of Utah geologist specializing in geohazard assessment, grew up in the heart of saguaro country in Arizona. In his most recent research, he repurposed his geophysical toolbox for studying rock formations to analyze the structural properties of saguaro and how they respond to vibrations in their environment.

This detour into botany applied vibration analysis Moore developed for southern Utah’s natural arches, bridges and towers in completely new ways that could help scientists better understand large, water-storing plants without harming them.

“Saguaros have always been in my life,” Moore said. “These cacti have really strong cultural value and that helps motivate a scientific study.” Saguaro are keystone species of the Sonoran Desert. They grow to up to 70 feet tall and hundreds of years old. “There's an ingrained culture of respect for these great cacti.”

His study published last week in the American Journal of Botany introduces a new, noninvasive way to measure how living saguaro respond to transient disturbances, such as wind and ground movements, without defacing these beautiful giants. He put the techniques to work on 11 cacti of varying heights in the Tucson Mountains outside his eponymous hometown.

By analyzing these “ambient vibrations,” Moore was able to determine each cactus’s natural resonance frequencies, or the specific rates at which they sway, and how their flexibility and stiffness change with height, time of day and water content.

Saguaro’s range extends from central Arizona to the Mexican state of Sonora. They grow slowly, with branches appearing after around 60 to 75 years. Their pleated trunks are covered in a thick, pliable skin armored with 2-inch spines.

 

“Saguaros are unique in that their morphology allows them to expand, to take up great quantities of water when it's available during monsoons and withstand periods of drought,” Moore said. In time-lapse video, their stems can be seen swelling as they draw water, which would presumably alter their resonance frequencies.

Moore was visiting family in Arizona when it dawned on him he should apply his vibration-measuring methods to characterize the mechanical properties of the towering cacti. Tucson Mountain Park gave him permission to conduct research at Pima County’s 20,000-acre preserve adjacent to Saguaro National Park. He spent a day rigging a light-weight seismometer to 10 cacti, selecting a representative sample in terms of height. All were single-column saguaro, known as “spears.”

“It was really important to be able to compare them, these so-called spears as they're called when they don't have arms. The smallest was about two feet tall, and the tallest was nearly 25 feet.” The seismometer was gently hung from each stem using a strap at about chest height.

He recorded just 15 minutes of seismic data on each cactus, which showed their resonance frequencies ranged from 0.55 to 3.7 Hz, with damping ratios between 1 and 2%. (Hertz, or Hz, is a standard unit of frequency, defined as the number of times an object completes an oscillation each second. The damping ratio indicates how quickly oscillations taper off following a disturbance.)

The study found each saguaro’s resonance and stiffness varied widely across the height of its column. Generally, they were stiffer near the bottom and more flexible at the top.

“Saguaros vibrate much like a cantilever, but with some interesting differences,” Moore wrote on Bluesky. “Stiffness varies between cacti (taller stems are stiffer), and for a single stem (taller stems have softer tops).”

Rather than water content driving short-term changes in vibration, as Moore had expected, the study identified daily cycles in resonance frequency, likely due to softening of cactus tissue as the day heated up and hardening as it cooled.

The study documented several modes of vibration, painting a complicated picture that reflects each cactus’s internal architecture, supported by wooden ribs that are stronger in the stem’s lower reaches.

“These cacti are vibrating every second of every day. When the wind picks up, they vibrate stronger, when the wind dies down, they vibrate less, but they are constantly in motion,” Moore said. “Each saguaro is unique and moving at a combination of all its natural modes. It's swaying, but the pattern is more complex the closer you look.”

Previously, people would have to cut up a cactus to gain such insights into the plant’s flexibility.

“They would cut segments out and then bend them with weights to measure the flexural stiffness”—a measurement of a structure’s deformability, Moore said. “You destroy the cactus this way, and you can't necessarily do that to pieces of a giant cactus's lower stem. It's too big and too stiff. The new approach is non-destructive, requires a short amount of data, and it provides that same information.”

In other words, his noninvasive vibration technique provides a new framework for understanding the biomechanics and ecological resilience of desert plants. It could help scientists predict how saguaros and other large plants withstand strong winds and monitor their structural health.

 

saguaro modes of resonance [VIDEO]


A saguaro in the Tucson Mountains was fitted with a seismometer to record its movements.

Credit: Jeff Moore, University of Utah

The study, “In situ ambient vibration modal analysis of saguaro cacti (Carnegiea gigantea),” appeared Oct. 21 in the American Journal of Botany. This research was supported by a grant from the National Science Foundation.