More is Less: Extra Features in Contactless Payments Break Security

Tom Chothia and George Pavlides discuss how proprietary, uncoordinated features built on top of the core EMV specification by companies like Apple, Google, Square, Visa, and Mastercard lead to significant security vulnerabilities. They detail how these "black box" additions create subtle interactions and mismatches, enabling attacks that bypass authentication, allow high-value fraudulent offline transactions, and leave merchants vulnerable to significant financial loss.