FlyerTalk Forums - View Single Post - USA contactless credit/debit/transit (2017 - 2021)
Old Aug 28, 2020 | 3:58 am
  #8692  
tmiw
BTW, not that this would particularly matter for most Americans, but: Academics bypass PINs for Visa contactless payments

At the technical level, the researchers said the attack is possible because of what they describe as design flaws in the EMV standard and in Visa's contactless protocol. These issues allow an attacker to alter data involved in a contactless transaction, including the fields that control transaction details and if the card owner has been verified.

"The cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification," researchers said.

"The attack consists in a modification of a card-sourced data object –the Card Transaction Qualifiers– before delivering it to the terminal," they added.

"The modification instructs the terminal that: (1) PIN verification is not required, and (2) the cardholder was verified on the consumer's device (e.g., a smartphone)."
I would think banks would see CDCVM happening on a non-tokenized PAN and instantly decline, but I guess not. It might not even be realistically possible to do that if biometric cards become more common (depending on how they're implemented).