OK, I just read this… Ten minutes later, I figured out how I could exploit this at scale. The method the researchers used was complex, but only because it was a demo.
The trick for wide-scale fraud involves making a device that to the back-end Visa processing system seems to be a transit turnstile, but to the user looks like (say) a gasoline pump at the gas station or maybe a vending machine that dispenses soda cans.
Details are not hard to work out.
My dad owned barber shops, and salesmen would come to him with proposals like "Can I place this soda machine or Xerox copy machine or whatever in your shop? You can have 20% off the top of gross sales." Many small-time shop owners went with it. My dad, no, he simply gave away free soda and coffee and use of the copy machine to customers, because he knew that every person taking the free stuff would also hand him $20+ for what he was really trying to sell.
But many people put these machines in their shops via small-time salesmen they don't know, and these machines could be rigged to steal from 0.1% of the customers. That means only 1 in 1,000 people who buy a soda can gets ripped off for $5,000 or whatever. Not enough to make it obvious or for the word to spread. The salesmen might not even know the machines are rigged, as they get them from an upstream supplier. The supplier, if he is smart, lets the machines run legally for months or years until, say, a few hundred of them are installed. Then one day he flips a switch, and 500 machines start stealing $5,000 a day until the operation is detected and shut down. But by that time, the thief has his $100,000,000 and is gone. The thief does not even have to invest money, as soda can sales fund the cost of the 500 machines.
Yes, this could be done at scale.