Visa contactless payment tricked

Eset_News


A security flaw makes it possible to bypass the PIN prompt for a contactless Visa payment. Researchers at ETH Zurich have discovered a vulnerability that allows criminals to pay with a Visa card without knowing its PIN.

A team of researchers from the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has found a security flaw in the contactless EMV protocol used by the card provider Visa that allows attackers to bypass the PIN prompt and commit card fraud.

Contactless payments are normally subject to an amount limit. As soon as a purchase exceeds it, the terminal asks the cardholder to confirm with a PIN. The new study, entitled "The EMV Standard: Break, Fix, Verify", shows that because of the flaw a criminal can make fraudulent purchases with a card without entering the PIN, even when the amount exceeds that limit.

Visa payment: Demonstration of the attack

The researchers demonstrated the feasibility of the attack with two Android phones, a contactless credit card and an Android app developed specifically for this purpose: "The phone near the payment terminal is the attacker's card emulator, and the phone near the victim's credit card is the attacker's POS emulator. The attacker's devices communicate with each other via Wi-Fi and with the terminal and the card via NFC," the researchers explained. The app requires no root permissions or other modifications to Android.

"The attack consists in changing a data object on a card, the 'Card Transaction Qualifiers', before it is transmitted to the terminal," says the research report. The modified flags tell the terminal that no PIN verification is required and that the cardholder has already been verified on the consumer's own device, the kind of verification a phone wallet performs. The terminal acts on these flags as received; it has no way to check that the card actually set them.

PIN bypass attack

The researchers tested their PIN bypass attack on Visa's protocol, one of the six contactless EMV protocols (Mastercard, Visa, American Express, JCB, Discover, UnionPay). They suspect that the attack could also work against the Discover and UnionPay protocols, although they did not verify this in practice. EMV, the international standard for smart card payments, is deployed on over 9 billion cards worldwide and, as of December 2019, was used in more than 80% of all card transactions worldwide.

It is also worth noting that the researchers did not only test the attack under laboratory conditions: they carried it out successfully in real shops with Visa Credit, Visa Electron and V-Pay cards. They used their own cards for these tests.

The attack is hard to notice

According to the researchers, it is difficult for cashiers to notice such an attack on a Visa payment, since customers paying with a smartphone is an everyday sight. The investigation also uncovered a second vulnerability. In contactless offline transactions with older Visa or Mastercard cards, the researchers could modify the data generated by the card, the so-called "Transaction Cryptogram", before it was transmitted to the terminal.

The terminal cannot verify this cryptogram; only the card issuer, i.e. the bank, can, and in an offline transaction it only gets to do so later, during clearing. By then the criminal has long since left with the goods. For ethical reasons, the research team did not test this attack on real card terminals.
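The following is an added example, not code from the ETH Zurich paper or from ESET. It models both attacks the article describes: the relay that rewrites the Card Transaction Qualifiers (CTQ, tag 9F6C) so the terminal skips the PIN, and the offline transaction in which a bogus cryptogram is accepted by the terminal and only rejected by the issuer at clearing. The CTQ bit positions ("Online PIN Required" in byte 1 bit 8, "Consumer Device CVM Performed" in byte 2 bit 8) follow Visa's published contactless specification; the CVM limit, the currency, the card/issuer key, HMAC-SHA256 as a stand-in for the card's EMV cryptogram, the cryptogram input (which in this model does not cover the CTQ) and the Wi-Fi relay reduced to plain function calls are constructed assumptions.

```python
"""Toy model of the CTQ rewrite and the offline cryptogram attack (added example).

Constructed assumptions: CVM_LIMIT, CURRENCY_EUR, the shared key, HMAC-SHA256
standing in for the card's cryptogram, and cryptogram_input() not covering the CTQ.
"""
import hashlib
import hmac

# Card Transaction Qualifiers (tag 9F6C): two bytes, bit 8 = most significant bit.
CTQ_ONLINE_PIN_REQUIRED = 0x8000  # byte 1, bit 8
CTQ_SIGNATURE_REQUIRED = 0x4000   # byte 1, bit 7
CTQ_CDCVM_PERFORMED = 0x0080      # byte 2, bit 8: cardholder verified on consumer device

CVM_LIMIT = 5000            # constructed: 50.00 in minor units; real limits vary by market
CURRENCY_EUR = b"\x09\x78"  # ISO 4217 numeric code 978


def decode_ctq(ctq):
    v = int.from_bytes(ctq, "big")
    return {
        "online_pin_required": bool(v & CTQ_ONLINE_PIN_REQUIRED),
        "signature_required": bool(v & CTQ_SIGNATURE_REQUIRED),
        "cdcvm_performed": bool(v & CTQ_CDCVM_PERFORMED),
    }


def rewrite_ctq_for_pin_bypass(ctq):
    """The MITM change: clear 'Online PIN required', set 'CDCVM performed'."""
    v = int.from_bytes(ctq, "big")
    v = (v & ~CTQ_ONLINE_PIN_REQUIRED) | CTQ_CDCVM_PERFORMED
    return (v & 0xFFFF).to_bytes(2, "big")


def cryptogram_input(amount, unpredictable_number, atc):
    # Model assumption: the cryptogram binds amount, currency, terminal UN and
    # ATC, but not the CTQ, so a rewritten CTQ survives the issuer's check.
    return amount.to_bytes(6, "big") + CURRENCY_EUR + unpredictable_number + atc


class Card:
    """Contactless card model. Only the card and its issuer hold mac_key."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.atc = 0

    def get_processing_options(self, amount, unpredictable_number):
        self.atc += 1
        atc = self.atc.to_bytes(2, "big")
        mac = hmac.new(self.mac_key, cryptogram_input(amount, unpredictable_number, atc), hashlib.sha256)
        return {
            "9F6C": CTQ_ONLINE_PIN_REQUIRED.to_bytes(2, "big"),  # card asks for online PIN above the limit
            "9F36": atc,
            "9F26": mac.digest()[:8],
        }


def relay(card, amount, unpredictable_number, tamper_cryptogram=False):
    """Attacker's POS emulator queries the victim's card; the card emulator
    presents the modified response to the real terminal (Wi-Fi hop elided)."""
    resp = dict(card.get_processing_options(amount, unpredictable_number))
    resp["9F6C"] = rewrite_ctq_for_pin_bypass(resp["9F6C"])
    if tamper_cryptogram:
        resp["9F26"] = bytes(8)  # bogus cryptogram; the terminal has no key to detect this
    return resp


def terminal_cvm(amount, ctq):
    """Terminal's cardholder-verification decision, trusting the CTQ as received."""
    flags = decode_ctq(ctq)
    if amount <= CVM_LIMIT:
        return "NO_CVM"
    if flags["cdcvm_performed"]:
        return "CDCVM"
    if flags["online_pin_required"]:
        return "ONLINE_PIN"
    if flags["signature_required"]:
        return "SIGNATURE"
    return "NO_CVM"


def issuer_verify(mac_key, resp, amount, unpredictable_number):
    expected = hmac.new(mac_key, cryptogram_input(amount, unpredictable_number, resp["9F36"]), hashlib.sha256)
    return hmac.compare_digest(expected.digest()[:8], resp["9F26"])


def terminal_process(resp, amount, unpredictable_number, online, issuer_key=None):
    """Returns (cvm, approved). Offline: the terminal approves on its own and the
    issuer sees the cryptogram only at clearing. Online: the issuer checks now."""
    cvm = terminal_cvm(amount, resp["9F6C"])
    if not online:
        return cvm, True
    return cvm, issuer_verify(issuer_key, resp, amount, unpredictable_number)


if __name__ == "__main__":
    key, un = b"constructed-issuer-key", bytes.fromhex("11223344")
    card = Card(key)
    honest = card.get_processing_options(20000, un)
    print("honest 200.00:", terminal_cvm(20000, honest["9F6C"]))  # ONLINE_PIN
    print("relayed 200.00:", terminal_process(relay(card, 20000, un), 20000, un, True, key))  # ('CDCVM', True)
    bogus = relay(card, 3000, un, tamper_cryptogram=True)
    print("offline 30.00:", terminal_process(bogus, 3000, un, False), "issuer at clearing:", issuer_verify(key, bogus, 3000, un))
```

The honest transaction above the limit ends in ONLINE_PIN; the relayed one with the rewritten CTQ ends in CDCVM and is still approved by the issuer, because nothing the issuer checks covers the CTQ in this model. The offline transaction with a replaced cryptogram is approved by the terminal and fails only when the issuer verifies it later, which is exactly the window the article describes.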

The team has, of course, reported its findings to Visa.

Find out more on the WeLiveSecurity blog at ESET.com

About ESET

ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.
