Security flaw allows bypassing PIN verification on Visa contactless payments

CyberPanther

Level 6
Thread author
Verified
Well-known
Oct 1, 2019
295
The vulnerability could allow criminals to rack up fraudulent charges on the cards without needing to know the PINs

A team of researchers from the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has found a security vulnerability in Visa’s EMV contactless protocol that could allow attackers to perform PIN bypass attacks and commit credit card fraud.

For context, there is typically a limit on the amount you can pay for goods or services using a contactless card. Once the limit is surpassed, the card terminal will request verification from the cardholder – typing in the PIN.

However, the new research, entitled ‘The EMV Standard: Break, Fix, Verify’, showed that a criminal who can get their hands on a credit card could exploit the flaw for fraudulent purchases without having to input the PIN even in cases where the amount exceeded the limit.

The academics demonstrated how the attack can be carried out using two Android phones, a contactless credit card, and a proof-of-concept Android application that they especially developed for this purpose.

“The phone near the payment terminal is the attacker’s Card emulator device and the phone near the victim’s card is the attacker’s POS emulator device. The attacker’s devices communicate with each other over WiFi, and with the terminal and the card over NFC,” the researchers explained, adding that their app doesn’t need any special root privileges or Android hacks to work.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
So the defense against this attack is to not to loose a credit card or to block it as soon as it gets stolen.
One more reason to pay by phone and leave cards at home. By the way, the limit is not such an issue now.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top