Security flaw allows bypassing PIN verification on Visa contactless payments

CyberPanther

Thread author
Oct 1, 2019
The vulnerability could allow criminals to rack up fraudulent charges on the cards without needing to know the PINs

A team of researchers from the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has found a security vulnerability in Visa’s EMV contactless protocol that could allow attackers to perform PIN bypass attacks and commit credit card fraud.

For context, there is typically a limit on the amount you can pay for goods or services using a contactless card. Once the limit is surpassed, the card terminal will request verification from the cardholder – typing in the PIN.

However, the new research, entitled ‘The EMV Standard: Break, Fix, Verify’, showed that a criminal who can get their hands on a credit card could exploit the flaw for fraudulent purchases without having to input the PIN even in cases where the amount exceeded the limit.

The academics demonstrated how the attack can be carried out using two Android phones, a contactless credit card, and a proof-of-concept Android application that they developed specifically for this purpose.

“The phone near the payment terminal is the attacker’s Card emulator device and the phone near the victim’s card is the attacker’s POS emulator device. The attacker’s devices communicate with each other over WiFi, and with the terminal and the card over NFC,” the researchers explained, adding that their app doesn’t need any special root privileges or Android hacks to work.
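The relay arrangement quoted above, as an added model that is not part of the original post, the article, or the ETH Zurich proof-of-concept app: a Python simulation of the two attacker devices sitting between a terminal and a card. It does not speak EMV. Plain dicts stand in for the APDUs, an HMAC stands in for the card's signature (with the terminal holding the same key, in place of a public-key check), and the flag names, the contactless limit and the key are assumptions made for the model. The model also assumes, as the shape of a PIN bypass of this kind requires, that the field steering the terminal's PIN decision is not covered by the card's signature; a switch shows what happens when it is.

```python
"""Constructed model of the two-phone relay described in the post.

Added illustration, not the ETH Zurich proof-of-concept app, and not EMV.
Messages are dicts standing in for APDUs; an HMAC stands in for the card's
signature. Flag names, PIN_LIMIT and CARD_KEY are assumptions for the model.
"""
import copy
import hashlib
import hmac
import json

PIN_LIMIT = 50                      # assumed contactless limit, currency units
CARD_KEY = b"constructed-demo-key"  # stands in for the card's signing key


def canonical(fields):
    """Stable byte encoding of the fields covered by the signature."""
    return json.dumps(fields, sort_keys=True).encode()


def sign(resp, authenticate_flags):
    """Sign a card response. Model knob: are cvm_flags inside the signed data?"""
    covered = {"pan": resp["pan"], "amount": resp["amount"]}
    if authenticate_flags:
        covered["cvm_flags"] = resp["cvm_flags"]
    return hmac.new(CARD_KEY, canonical(covered), hashlib.sha256).hexdigest()


class Card:
    """The victim's card, held near the attacker's POS emulator."""
    def __init__(self, pan, authenticate_flags):
        self.pan = pan
        self.authenticate_flags = authenticate_flags

    def respond(self, request):
        resp = {
            "pan": self.pan,
            "amount": request["amount"],
            # The card tells the terminal how the cardholder should be verified.
            "cvm_flags": {
                "online_pin_required": request["amount"] > PIN_LIMIT,
                "consumer_device_cvm_performed": False,
            },
        }
        resp["signature"] = sign(resp, self.authenticate_flags)
        return resp


class PosEmulator:
    """Attacker's phone next to the victim's card: relays the terminal's request."""
    def __init__(self, card):
        self.card = card

    def forward(self, request):
        return self.card.respond(request)       # NFC hop to the real card


class CardEmulator:
    """Attacker's phone at the terminal: relays over 'WiFi', optionally tampering."""
    def __init__(self, pos_emulator, tamper=None):
        self.pos = pos_emulator
        self.tamper = tamper

    def transact(self, request):
        resp = self.pos.forward(request)        # WiFi hop, modelled as a call
        return self.tamper(resp) if self.tamper else resp


def flip_cvm_flags(resp):
    """Tampering used in the model: tell the terminal no PIN is needed and that
    the cardholder was already verified on a consumer device."""
    tampered = copy.deepcopy(resp)
    tampered["cvm_flags"]["online_pin_required"] = False
    tampered["cvm_flags"]["consumer_device_cvm_performed"] = True
    return tampered                             # signature left untouched


class Terminal:
    def __init__(self, amount, authenticate_flags):
        self.amount = amount
        self.authenticate_flags = authenticate_flags

    def run(self, card_link):
        resp = card_link.transact({"amount": self.amount})
        expected = sign(resp, self.authenticate_flags)
        if not hmac.compare_digest(expected, resp["signature"]):
            return "DECLINED: card data failed authentication"
        flags = resp["cvm_flags"]
        if (self.amount > PIN_LIMIT and flags["online_pin_required"]
                and not flags["consumer_device_cvm_performed"]):
            return "PIN REQUIRED"
        return "APPROVED WITHOUT PIN"


def simulate(amount, tamper=None, authenticate_flags=False):
    """Run one relayed transaction and return the terminal's decision."""
    card = Card(pan="4000" + "0" * 12, authenticate_flags=authenticate_flags)
    link = CardEmulator(PosEmulator(card), tamper=tamper)
    return Terminal(amount, authenticate_flags).run(link)


if __name__ == "__main__":
    print("honest relay, over limit:  ", simulate(200))
    print("tampered flags, over limit:", simulate(200, flip_cvm_flags))
    print("tampered, flags signed:    ", simulate(200, flip_cvm_flags, True))
```

With the flags outside the signed data, an honest relay over the limit ends in "PIN REQUIRED" while the tampered one is approved without a PIN; once the same flags are covered by the signature, the tampered response fails authentication and is declined. The relay itself is transparent in both cases, which is why the model's defence sits in what the card signs rather than in detecting the extra hop.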
 

TairikuOkami

May 13, 2017
So the defense against this attack is not to lose a credit card, or to block it as soon as it gets stolen.
One more reason to pay by phone and leave cards at home. By the way, the limit is not such an issue now.