- Oct 1, 2019
The vulnerability could allow criminals to rack up fraudulent charges on the cards without needing to know the PINs
A team of researchers from the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has found a security vulnerability in Visa’s EMV contactless protocol that could allow attackers to perform PIN bypass attacks and commit credit card fraud.
For context, there is typically a limit on the amount you can pay for goods or services using a contactless card. Once the limit is surpassed, the card terminal will request verification from the cardholder – typing in the PIN.
However, the new research, entitled ‘The EMV Standard: Break, Fix, Verify’, showed that a criminal who can get their hands on a credit card could exploit the flaw for fraudulent purchases without having to input the PIN even in cases where the amount exceeded the limit.
The academics demonstrated how the attack can be carried out using two Android phones, a contactless credit card, and a proof-of-concept Android application that they especially developed for this purpose.
“The phone near the payment terminal is the attacker’s Card emulator device and the phone near the victim’s card is the attacker’s POS emulator device. The attacker’s devices communicate with each other over WiFi, and with the terminal and the card over NFC,” the researchers explained, adding that their app doesn’t need any special root privileges or Android hacks to work.