Security researchers report a new Authentication Flaw in Visa Card Contactless Payments
A security flaw has been found in Visa payment cards that allows attackers to perform a new kind of attack categorized as a PIN bypass. It lets them manipulate payment terminals into accepting card transactions from unauthentic cards.
A team of researchers from the Swiss Federal Institute of Technology in Zurich (ETH Zurich) was the first to detect this security vulnerability that could allow attackers to perform PIN bypass attacks and commit credit card fraud.
Typically, there is a limit on the amount you can pay for goods and services using a contactless card. When that limit is exceeded, the card terminal requests verification from the cardholder by asking for the PIN. However, the analysts showed that criminals who gain access to such a credit card can exploit the flaw and make purchases without the PIN even when the amount exceeds the limit.
For the attack to happen, the crooks need the payment card details. They can obtain these by stealing the card or by acquiring it through various other means. The alternative is to use the popular NFC skimming option to scan nearby cards and copy their details.
To demonstrate how the attack could be carried out, the researchers created a proof-of-concept application. It modifies the behavior of payment terminals by altering the card’s responses before they are delivered to the device.
Once the attack is in place, the crooks can complete purchases using the victim’s card and get past the PIN-less limit by modifying a value called the Card Transaction Qualifiers. They abuse the connection using the remote protocol to make payment terminals skip PIN verification and trust that the cardholder’s identity has already been verified.
The researchers tested the PIN bypass attack on one of the six EMV contactless protocols. However, they theorized that it could apply to the Discover and UnionPay protocols as well.
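From the defender's side, the PIN bypass described above leaves an inconsistency an issuer can look for: a payment above the limit with no PIN, where verification is claimed to have happened on the card side. The sketch below is an added example, not code from the researchers or from Visa; the record fields, the issuance table and the limit are hypothetical, and it assumes the issuer's authorization data shows what the terminal believed about cardholder verification.

```python
from dataclasses import dataclass

@dataclass
class AuthRequest:              # hypothetical issuer-side record, not a real message format
    card_id: str
    amount_minor: int           # amount in minor units, e.g. cents
    online_pin_present: bool    # terminal sent a PIN for the issuer to check
    device_cvm_claimed: bool    # terminal was told verification happened on the payer's device

# Assumption: the issuer knows from its own issuance records which credentials
# are plastic cards and which live on a phone or watch.
ISSUED_AS = {"card-A": "plastic", "card-B": "device"}   # constructed sample data
CVM_LIMIT_MINOR = 5000                                  # constructed contactless limit

def review(req, issued_as=ISSUED_AS, limit=CVM_LIMIT_MINOR):
    """Return a list of findings; an empty list means the request is consistent."""
    findings = []
    form = issued_as.get(req.card_id, "unknown")
    # Assumption: plastic cards from this issuer cannot verify their holder,
    # so an on-device verification claim from one is never genuine.
    if req.device_cvm_claimed and form != "device":
        findings.append("device verification claimed by non-device credential")
    # Above the limit, some verification the issuer can trust must be present.
    trusted_device_cvm = req.device_cvm_claimed and form == "device"
    if req.amount_minor > limit and not (req.online_pin_present or trusted_device_cvm):
        findings.append("above limit without trusted cardholder verification")
    return findings

def decide(req):
    return "decline" if review(req) else "approve"

# Constructed sample requests: a small purchase, a bypass-shaped purchase,
# a PIN-verified purchase, and a genuine phone payment.
SAMPLES = [
    AuthRequest("card-A", 2000, False, False),
    AuthRequest("card-A", 20000, False, True),
    AuthRequest("card-A", 20000, True, False),
    AuthRequest("card-B", 20000, False, True),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.card_id, r.amount_minor, decide(r), review(r))
```
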
The researchers also uncovered another vulnerability affecting offline contactless transactions carried out with Visa or old Mastercard cards. In this attack, crooks modify card-produced data called the Transaction Cryptogram before it is delivered to the terminal. Since in this case the data are verified by the card issuer, i.e., the bank, rather than by the terminal, the crook is long gone with the goods in hand.