The vulnerability could
allow criminals to rack up fraudulent charges on the cards without needing to
know the PINs
A team of researchers from
the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has found a
security vulnerability in Visa’s EMV contactless protocol that could allow
attackers to perform PIN bypass attacks and commit credit card fraud.
For context, there is
typically a limit on the amount you can pay for goods or services using a
contactless card. Once the limit is surpassed, the card terminal will request
verification from the cardholder – typing in the PIN.
However, the new research,
entitled ‘The EMV Standard: Break, Fix, Verify’, showed that a criminal who has access to such a credit card could
exploit the flaw for fraudulent purchases without having to input the PIN even
in cases where the amount exceeded the limit.
The academics demonstrated
how the attack can be carried out using two Android phones, a contactless
credit card, and a proof-of-concept Android application that they developed
specifically for this purpose.
“The phone near the payment
terminal is the attacker’s Card emulator device and the phone near the victim’s
card is the attacker’s POS emulator device. The attacker’s devices communicate
with each other over WiFi, and with the terminal and the card over NFC,” the
researchers explained, adding that their app doesn’t need any special root
privileges or Android hacks to work.
“The attack consists in a
modification of a card-sourced data object –the Card Transaction
Qualifiers– before delivering it to the terminal,” reads the description of
the attack, with the modification instructing the terminal that a PIN
verification isn’t needed and that the cardholder was already verified by the
consumer’s device.
The researchers tested their
PIN bypass attack on one of the six EMV contactless protocols (Mastercard,
Visa, American Express, JCB, Discover, UnionPay); however, they theorized that
it could apply to the Discover and UnionPay protocols as well, although those
weren’t tested in practice. EMV, the international protocol standard for
smartcard payment, is used in over 9 billion cards worldwide and as of December
2019 it was used in more than 80% of all card-present transactions globally.
It’s worth mentioning that
the researchers didn’t just test the attack in laboratory conditions but were
able to successfully carry it out in actual stores, using Visa Credit, Visa
Electron, and V Pay cards. To be sure, they used their own cards for the test.
The team also pointed out
that it would be difficult for a cashier to notice that
something was afoot since
it has become a regular occurrence for customers to pay for goods with their
smartphones.
The researchers also
uncovered another vulnerability, which involves offline contactless transactions
carried out by either a Visa or an old Mastercard card. During this attack, the
cybercriminal modifies card-produced data called ‘Transaction Cryptogram’
before it is delivered to the terminal.
However, this data cannot
be verified by the terminal, but only by the card issuer, i.e. the bank. So, by
the time that happens, the crook is long in the wind with the goods in hand.
Due to ethical reasons, the team did not test this attack on real-life
terminals.
The team notified Visa
about its discoveries.