Although many people have already switched to paying with their mobile phones, a huge number still use classic credit cards, which have themselves moved on from the archaic magnetic stripe to the more convenient chip or ‘contactless payment’ system. But if you have a Visa card of this type, be careful: the contactless payment protocol of Visa bank cards contains a security flaw that allows criminals to make payments through this system without entering the PIN code, even for amounts above the established limit.
The Visa contactless security flaw
A team of researchers at the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has discovered a vulnerability in the EMV protocol for making Visa contactless payments that could allow attackers to carry out PIN bypass attacks and commit credit card fraud.
For context, there is usually a limit on the amount that can be paid with a contactless card. Once the limit is exceeded, the card terminal will request verification from the cardholder, who must enter a PIN.
However, the new research, entitled ‘The EMV Standard: Break, Fix, Verify’, shows that a criminal holding a credit card “could exploit the vulnerability to make fraudulent purchases without having to enter the PIN even in cases in which the amount exceeded the limit”.
Vulnerability in contactless
The team of cyber experts demonstrated how the attack can be carried out using two Android phones, a credit card that allows contactless payment, and a proof-of-concept application for Android that they developed especially for this purpose.
“The phone near the payment terminal is the attacker’s card emulator device, and the phone near the victim’s card is the attacker’s POS emulator device. The attacker’s devices communicate with each other via Wi-Fi, and with the terminal and the card via NFC”, the ETH Zurich researchers explain in a post on the ESET security blog.
The application does not need root privileges or any special Android hack to work, and the attack consists of “a modification of the CTQ (Card Transaction Qualifiers), which is a card data object, before delivering it to the terminal”. The modification tells the terminal that PIN verification is not required and that the cardholder has already been verified on the consumer’s device.
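As an added illustration (not code from the researchers or from this article), the sketch below decodes a CTQ value and flags the inconsistency the attack produces: a transaction above the limit whose CTQ claims on-device cardholder verification although the credential is a plastic card. The bit positions are those of the CTQ data object (tag 9F6C) in the EMV contactless specification and are not given in the article; `cvm_limit`, `is_plastic_card` and the sample values are assumptions made for the example.

```python
from dataclasses import dataclass

# CTQ (EMV tag 9F6C) is two bytes; "bit 8" is the most significant bit.
ONLINE_PIN_REQUIRED = 0x80  # byte 1, bit 8
SIGNATURE_REQUIRED = 0x40   # byte 1, bit 7
CDCVM_PERFORMED = 0x80      # byte 2, bit 8 (consumer device CVM performed)


@dataclass
class Ctq:
    online_pin_required: bool
    signature_required: bool
    cdcvm_performed: bool


def parse_ctq(hex_value):
    """Decode the cardholder-verification flags from a 2-byte CTQ."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 2:
        raise ValueError("CTQ must be exactly 2 bytes")
    return Ctq(
        online_pin_required=bool(raw[0] & ONLINE_PIN_REQUIRED),
        signature_required=bool(raw[0] & SIGNATURE_REQUIRED),
        cdcvm_performed=bool(raw[1] & CDCVM_PERFORMED),
    )


def review_transaction(ctq_hex, amount, cvm_limit, is_plastic_card):
    """Return findings for a contactless transaction (hypothetical policy).

    is_plastic_card is assumed to come from issuer records, not from the
    card data itself.
    """
    ctq = parse_ctq(ctq_hex)
    findings = []
    if amount <= cvm_limit:
        return findings  # below the limit no cardholder verification is expected
    # A plastic card has no consumer device on which a CVM could be performed.
    if ctq.cdcvm_performed and is_plastic_card:
        findings.append("cdcvm-claimed-by-plastic-card")
    # Above the limit, some verification method should be requested or claimed.
    if not (ctq.online_pin_required or ctq.signature_required
            or ctq.cdcvm_performed):
        findings.append("no-cvm-above-limit")
    return findings


if __name__ == "__main__":
    # Constructed samples: (CTQ hex, amount, limit, plastic card?)
    for sample in [("8000", 200, 80, True), ("0080", 200, 80, True),
                   ("0080", 200, 80, False), ("0000", 200, 80, True)]:
        print(sample, review_transaction(*sample))
```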
The researchers tested their PIN bypass attack on one of six EMV protocols for contactless payment; each protocol corresponds to a different brand, such as Mastercard, Visa, American Express, JCB, Discover and UnionPay. In this case, the PIN bypass test was performed on the Visa protocol, although it could also apply to the Discover and UnionPay protocols, which were not used in the test.