A team of researchers from the Swiss Federal Institute of Technology in Zurich (ETH Zurich) has found a security vulnerability in Visa’s EMV contactless protocol that could allow attackers to perform PIN bypass attacks and commit credit card fraud.
For context, there is typically a limit on the amount you can pay for goods or services with a contactless card. Once a purchase exceeds that limit, the terminal requests cardholder verification, normally by asking for the PIN.
However, the new research, entitled ‘The EMV Standard: Break, Fix, Verify’, showed that a criminal who has access to such a credit card could exploit the flaw for fraudulent purchases without having to input the PIN even in cases where the amount exceeded the limit.
The academics demonstrated how the attack can be carried out using two Android phones, a contactless credit card, and a proof-of-concept Android application that they developed specifically for this purpose.
“The phone near the payment terminal is the attacker’s Card emulator device and the phone near the victim’s card is the attacker’s POS emulator device. The attacker’s devices communicate with each other over WiFi, and with the terminal and the card over NFC,” the researchers explained, adding that their app doesn’t need any special root privileges or Android hacks to work.
“The attack consists in a modification of a card-sourced data object – the Card Transaction Qualifiers – before delivering it to the terminal,” reads the description of the attack, with the modification instructing the terminal that a PIN verification isn’t needed and that the cardholder was already verified by the consumer’s device.
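To make the mechanism concrete, here is an added example (not code from the article or from the ETH Zurich researchers) that models a simplified Visa contactless terminal deciding which cardholder verification to demand from the Card Transaction Qualifiers (CTQ, EMV tag 9F6C, two bytes), and an issuer-side consistency rule that would flag an over-limit authorization claiming consumer-device verification for a plain plastic card. Assumptions: the CTQ bit positions follow the EMV contactless Visa kernel (byte 1 bit 8 = online PIN required, bit 7 = signature required, byte 2 bit 8 = consumer device CVM performed); the card profile, the amounts and the field the issuer reads the terminal's CVM outcome from are constructed for illustration and are not the paper's proposed fix.

```python
def parse_ctq(ctq: bytes) -> dict:
    """Decode the three CTQ bits that drive cardholder verification."""
    if len(ctq) != 2:
        raise ValueError("CTQ must be exactly two bytes")
    b1, b2 = ctq
    return {
        "online_pin_required": bool(b1 & 0x80),  # byte 1, bit 8
        "signature_required": bool(b1 & 0x40),   # byte 1, bit 7
        "cdcvm_performed": bool(b2 & 0x80),      # byte 2, bit 8
    }


def terminal_cvm(amount_cents: int, cvm_limit_cents: int, ctq: bytes) -> str:
    """Simplified terminal rule: returns "NONE", "ONLINE_PIN" or "SIGNATURE".

    The CTQ arrives unauthenticated over the card interface, so a
    "consumer device CVM performed" claim is taken at face value; that
    is the gap the article describes.
    """
    if amount_cents <= cvm_limit_cents:
        return "NONE"
    q = parse_ctq(ctq)
    if q["cdcvm_performed"]:
        return "NONE"
    if q["online_pin_required"]:
        return "ONLINE_PIN"
    if q["signature_required"]:
        return "SIGNATURE"
    return "NONE"


def issuer_flags_cdcvm_claim(card_profile: dict, amount_cents: int,
                             cvm_limit_cents: int, reported_cvm: str) -> bool:
    """Assumed issuer-side rule: a plastic card has no consumer device,
    so an over-limit authorization that reports CDCVM for such a card is
    inconsistent and should be declined or sent for review."""
    return (amount_cents > cvm_limit_cents
            and reported_cvm == "CDCVM"
            and not card_profile["supports_cdcvm"])


# Constructed sample values: a 100.00 purchase against an 80.00 CVM limit.
AUTHENTIC_CTQ = bytes([0x80, 0x00])  # card asks for online PIN above the limit
MODIFIED_CTQ = bytes([0x00, 0x80])   # value claiming consumer-device CVM done
PLASTIC_CARD = {"pan_suffix": "0000", "supports_cdcvm": False}
```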
The researchers tested their PIN bypass attack on the Visa protocol, one of the six EMV contactless protocols (Mastercard, Visa, American Express, JCB, Discover, UnionPay); they theorized that it could apply to the Discover and UnionPay protocols as well, although those weren’t tested in practice. EMV, the international protocol standard for smartcard payment, is used in over 9 billion cards worldwide, and as of December 2019 it was used in more than 80% of all card-present transactions globally.
It’s worth mentioning that the researchers didn’t just test the attack in laboratory conditions but were able to successfully carry it out in actual stores, using Visa Credit, Visa Electron, and V Pay cards. To be sure, they used their own cards for the test.
The team also pointed out that it would be difficult for a cashier to notice that something was afoot since it has become a regular occurrence for customers to pay for goods with their smartphones.
The researchers also uncovered another vulnerability, which involves offline contactless transactions carried out by either a Visa or an old Mastercard card. During this attack, the cybercriminal modifies card-produced data called ‘Transaction Cryptogram’ before it is delivered to the terminal.
This data cannot be verified by the terminal, only by the card issuer, i.e. the bank. By the time that happens, the crook is long gone with the goods in hand. For ethical reasons, the team did not test this attack on real-life terminals.
The team notified Visa about its discoveries.