Wednesday, January 20, 07:12

Academics find fault with Visa contactless card

A group of academics from Switzerland have discovered a security flaw that can be used to bypass the PIN on Visa contactless cards and make large fraudulent transactions that go unnoticed at the point of sale.

In practice, this means that criminals who get hold of a stolen Visa contactless card can use it to pay for goods priced above the contactless limit without having to enter the card's PIN.

The attack is hard to detect: to a cashier it looks like a customer paying with a mobile or digital wallet installed on their smartphone.

In reality, the attacker is paying with data relayed from a stolen contactless Visa card hidden on their person.


How the attack works

According to the research team, a successful attack requires four components: two Android smartphones, a special Android application developed by the research team, and a contactless Visa card.

The application is installed on both smartphones: one acts as a card emulator and the other as a POS (point-of-sale) emulator.

The phone that mimics a POS device is held near the stolen card, while the phone that acts as a card emulator is used to pay for the goods at the real terminal.

The idea behind the attack is this: the POS emulator asks the card to start a payment, modifies the transaction data the card returns, and forwards the modified data over WiFi to the second phone, which then pays a large amount without a PIN ever being requested (the attacker has altered the transaction data so that the terminal no longer requires one).

"Our application does not require root privileges on Android and we have successfully used it on Pixel and Huawei devices," the researchers said.
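The relay described above, as an added example that is not the researchers' app and not code from this page. The published paper identifies the data object the relay rewrites as the Card Transaction Qualifiers (CTQ, EMV tag 9F6C): it clears "Online PIN Required" (byte 1, bit 8) and sets "Consumer Device CVM Performed" (byte 2, bit 8), so the terminal believes the cardholder was already verified on their phone. Everything else below is a constructed stand-in: the HMAC "signature" replaces the card's RSA Signed Dynamic Application Data (SDAD) and the terminal's public-key check of it, and the key, limit, amounts and unpredictable number are made up. The `verifies_ctq` path shows the fix the researchers proposed, binding the CTQ into the data the card signs so a relay cannot alter it unnoticed.

```python
"""Toy model of the relay: real terminal <-> attacker phones <-> stolen card.

Added example, not the researchers' app. The HMAC-based "SDAD" is a constructed
stand-in for the card's RSA signature; CARD_KEY, CONTACTLESS_LIMIT, the amounts
and the unpredictable number are all made up for the example.
"""
import hashlib
import hmac
from typing import Optional

CONTACTLESS_LIMIT = 50_00  # constructed: 50.00 in minor units; above it the terminal wants a CVM
CARD_KEY = b"constructed stand-in for the card's signing key"

CTQ_ONLINE_PIN_REQUIRED = 0x80  # CTQ byte 1, bit 8
CTQ_CDCVM_PERFORMED = 0x80      # CTQ byte 2, bit 8


def sdad(amount: int, un: bytes, ctq: Optional[bytes]) -> bytes:
    """Stand-in for the card's SDAD: a MAC over the transaction data.
    With ctq=None the CTQ stays outside the signed data (the vulnerable behaviour)."""
    data = un + amount.to_bytes(4, "big") + (ctq or b"")
    return hmac.new(CARD_KEY, data, hashlib.sha256).digest()


class Card:
    """A genuine card that demands online PIN for high-value contactless payments."""

    def __init__(self, signs_ctq: bool = False):
        self.signs_ctq = signs_ctq
        self.ctq = bytes([CTQ_ONLINE_PIN_REQUIRED, 0x00])

    def get_processing_options(self, amount: int, un: bytes) -> dict:
        return {"ctq": self.ctq,
                "sdad": sdad(amount, un, self.ctq if self.signs_ctq else None)}


class Relay:
    """The attacker's POS emulator + card emulator pair. It forwards the real
    card's answer but rewrites the CTQ so the terminal believes the cardholder
    was already verified on a consumer device and asks for no PIN."""

    def __init__(self, card: Card):
        self.card = card

    def get_processing_options(self, amount: int, un: bytes) -> dict:
        resp = dict(self.card.get_processing_options(amount, un))
        b1, b2 = resp["ctq"]
        resp["ctq"] = bytes([b1 & ~CTQ_ONLINE_PIN_REQUIRED & 0xFF,
                             b2 | CTQ_CDCVM_PERFORMED])
        return resp


class Terminal:
    """The merchant's terminal. With verifies_ctq=True it expects the CTQ to be
    covered by the card's signature, which is the fix the researchers proposed."""

    def __init__(self, verifies_ctq: bool = False):
        self.verifies_ctq = verifies_ctq

    def transact(self, card, amount: int) -> str:
        un = b"\x12\x34\x56\x78"  # constructed unpredictable number
        resp = card.get_processing_options(amount, un)
        expected = sdad(amount, un, resp["ctq"] if self.verifies_ctq else None)
        if not hmac.compare_digest(expected, resp["sdad"]):
            return "declined: SDAD invalid"
        if amount <= CONTACTLESS_LIMIT:
            return "approved: no CVM needed"
        b1, b2 = resp["ctq"]
        if b2 & CTQ_CDCVM_PERFORMED:
            return "approved: CDCVM"  # cardholder "verified on device": no PIN prompt
        if b1 & CTQ_ONLINE_PIN_REQUIRED:
            return "PIN required"
        return "declined: no acceptable CVM"


if __name__ == "__main__":
    stolen = Card()
    print(Terminal().transact(stolen, 200_00))         # PIN required
    print(Terminal().transact(Relay(stolen), 200_00))  # approved: CDCVM (the bypass)
    fixed = Card(signs_ctq=True)
    print(Terminal(verifies_ctq=True).transact(Relay(fixed), 200_00))  # declined: SDAD invalid
```

The point the model makes is that a terminal which only checks a signature over data the CTQ is not part of has no way to tell a relayed, edited CTQ from a genuine one; once the CTQ is under the signature, the same relay produces a signature mismatch and the transaction is declined.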

A second attack was discovered that also affects Mastercard

To find this flaw, the research team said it used a modified version of Tamarin, a symbolic protocol-verification tool that had previously been used to uncover subtle vulnerabilities in the TLS 1.3 protocol and in the 5G authentication protocol.

Besides the PIN bypass on contactless Visa cards, the same tool also uncovered a second security issue, this time affecting both Mastercard and Visa. The researchers explain:

"Our analysis reveals that, in an offline contactless transaction with a Visa or an old Mastercard card, the card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can). This allows criminals to trick the terminal into accepting an unauthentic offline transaction."

Unlike the first flaw, the research team said it did not test this second attack in real stores for ethical reasons, since doing so would have defrauded merchants.
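The second finding, as an added example that is not the researchers' code. The Application Cryptogram is modelled as an HMAC under a key shared only by the card and its issuer, which is the property that matters here: the terminal holds no key with which to check it. Real cards derive per-transaction session keys from an issuer master key; the key, floor limit, amounts, counter and the attacker's own key are all constructed for the example.

```python
"""Toy model of the second finding: in an offline transaction the terminal
accepts the Application Cryptogram (AC) without being able to verify it.

Added example, not the researchers' code. ISSUER_CARD_KEY, FLOOR_LIMIT, the
attacker key and all transaction values are constructed for the example.
"""
import hashlib
import hmac

ISSUER_CARD_KEY = b"constructed key shared only by card and issuer"
FLOOR_LIMIT = 30_00  # constructed: at or below this the terminal may approve offline


def application_cryptogram(key: bytes, amount: int, atc: int, un: bytes) -> bytes:
    """MAC over amount, application transaction counter and unpredictable number."""
    data = amount.to_bytes(4, "big") + atc.to_bytes(2, "big") + un
    return hmac.new(key, data, hashlib.sha256).digest()


class GenuineCard:
    def generate_ac(self, amount: int, atc: int, un: bytes) -> bytes:
        return application_cryptogram(ISSUER_CARD_KEY, amount, atc, un)


class ForgedCard:
    """Attacker's card emulator: it has no issuer key, so it returns a
    cryptogram under a key of its own choosing."""

    def generate_ac(self, amount: int, atc: int, un: bytes) -> bytes:
        return application_cryptogram(b"attacker-chosen key", amount, atc, un)


def issuer_verify(amount: int, atc: int, un: bytes, ac: bytes) -> bool:
    """Only the issuer holds the key, so only the issuer can check the AC."""
    expected = application_cryptogram(ISSUER_CARD_KEY, amount, atc, un)
    return hmac.compare_digest(expected, ac)


def terminal_transact(card, amount: int, online: bool) -> str:
    atc, un = 7, b"\xde\xad\xbe\xef"  # constructed
    ac = card.generate_ac(amount, atc, un)
    if online:
        # The AC travels to the issuer, who can actually verify it.
        return "approved online" if issuer_verify(amount, atc, un, ac) else "declined by issuer"
    # Offline path: the terminal has no key to verify `ac`, and the finding is
    # that the card does not otherwise authenticate it to the terminal either,
    # so a forged cryptogram is approved exactly like a genuine one.
    if amount <= FLOOR_LIMIT:
        return "approved offline (AC unverified)"
    return "must go online"


if __name__ == "__main__":
    print(terminal_transact(GenuineCard(), 20_00, online=False))  # approved offline (AC unverified)
    print(terminal_transact(ForgedCard(), 20_00, online=False))   # approved offline (AC unverified)
    print(terminal_transact(ForgedCard(), 20_00, online=True))    # declined by issuer
```

The forgery is only ever caught when the cryptogram reaches the issuer, which for an offline-approved transaction happens at clearing, after the goods have left the shop; that is why the merchant, not the cardholder, is the party defrauded.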


Teo Ehc