A group of academics from Switzerland has discovered a security bug that can be abused to bypass the PIN and make large fraudulent transactions with a Visa contactless card.
This means that if criminals obtain a stolen Visa contactless card, they can use it to pay for goods priced above the contactless limit without having to enter the card's PIN.
The attack is hard to detect: the academics said it could easily be mistaken for a customer paying with a mobile or digital wallet installed on their smartphone.
In reality, however, the attacker is paying with data relayed from a stolen contactless Visa card hidden on their person.
How the attack works
According to the research team, a successful attack requires four components: (1 and 2) two Android smartphones, (3) a special Android application developed by the research team, and (4) a contactless Visa card.
The Android application is installed on both smartphones, which act as a card emulator and a POS (Point-of-Sale) emulator respectively.
The phone that mimics a POS device is held near the stolen card, while the smartphone that acts as the card emulator is used to pay for the goods.
The whole idea behind the attack is this: the POS emulator asks the card to authorize a payment, modifies the transaction details, and then sends the modified data over WiFi to the second smartphone, which pays a large amount without having to provide the PIN (the attacker has modified the transaction data so that the PIN is no longer required).
A second attack was discovered that also affects Mastercard
To discover this bug, the research team said it used a modified version of a tool called Tamarin, which had previously been used to find complex vulnerabilities in the TLS 1.3 cryptographic protocol and in the 5G authentication protocol.
Besides the PIN bypass on contactless Visa cards, the same tool also uncovered a second security issue, this time affecting both Mastercard and Visa. The researchers explain:
"Our analysis reveals that, in an offline contactless transaction with a Visa or an old Mastercard card, the card does not validate the Application Cryptogram (AC) to the terminal. The AC is an encrypted receipt generated by the card for the transaction that the terminal cannot verify (only the card issuer can). This allows criminals to trick the terminal into accepting a non-genuine offline transaction."
Unlike the first bug, the research team said it did not test this second attack in real stores for ethical reasons, since doing so would have amounted to defrauding merchants.