A group of researchers from ETH Zurich (the Swiss Federal Institute of Technology in Zurich) has discovered a way to bypass PIN codes on Mastercard and Maestro contactless cards. Exploiting the vulnerability allows criminals to use stolen Mastercard and Maestro cards to pay for expensive goods without entering the PIN that contactless payments above the limit normally require.
To carry out the MitM (Man-in-the-Middle) attack, an attacker needs a stolen card, two Android smartphones, and a custom Android application that can tamper with the fields of the transaction. The application is installed on both smartphones, which act as emulators. One smartphone is placed next to the stolen card and acts as a PoS terminal emulator, tricking the card into initiating a transaction and sharing its data, while the second smartphone acts as a card emulator and is used by the fraudster to present the modified transaction data to a real PoS terminal inside the store.
From the point of view of the PoS terminal operator, the attack looks like the customer is paying with their mobile payment app, but in reality, the fraudster is sending modified transaction data from the stolen card.
The research team used this attack pattern last year when they found a way to bypass the PIN for Visa contactless payments. Experts have successfully tested the attack with Visa Credit, Visa Debit, Visa Electron and V Pay cards.
The ETH Zurich team then continued their research and focused on bypassing PINs on other types of cards that did not use Visa’s contactless payment protocol. As it turned out, a similar problem also affected contactless payments with Mastercard and Maestro cards.
In this case, the difference is that the attack does not rely on telling the PoS terminal that the PIN code was successfully verified. Instead, the researchers forced the PoS terminal to accept the incoming transaction as if it came from a Visa card rather than a Mastercard or Maestro card.
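The weakness the article describes is that the terminal processes a Mastercard or Maestro card under the Visa flow without noticing that the card's own account number belongs to a different network. The following is an added, illustrative defensive check written for this article, not code from ETH Zurich, Mastercard or Visa: a terminal- or acquirer-side consistency test between the EMV application identifier (AID) that was selected and the brand implied by the card's primary account number (PAN). The registered provider identifiers (RIDs) for Visa and Mastercard are public EMV values; the PAN ranges are a simplified subset of the public issuer-identification ranges and are an assumption for the example, as is the sample data.

```python
"""
Illustrative terminal-side brand consistency check (hypothetical example).

Flags a transaction in which the selected payment application says "Visa"
while the card's PAN falls in a Mastercard or Maestro range, the mismatch
that the attack described above produces at the terminal.
"""
from typing import Optional, Tuple

# Registered application provider identifiers: the first 5 bytes (10 hex
# characters) of an EMV AID. These are public EMVCo-registered values.
RID_TO_BRAND = {
    "A000000003": "Visa",
    "A000000004": "Mastercard",  # Mastercard and Maestro share this RID
}

# Maestro products use the Mastercard RID followed by product id 3060.
MAESTRO_AID_PREFIX = "A0000000043060"


def brand_from_aid(aid_hex: str) -> Optional[str]:
    """Map a selected AID (hex string) to the brand it claims."""
    aid = aid_hex.upper().replace(" ", "")
    if aid.startswith(MAESTRO_AID_PREFIX):
        return "Maestro"
    return RID_TO_BRAND.get(aid[:10])


def brand_from_pan(pan: str) -> Optional[str]:
    """Map a PAN to a brand using simplified public IIN ranges (assumption:
    real issuer tables are far more detailed than this)."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 4:
        return None
    if digits.startswith("4"):
        return "Visa"
    two = int(digits[:2])
    four = int(digits[:4])
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "Mastercard"
    if two == 50 or 56 <= two <= 69:
        return "Maestro"
    return None


def check_brand_consistency(aid_hex: str, pan: str) -> Tuple[bool, str]:
    """Return (consistent, reason). Mastercard and Maestro belong to the same
    network, so either brand is accepted against the other; a Visa AID with a
    Mastercard/Maestro PAN (or vice versa) is flagged."""
    aid_brand = brand_from_aid(aid_hex)
    pan_brand = brand_from_pan(pan)
    if aid_brand is None or pan_brand is None:
        return False, "unrecognised AID or PAN range"
    same_network = {aid_brand, pan_brand} <= {"Mastercard", "Maestro"}
    if aid_brand == pan_brand or same_network:
        return True, f"AID brand {aid_brand} matches PAN brand {pan_brand}"
    return False, f"AID claims {aid_brand} but PAN range indicates {pan_brand}"


if __name__ == "__main__":
    # Constructed sample transactions: (selected AID, PAN) pairs.
    samples = [
        ("A0000000031010", "4111 1111 1111 1111"),  # Visa AID, Visa test PAN
        ("A0000000041010", "5555 5555 5555 4444"),  # Mastercard AID and PAN
        ("A0000000031010", "5555 5555 5555 4444"),  # Visa AID, Mastercard PAN
    ]
    for aid, pan in samples:
        ok, reason = check_brand_consistency(aid, pan)
        print("ACCEPT" if ok else "FLAG  ", aid, pan[:4] + "...", reason)
```

The third sample is the shape of the transaction the researchers presented to the terminal: a Visa application identifier carrying a Mastercard account number. Whether such a check is applied at the terminal, the acquirer, or the issuer is a deployment choice; the example only shows the comparison itself.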
Researchers successfully tested the attack with Mastercard Credit and Maestro cards, executing transactions of up to 400 Swiss francs ($439) during the experiment.
Mastercard released fixes for the issue earlier this year, but Visa doesn’t seem to have fixed the vulnerability yet.