
EMV protocol is vulnerable to man-in-the-middle attacks.
All VISA credit cards are affected by this vulnerability. VISA has to issue an update for POS terminals. A bug in the communication protocols lets attackers mount a man-in-the-middle attack without entering the PIN code.
EMV is the protocol used by all the world’s major banks and financial institutions. Europay, Mastercard and Visa developed the standard, and it’s been around for more than 20 years. It stands to reason that EMV is one of the most scrutinized communication protocols.
The most important reason for the widespread adoption of the EMV protocol has to do with the “liability shift,” a procedure that ensures that as long as the customer approves the transaction with a PIN or signature, the financial institution is not liable.
The researchers used an application named Tamarin, developed explicitly to probe the security of communication protocols. They created a working model that covers all the roles in a regular EMV session: the bank, the card and the terminal.
Using this model, the researchers identified a critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification.
“We developed a proof-of-concept Android application that exploits this to bypass PIN verification by mounting a man-in-the-middle attack that instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer’s device.”
Criminals can use a stolen VISA card and pay for goods without access to the PIN, making the PIN completely worthless. A real-world scenario tested the Visa Credit, Visa Electron, and VPay cards, and it was successful. Of course, the attack used a virtual wallet instead of a card, as the terminal can’t distinguish between a real credit card and a smartphone.
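The following toy model is an added example, not code from the researchers or from the EMV specification. It shows what "neither authenticated nor cryptographically protected against modification" means for the terminal: a changed verification-method field goes unnoticed unless that field is part of the data the card authenticates. The field names, the demo key and the use of HMAC as a stand-in for a card signature the terminal can check are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for a card signature that the
# terminal is able to verify (assumption made for this toy model).
CARD_KEY = b"constructed-demo-key"


def _tag(covered: dict) -> str:
    """Authentication tag over exactly the fields passed in."""
    data = json.dumps(covered, sort_keys=True).encode()
    return hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()


def _covered_fields(amount: int, cvm: str, cover_cvm: bool) -> dict:
    covered = {"amount": amount}
    if cover_cvm:
        covered["cvm"] = cvm  # hardened: CVM is inside the authenticated data
    return covered


def card_respond(amount: int, cvm: str, cover_cvm: bool) -> dict:
    """Card's reply; `cvm` is the cardholder verification method it reports."""
    return {"amount": amount, "cvm": cvm,
            "tag": _tag(_covered_fields(amount, cvm, cover_cvm))}


def terminal_verify(msg: dict, cover_cvm: bool) -> bool:
    """Terminal recomputes the tag over the fields its policy says are covered."""
    expected = _tag(_covered_fields(msg["amount"], msg["cvm"], cover_cvm))
    return hmac.compare_digest(expected, msg["tag"])


def changed_in_transit(msg: dict, new_cvm: str) -> dict:
    """Model of a reply whose CVM field differs from what the card sent."""
    return {**msg, "cvm": new_cvm}


def demo() -> dict:
    results = {}
    for name, cover in (("cvm_unprotected", False), ("cvm_protected", True)):
        sent = card_respond(5000, "online_pin", cover)  # constructed sample values
        seen = changed_in_transit(sent, "verified_on_consumer_device")
        results[name] = {"original_accepted": terminal_verify(sent, cover),
                         "changed_accepted": terminal_verify(seen, cover)}
    return results
```

In the `cvm_unprotected` case the terminal accepts both the original and the changed reply, so it has no way to notice the difference; in the `cvm_protected` case only the original verifies.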
“The card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can),” say the researchers. “This enables criminals to trick the terminal into accepting an unauthentic offline transaction.”
The only good news delivered by the researchers is that the fix doesn’t require an update for the EMV standard, only updates for the terminal. Given that there are about 161 million POS terminals in the entire world, the updating process will be a long one.