A team of scientists has discovered a way to bypass PIN codes on contactless cards from Mastercard and Maestro. This could have caused havoc, letting cybercriminals use stolen cards to pay for expensive products.

Attack Structure

This attack is extremely stealthy and could be easily deployed in a real-world scenario if new bugs in contactless payment protocols are discovered. It requires an attacker to interpose itself between the stolen card and a PoS terminal, which is normally called a Man-in-the-Middle (MitM) attack vector.

To achieve this, an attacker would require:

  • a stolen card
  • two Android smartphones
  • a custom-made Android app

The app is installed on both smartphones, which will act as emulators. One smartphone is placed near the stolen card and acts as a PoS emulator, tricking the card into initiating a transaction and sharing its details. The second smartphone acts as a card emulator and is used by a crook to feed modified transaction details to a real-life PoS terminal inside a store. To the vendor, it looks as if the customer is making a normal payment.

The initial Visa PIN bypass (2020)

A September 2020 research paper titled “The EMV Standard: Break, Fix, Verify” described an attack that allowed researchers to intercept Visa contactless payment details and then modify the transaction details to tell a real-life PoS terminal that the PIN and the card owner’s identity had already been verified and confirmed on the device, so the PoS didn’t need to perform these checks.

Researchers said they successfully tested it with Visa Credit, Visa Debit, Visa Electron, and V Pay cards in the real world to complete transactions of 200 Swiss francs, above the PIN requirement limit for Swiss banks.

Mastercard and Maestro PIN bypass (2021)

The research team said they identified a similar issue with contactless payments from Mastercard and Maestro cards. The difference in this attack is that instead of telling the PoS terminal that the PIN had already been verified, the researchers trick the PoS terminal into thinking that the incoming transaction comes from a Visa card instead of Mastercard/Maestro by replacing the card’s legitimate Application Identifier (AID) with Visa’s AID: A0000000031010.

This activates the PoS terminal’s Visa-specific kernel, which then proceeds to contact the issuing bank to verify the card. At this point, the attacker performs the older Visa attack from last year and pays for a product without providing a PIN.
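
As an added example (not from the article or the researchers' work), the following check shows one way a defender on the acquirer or issuer side could detect the brand mix-up described above: compare the scheme implied by the AID the terminal reports with the scheme implied by the card number. The record fields (id, aid, pan), the prefix lists and the sample records are assumptions made for illustration.

```python
# Added example (not from the article or the researchers): flag transactions
# where the scheme implied by the AID disagrees with the scheme implied by the PAN.
RID_BRAND = {                    # RID = first 5 bytes (10 hex chars) of an AID
    "A000000003": "visa",        # Visa AID A0000000031010 is quoted in the article
    "A000000004": "mastercard",  # Mastercard and Maestro AIDs share this RID
}
# Simplified, assumed prefix list; a real system would use its own BIN table.
MAESTRO_PREFIXES = ("5018", "5020", "5038", "5893", "6304",
                    "6759", "6761", "6762", "6763")

def aid_brand(aid: str) -> str:
    """Map an AID (hex string) to a scheme via its RID."""
    return RID_BRAND.get(aid.strip().upper()[:10], "unknown")

def pan_brand(pan: str) -> str:
    """Classify a card number by its leading digits."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return "unknown"
    if digits[0] == "4":
        return "visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    if digits.startswith(MAESTRO_PREFIXES):
        return "mastercard"      # Maestro belongs to the Mastercard scheme family
    return "unknown"

def check(txn: dict) -> str:
    """Return 'ok', 'mismatch' or 'unknown' for one transaction record."""
    a, p = aid_brand(txn["aid"]), pan_brand(txn["pan"])
    if "unknown" in (a, p):
        return "unknown"         # route to review rather than silently passing
    return "ok" if a == p else "mismatch"

def flag(transactions) -> list:
    """IDs of transactions whose AID scheme and PAN scheme disagree."""
    return [t["id"] for t in transactions if check(t) == "mismatch"]

# Constructed sample records; the PANs are public test numbers or made up.
SAMPLE = [
    {"id": "t1", "aid": "A0000000031010", "pan": "4111111111111111"},
    {"id": "t2", "aid": "A0000000041010", "pan": "5555555555554444"},
    {"id": "t3", "aid": "A0000000031010", "pan": "5555555555554444"},
    {"id": "t4", "aid": "a0000000031010", "pan": "6759 0000 0000 0000"},
    {"id": "t5", "aid": "A0000000031010", "pan": "not-a-pan"},
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t["id"], check(t))
```
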

The researchers said they successfully tested this attack with Mastercard Credit and Maestro cards, performing transactions of up to 400 Swiss francs during their research.

Mastercard rolled out fixes to its network earlier this year, but Visa appears to have not addressed this issue. The research team said they would not be releasing their Android app that facilitates these attacks in order to prevent widespread abuse of this technique and their research.

Source: The Record