VISA cards vulnerable to man-in-the-middle attacks even with PIN

The EMV protocol is vulnerable to man-in-the-middle attacks.
All VISA credit cards are affected by this vulnerability. VISA has to issue an update for POS terminals. A bug in the communication protocol lets attackers mount a man-in-the-middle attack and pay without entering the PIN code.

EMV is the protocol used by all the world’s major banks and financial institutions. Europay, Mastercard and Visa developed the standard, and it’s been around for more than 20 years. It stands to reason that EMV is one of the most scrutinized communication protocols.

The most important reason for the widespread adoption of the EMV protocol has to do with “liability shift,” a procedure that ensures that, as long as the customer approves the transaction with a PIN or signature, the financial institution is not liable.

The researchers used an application named Tamarin, developed explicitly to probe the security of communication protocols. With it they created a working model that covers all the roles in a regular EMV session: the bank, the card and the terminal.

Using this model, the researchers identified a critical violation of authentication properties in the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification.

“We developed a proof-of-concept Android application that exploits this to bypass PIN verification by mounting a man-in-the-middle attack that instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer’s device.”

Criminals can use a stolen VISA card and pay for goods without access to the PIN, making the PIN completely worthless. The attack was tested in a real-world scenario against Visa Credit, Visa Electron and VPay cards, and it was successful. Of course, the attack used a virtual wallet instead of a card, as the terminal can’t distinguish between a real credit card and a smartphone.

“The card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can),” say the researchers. “This enables criminals to trick the terminal into accepting an unauthentic offline transaction.”

The only good news delivered by the researchers is that the fix doesn’t require an update to the EMV standard, only updates to the terminals. Given that there are about 161 million POS terminals in the entire world, the updating process will be a long one.

Credit card skimmers targeting Indian customers

Indian Computer Emergency Response Team (CERT-In) on Saturday issued a public warning about a credit card skimming campaign spread through sports, health and e-commerce websites.

In an official post, CERT-In explains that attackers are targeting websites hosted on Microsoft’s IIS server running the ASP.NET web application framework.

The problem lies with version 4.0.30319 of ASP.NET, which is no longer officially supported by Microsoft and contains multiple vulnerabilities that make it easier for attackers to compromise the sites running it.

CERT-In has advised websites using the ASP.NET web framework and IIS web server to upgrade to the latest version and conduct security audits of the web application, web server and database server, in addition to checking web server directories regularly for malicious web shell files and removing them before they can be used.

CERT-In refers to a recent Malwarebytes Labs report, which found a known vulnerability (CVE-2017-9248) for ASP.NET that has been exploited recently to steal credit card credentials.

Researchers at the cybersecurity firm found over a dozen websites which have been compromised with malicious code injections into one of their legitimate JavaScript libraries.

The skimmer code injected into the JavaScript libraries is designed to steal credit card numbers as well as passwords.
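CERT-In's advice to check web server directories for web shell files, and the injected-library finding above, both come down to knowing what the deployed files should contain. The following is an added example, not code from CERT-In or Malwarebytes Labs: a baseline-manifest check that hashes a webroot snapshot, flags baseline files whose content changed (such as a JavaScript library with code appended to it) and reports new server-side script files that were never part of the deployment. The sample site contents, file paths and the extension list are constructed for this example.

```python
import hashlib
import os
from typing import Dict, List

# Extensions that IIS/ASP.NET will execute; a new file with one of these
# outside the baseline is worth a look (assumed list, not from CERT-In).
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".php")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def snapshot_webroot(root: str) -> Dict[str, bytes]:
    """Read every file under root into {relative_path: bytes} for a live check."""
    snap: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snap[rel] = fh.read()
    return snap

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline hashes, taken once from a known-clean deployment."""
    return {path: sha256_hex(data) for path, data in files.items()}

def audit(manifest: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Flag edited baseline files, unexpected new script files and missing files."""
    findings: Dict[str, List[str]] = {"modified": [], "new_script": [], "missing": []}
    for path, data in current.items():
        expected = manifest.get(path)
        if expected is None:
            if path.lower().endswith(SCRIPT_EXTENSIONS):
                findings["new_script"].append(path)
        elif sha256_hex(data) != expected:
            findings["modified"].append(path)  # e.g. a library with injected code
    findings["missing"] = [p for p in manifest if p not in current]
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample site: a clean deployment, then the same site after tampering.
CLEAN = {
    "Scripts/jquery.min.js": b"/* constructed stand-in for a real library */",
    "Default.aspx": b'<%@ Page Language="C#" %><html>shop</html>',
}
BASELINE = build_manifest(CLEAN)
TAMPERED = dict(CLEAN)
TAMPERED["Scripts/jquery.min.js"] += b"\n// constructed marker for appended code"
TAMPERED["upload/cmd.aspx"] = b"<!-- constructed placeholder, not a real shell -->"
```

In practice, build the manifest from a clean deployment artifact and run `audit(BASELINE, snapshot_webroot(webroot))` on a schedule, treating any non-empty finding as a ticket for review.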

Due to COVID-19, online transactions and payments have increased considerably. This has widened the attack surface for hackers. While CERT-In’s warning was specific to a few websites that were using the outdated web server framework, in another recent instance attackers were found targeting mobile apps to steal card details.

The mobile malware uses overlays (fake windows) with keylogger functionality on top of a legitimate app, prompting users to enter card details to get access to the app. As users enter their card details, the keylogger captures them and forwards them to the attackers.