A team of researchers at ETH Zurich has discovered a novel way to trick payment terminals into treating Mastercard cards as Visa cards and to bypass the PIN for any transaction amount. Although EMV (Europay, Mastercard, Visa), the international standard protocol for card payments, is generally secure, it has some logical flaws that are hard to spot because of its complexity and size.
The researchers discovered two of these flaws and developed an exploitation model that can lead to two different attacks, one against each card type.
The attack on Visa allows criminals to purchase something over the PIN-less limit without knowing the 4-digit code. This requires modifying the Card Transaction Qualifiers (CTQ) so that they tell the terminal that PIN verification isn’t required and that the cardholder has already been verified on the device (smartphone). This way, an attacker could make any contactless purchase, even if the amount is far above the threshold that would require entering the PIN.
The Mastercard attack requires replacing the card’s real Application Identifiers (AIDs) with the Visa AID. This deceives the payment terminal into thinking that it’s dealing with a Visa card, even if the PAN (primary account number) doesn’t match the branding.
By chaining the first exploit onto this one, the attacker could again bypass the PIN regardless of the transaction amount. The transaction authorization request is routed to the payment network that can process Mastercard cards, even though the terminal activates its Visa kernel, so it all works like a charm.
The cards affected by this type of attack include Visa Credit, Visa Debit, Visa Electron, V Pay, Mastercard credit, and Maestro debit cards. It is possible that other EMV cards may be affected, but there’s no proof yet. The researchers disclosed their findings to Visa and Mastercard, and the latter has already implemented defense mechanisms against the exploit.
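The brand mix-up described above leaves a visible inconsistency: the AID the terminal selected belongs to one scheme while the PAN belongs to another. The Python sketch below is an added example, not from the article or the researchers and not a description of Mastercard's actual countermeasure; the record fields, the simplified PAN prefix lists and the sample records are assumptions made for illustration.

```python
# Added illustration (not from the article): flag authorization records where
# the brand of the selected AID disagrees with the brand implied by the PAN.
# Record fields and the simplified prefix lists are assumptions.

RID_BRAND = {
    "A000000003": "visa",        # Visa RID
    "A000000004": "mastercard",  # Mastercard RID (also used by Maestro)
}
# Commonly cited Maestro prefixes; simplified, not a complete BIN table.
MAESTRO_PREFIXES = ("5018", "5020", "5038", "5893", "6304",
                    "6759", "6761", "6762", "6763")

def brand_from_aid(aid_hex):
    """Return the brand for an AID given as hex, using its 5-byte RID."""
    aid = aid_hex.replace(" ", "").upper()
    # An AID is 5 to 16 bytes, i.e. 10 to 32 hex characters.
    if not 10 <= len(aid) <= 32 or len(aid) % 2:
        return None
    if any(c not in "0123456789ABCDEF" for c in aid):
        return None
    return RID_BRAND.get(aid[:10])

def brand_from_pan(pan):
    """Return the brand implied by the leading digits of the PAN."""
    digits = pan.replace(" ", "")
    if not (digits.isascii() and digits.isdigit() and 12 <= len(digits) <= 19):
        return None
    if digits[0] == "4":
        return "visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    if digits.startswith(MAESTRO_PREFIXES):
        return "mastercard"
    return None

def check(record):
    """Classify one record as 'ok', 'mismatch' or 'unknown'."""
    aid_brand = brand_from_aid(record["aid"])
    pan_brand = brand_from_pan(record["pan"])
    if aid_brand is None or pan_brand is None:
        return "unknown"
    return "ok" if aid_brand == pan_brand else "mismatch"

# Constructed sample records (test PANs, not real cards).
SAMPLES = [
    {"aid": "A0000000031010", "pan": "4111111111111111"},
    {"aid": "A0000000041010", "pan": "5555555555554444"},
    {"aid": "A0000000031010", "pan": "5555555555554444"},
    {"aid": "A0000000031010", "pan": "6759000000000000"},
]
```

Records classified as "unknown" fall outside the two schemes covered here and would need a fuller BIN table before any decision is made on them.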
As a consumer, you can protect yourself by physically shielding your card, for example by keeping it inside a wallet that blocks RFID signals and makes contactless transactions impossible. Also, if you lose the card, or if you see transactions that you don’t recognize, you should contact your bank immediately and have the card canceled. This attack would make it possible for someone who doesn’t know the PIN to empty your bank account in one go.