Hackers Bypass Mastercard PIN

Cybersecurity researchers have recently described an attack that lets threat actors trick a point-of-sale terminal into transacting with a victim's Mastercard contactless card while treating it as a Visa card.

The research was published by a group of academics from ETH Zurich, who reported the threat last September. EMV is named after its founders, Europay, Mastercard, and Visa; it is the international protocol standard for in-store smartcard payment.

As of December 2019, EMV was reported to be in use in over 9 billion credit and debit cards worldwide. Despite the standard's advertised security, several issues have been revealed in it earlier.

Attack Demonstration 

The experts developed a proof-of-concept Android application to demonstrate the attack. The app implements the attacks as man-in-the-middle attacks built on top of a relay attack architecture, using two NFC-enabled phones.

The threat actors must have access to the victim's card, either by stealing it, by obtaining it if lost, or by holding the POS emulator near it if it is still in the victim's possession.

The attacks work by modifying the terminal's commands and the card's responses before relaying them to the respective recipient.

The attack on Visa

According to the experts, the attack on Visa consists of modifying the Card Transaction Qualifiers before delivering them to the terminal. The modification instructs the terminal that:

  • PIN verification is not needed.
  • The cardholder was already verified on the user's device.

The security researchers state that they have already tested this attack successfully with:

  • Visa Credit cards
  • Visa Electron cards
  • Visa Debit cards
  • V Pay cards

The attack on Mastercard

The attack on Mastercard primarily consists of replacing the card's valid Application Identifiers (AIDs) with the Visa AID A0000000031010 to trick the terminal into activating the Visa kernel.

However, the terminal's authorization request must reach the card-issuing bank, and for this several conditions must be met:

  • The terminal does not decline offline even if the card number (PAN) and the AIDs indicate different card brands.
  • The merchant's acquirer routes the transaction authorization request to a payment network that can process Mastercard cards.

Moreover, the security experts have confirmed that they have already performed this attack successfully with four different cards:

  • Two Mastercard credit cards
  • Two Maestro debit cards

Mastercard Countermeasures

ETH Zurich researchers announced that they were able to bypass PIN verification for all kinds of transactions with Mastercard credit and debit cards, including two Maestro debit and two Mastercard credit cards, all issued by different banks, with one of the transactions exceeding $400.

Mastercard has since added a number of countermeasures, including mandating that financial institutions include the AID in the authorization data, which allows card issuers to check the AID against the PAN.

Moreover, the payment network has now rolled out checks for other data points present in the authorization request that could be used to identify an attack of this kind and decrease fraudulent transactions.
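The AID-against-PAN check described above can be sketched on the issuer side as follows. This is an added example, not code from the researchers or from Mastercard. It assumes the authorization data is an EMV BER-TLV blob carrying the AID in tag 84 and the PAN in tag 5A, and it uses a simplified prefix table in place of a real BIN table; the sample blobs are constructed.

```python
# Added illustration: issuer-side AID-vs-PAN brand consistency check.
# Assumptions: flat BER-TLV input, AID in tag 84, PAN in tag 5A (BCD, F-padded).
VISA_RID = "A000000003"        # RID of the Visa AID A0000000031010 cited above
MASTERCARD_RID = "A000000004"  # RID shared by Mastercard and Maestro AIDs
MAESTRO_PREFIXES = ("5018", "5020", "5038", "5893", "6304", "6759")  # simplified

def parse_tlv(data: bytes) -> dict:
    """Parse a flat sequence of BER-TLV objects into {tag_hex: value_bytes}."""
    out, i = {}, 0
    while i < len(data):
        start = i
        if data[i] & 0x1F == 0x1F:       # multi-byte tag, e.g. 9F06
            i += 1
            while data[i] & 0x80:
                i += 1
        i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError(f"tag {tag}: truncated value")
        out[tag] = data[i:i + length]
        i += length
    return out

def brand_from_aid(aid_hex: str) -> str:
    return {VISA_RID: "visa", MASTERCARD_RID: "mastercard"}.get(aid_hex[:10], "unknown")

def brand_from_pan(pan: str) -> str:
    if pan.startswith("4"):
        return "visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    return "mastercard" if pan.startswith(MAESTRO_PREFIXES) else "unknown"

def check_authorization(tlv_blob: bytes) -> tuple:
    """Return ("ok", reason) or ("flag", reason) for one authorization blob."""
    try:
        fields = parse_tlv(tlv_blob)
        aid_brand = brand_from_aid(fields["84"].hex().upper())
        pan_brand = brand_from_pan(fields["5A"].hex().upper().rstrip("F"))
    except (KeyError, IndexError, ValueError):
        return ("flag", "malformed or incomplete authorization data")
    if "unknown" in (aid_brand, pan_brand) or aid_brand != pan_brand:
        return ("flag", f"AID brand {aid_brand} does not match PAN brand {pan_brand}")
    return ("ok", "AID consistent with PAN")

# Constructed samples: Mastercard AID + Mastercard-range PAN, then Visa AID + same PAN.
MASTERCARD_OK = bytes.fromhex("8407A00000000410105A085555555555554444")
BRAND_MIXUP = bytes.fromhex("8407A00000000310105A085555555555554444")
```

A Visa AID paired with a Mastercard-range PAN, the combination the brand mix-up produces, comes back as `flag`; a production check would look the PAN up in the issuer's own BIN table instead of the prefix list used here.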


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.