Hackers Can Bypass Mastercard PIN by Using the Card as a Visa Card

Cybersecurity researchers have recently described an attack that could enable threat actors to trick a point-of-sale terminal into transacting with a victim’s Mastercard contactless card while considering it to be a Visa card.

The research was published by a group of academics from ETH Zurich, who reported the threat last September. EMV is named after its founders, Europay, Mastercard, and Visa; it is the international protocol standard for in-store smartcard payment.

As of December 2019, EMV was reported to be in use in over 9 billion credit and debit cards worldwide. Despite the standard’s advertised security, several issues have been revealed earlier.

Attack Demonstration

The experts developed a proof-of-concept Android application to demonstrate the attack. The app implements the attacks as man-in-the-middle attacks built on top of a relay attack architecture, using two NFC-enabled phones.

Here, the threat actors must have access to the victim’s card, either by stealing it, by obtaining it if lost, or by holding the POS emulator near it if it is still in the victim’s possession.

The attacks work by modifying the terminal’s commands and the card’s responses before relaying them to the corresponding recipient.

The attack on Visa

According to the experts, the attack on Visa consists of modifying the Card Transaction Qualifiers before delivering them to the terminal. The modification instructs the terminal that:

  • PIN verification is not needed.
  • The cardholder was already verified on the user’s device.

The security researchers state that they have already tested this attack successfully with:

  • Visa Credit cards
  • Visa Electron cards
  • Visa Debit cards
  • V Pay cards

The attack on Mastercard

The attack on Mastercard primarily consists of replacing the card’s valid Application Identifiers (AIDs) with the Visa AID A0000000031010 to trick the terminal into activating the Visa kernel.

However, the terminal’s authorization request must reach the card-issuing bank, and for this to happen several conditions must be met:

  • The terminal does not decline offline even if the card number (PAN) and the AIDs designate different card brands.
  • The merchant’s acquirer routes the transaction authorization request to a payment network that can process Mastercard cards.

The security experts have confirmed that they performed this attack successfully with four different cards:

  • Two Mastercard credit cards
  • Two Maestro debit cards

Mastercard Adds Countermeasures

ETH Zurich researchers announced that they were able to bypass PIN verification for all kinds of transactions with Mastercard credit and debit cards, including two Maestro debit and two Mastercard credit cards, all issued by different banks, with one of the transactions exceeding $400.

Mastercard has added a number of countermeasures, including mandating that financial institutions include the AID in the authorization data, which allows card issuers to check the AID against the PAN.

Moreover, the payment network has now rolled out checks for other data points present in the authorization request that could be used to identify an attack of this kind and reduce fraudulent transactions.
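The issuer-side check of the AID against the PAN described above can be sketched as follows. This is an added example, not code from the researchers or from Mastercard; the request field names, the simplified PAN prefix ranges and the "decline"/"review" outcomes are assumptions made for illustration.

```python
# Added example (not from the research or from Mastercard): issuer-side check
# that the AID in the authorization data matches the brand of the PAN.
# Field names and PAN ranges are simplified assumptions.

# RID = first 5 bytes (10 hex digits) of the AID, identifying the scheme.
RID_TO_BRAND = {
    "A000000003": "visa",        # e.g. Visa AID A0000000031010
    "A000000004": "mastercard",  # Mastercard and Maestro AIDs share this RID
}


def brand_from_aid(aid_hex):
    """Brand implied by the AID's RID, or None if the RID is not known."""
    return RID_TO_BRAND.get(aid_hex.replace(" ", "").upper()[:10])


def brand_from_pan(pan):
    """Brand implied by the PAN prefix, or None (simplified ranges)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 12:
        return None
    if digits[0] == "4":
        return "visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    return None  # Maestro and other ranges are left out of this sketch


def check_authorization(request):
    """Return 'ok', 'decline' (brand mismatch) or 'review' (cannot decide)."""
    aid_brand = brand_from_aid(request.get("aid", ""))
    pan_brand = brand_from_pan(request.get("pan", ""))
    if aid_brand is None or pan_brand is None:
        return "review"
    return "ok" if aid_brand == pan_brand else "decline"


# Constructed sample requests using well-known test PANs.
SAMPLES = [
    {"pan": "5555 5555 5555 4444", "aid": "A0000000041010"},  # consistent
    {"pan": "5555 5555 5555 4444", "aid": "A0000000031010"},  # Visa AID, Mastercard PAN
    {"pan": "4111 1111 1111 1111", "aid": "A0000000031010"},  # consistent
    {"pan": "6759 0000 0000 0000", "aid": "A0000000043060"},  # range not in table
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["aid"], req["pan"][:4] + "...", check_authorization(req))
```

A production check would use the issuer's own BIN tables rather than these prefix ranges.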

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
