Cybersecurity researchers at the Swiss Higher Technical School of Zurich have recently identified a critical vulnerability that allows any threat actor to bypass PIN codes on contactless cards from Mastercard and Maestro.
Most significantly, by successfully exploiting this security flaw a threat actor can abuse stolen Mastercard and Maestro cards for contactless payments without having to provide any PIN code.
To execute the Man-in-the-Middle attack, an attacker needs the following things:
- Two Android smartphones
- A custom Android application
- A stolen card
The attacker has to install the application on both Android smartphones so that they work as emulators. One Android device acts as a PoS terminal emulator and is placed next to the stolen card.
This tricks the card into initiating a transaction and sharing its data. The second Android device works as a card emulator, which allows the attacker to transfer the modified transaction data to a real PoS terminal.
The Attack Basics
After detecting the attack, the experts affirmed that it is very isolated and could be readily expanded in a real-world situation whenever new bugs in contactless payment protocols are identified.
In this attack, the threat actor places itself between the stolen card and a vendor’s Point-of-Sale (PoS) terminal, which is called a Man/Person/Meddler-in-the-Middle (MitM) situation.
Mastercard and Maestro PIN bypass (2021)
The attack was detected by the ETH Zurich team, who then continued the research to work out all the initial details of this particular attack.
They specifically concentrated on bypassing PINs on other types of cards that do not use the Visa contactless payments protocol.
After continuing the investigation, the specialists stated that they successfully tested this attack with Mastercard Credit cards and Maestro cards, performing transactions of up to 400 Swiss francs during their examination.
Initial Visa PIN bypass (2020)
The security team used this particular attack when they found a way to circumvent PINs on Visa contactless payments. Back then, they titled the research “The EMV Standard: Break, Fix, Verify.”
It enabled the analysts to intercept Visa contactless payments and then modify the transaction details to tell a real-life PoS terminal that the PIN and the cardholder's identity had already been checked and confirmed on the device, so the PoS does not need to perform those checks itself.
However, they will not release the Android app that facilitates these attacks, as they want to prevent widespread abuse of this technique and their research.