
New Vulnerability Allows Hackers to Bypass PIN Codes on Contactless Cards From Mastercard & Maestro

Cybersecurity researchers at the Swiss Higher Technical School of Zurich (ETH Zurich) have recently identified a critical vulnerability that allows any threat actor to bypass PIN codes on contactless cards from Mastercard and Maestro.

The most significant consequence is that, on successful exploitation of this security flaw, a threat actor can easily abuse stolen Mastercard and Maestro cards for contactless payments without having to provide a PIN code.

To execute this Man-in-the-Middle attack, an attacker needs the following:

  • Two Android smartphones
  • A custom Android application
  • A stolen card

For the smartphones to work as emulators, the attacker has to install the application on both Android devices. One Android device acts as a PoS terminal emulator and is placed next to the stolen card.

This tricks the card into initiating a transaction and sharing its data. The second Android device works as a card emulator, which allows the attacker to pass the modified transaction data to a real PoS terminal.

The Attack Basics

After detecting the attack, the experts affirmed that it is very isolated and could readily be extended in real-world situations whenever new bugs in contactless payment protocols are identified.

In this attack, the threat actor positions itself between the stolen card and a vendor’s Point-of-Sale (PoS) terminal, which is called a Man/Person/Meddler-in-the-Middle (MitM) situation.

Mastercard and Maestro PIN bypass (2021)

The attack was detected by the ETH Zurich team, which then continued the research to establish all the initial details of this particular attack.

However, they specifically concentrated on bypassing PINs on other types of cards that do not use the Visa contactless payment protocol.

After continuing the investigation, the specialists stated that they successfully tested this attack with Mastercard Credit cards and Maestro cards, performing transactions of up to 400 Swiss francs during their examination.

Initial Visa PIN bypass (2020)

The security team used this particular attack when they found a way to circumvent PINs on Visa contactless payments. Back then, they titled the research “The EMV Standard: Break, Fix, Verify.”

It enabled the analysts to intercept Visa contactless payment details and then modify the transaction details to tell a real-life PoS terminal that the PIN and the cardholder's identity had already been checked and confirmed on the device, so that the PoS doesn't need to perform those checks itself.

However, they will not release the Android app that facilitates these attacks, as they want to prevent widespread abuse of the technique and of their research.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
