A group of researchers from the Swiss ETH Zurich university has discovered a vulnerability that allowed them to bypass PIN codes on contactless cards from Mastercard and Maestro.
Technically the researchers performed a Man-in-the-Middle (MitM) attack between a stolen card and the merchant’s Point-of-Sale (PoS) terminal.
In a real attack scenario, crooks could use a victim’s contactless card to make expensive purchases without knowing the card’s PIN.
“Concretely, the attacker fools the terminal into believing that the card being used is a Visa card and then applies the recent PIN bypass attack that we reported on Visa.” state the researchers. “We have built an Android application and successfully used it to carry out this attack for transactions with both Mastercard debit and credit cards, including a transaction for over 400 USD with a Maestro debit card. Finally, we extend our formal model of the EMV contactless protocol to machine-check fixes to the issues found.”
The attack was implemented using two Android smartphones (supporting NFC and running Android 4.4 KitKat or later) that were connected through a relay channel built using TCP/IP serverclient communication over WiFi. One phone runs an app in POS Emulator mode and the other phone runs the app developed by the researchers in Card Emulator mode. The device running in Card Emulator mode must support Android’s host-based card emulation so that the phone can launch the NFC payment service implemented by our app. The man-in-the-middle functionality runs on the POS Emulator device while the Card Emulator acts as the proxy for the relay channel.
The attack scenario is simple, the attackers place PoS emulator device near the card in order to trick the card into initiating a transaction and capture the transaction details, while the card emulator is used by crooks to feed modified transaction details to a real-life PoS terminal inside a store.
The same team of researchers last year devised a method to bypass PINs on Visa contactless payments and used this technique as part of this new attack, it was used to fools the terminal into believing that the card being used is a Visa instead of a Maestro.
The researchers successfully tested the attack against Visa Credit, Visa Debit, Visa Electron, and V Pay cards complete transactions of an amount above the PIN requirement limit for Swiss banks.
Below is one of the slides prepared by the researchers to show the PIN bypass attack:
The PoS operator of the store could not detect the attack, from his perspective the customer is paying with his mobile payments app. In reality, the crook is using modified transaction details obtained from a stolen card.
Unlike the attack against VISA cards, the new PIN bypass attack tricks the PoS terminal into thinking that the incoming transaction comes from a Visa card instead of Mastercard/Maestro, the boffins modified the card’s legitimate Application Identifier (AID) with Visa’s AID: A0000000031010 to achieve this result.
Then experts used the 2020 Visa attack to make the payment without providing a PIN.
The researchers published a video PoC of the attack:
The researchers successfully tested this attack with Mastercard Credit and Maestro cards, but failed to execute the attack to pay with a Mastercard card in a Discover and a UnionPay transaction, as these two kernels are similar to the Visa kernel.
The happy ending is that Mastercard already addressed the issue early this year, but Visa has yet to fix the PIN bypass bug.
(SecurityAffairs – hacking, PIN bypass)