A group of academics from Switzerland discovered a bug that could be used to bypass PINs in Visa contactless payments.
This means that fraudsters holding a stolen Visa card can use it to pay for expensive products above the transaction limit without having to enter the card PIN.
According to the research team, a successful attack requires four elements: (1 + 2) two Android smartphones, (3) a special Android application developed by the research team and (4) a Visa contactless card.
The Android application is installed on both smartphones; one acts as a card simulator and the other as a POS (Point-of-Sale) emulator.
The phone that mimics a POS device is held near the stolen card, while the smartphone that acts as a card simulator is used to pay for goods.
The whole idea behind the attack is that the POS emulator asks the card to make a payment and then sends the modified data via WiFi to the second smartphone, which makes the payment without having to give a PIN (the intruder has modified the transaction data to say that no PIN is required).
"Our application does not require root privileges or other hacks on Android and we have used it successfully on Pixel and Huawei devices," said the researchers.
At the technical level, the researchers said the attack was possible due to a design flaw in the EMV standard and the Visa contactless payment protocol.
These issues allow an attacker to change the data involved in a contactless payment, along with the fields that control the transaction details and whether the cardholder has been verified or not.
"The cardholder verification method used in a transaction is neither validated nor encrypted and is not protected from modification," the researchers said.
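
The flaw described above comes down to which fields an integrity tag covers. The following is an added example, not code from the researchers or from the EMV specifications: a simplified model in which the field names, the constructed key and the use of HMAC-SHA256 are all assumptions and do not reflect real EMV message formats. It shows that a verification flag left outside the tag can be changed without detection, while binding it into the tag makes the same change fail verification.

```python
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # constructed value; stands in for a card/issuer shared key

# Fields covered by the integrity tag in each (hypothetical) design.
WEAK_COVERAGE = ("amount", "nonce")             # verification flag left outside the tag
HARDENED_COVERAGE = ("amount", "nonce", "cvm")  # verification flag bound into the tag


def _mac(fields: dict, covered: tuple) -> str:
    """HMAC-SHA256 over only the fields named in `covered`, canonically encoded."""
    blob = json.dumps({k: fields[k] for k in covered}, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, blob, hashlib.sha256).hexdigest()


def card_respond(amount: int, nonce: str, cvm: str, covered: tuple) -> dict:
    """Card side: build the response and tag the covered fields."""
    msg = {"amount": amount, "nonce": nonce, "cvm": cvm}
    msg["tag"] = _mac(msg, covered)
    return msg


def verifier_accepts(msg: dict, covered: tuple) -> bool:
    """Verifier side: recompute the tag over the covered fields and compare."""
    return hmac.compare_digest(_mac(msg, covered), msg["tag"])


def altered_in_transit(msg: dict) -> dict:
    """Models the change the article describes: the flag is rewritten between card and terminal."""
    changed = dict(msg)
    changed["cvm"] = "none_required"
    return changed


def demo() -> dict:
    """Run both designs on the same constructed transaction and report what the verifier accepts."""
    results = {}
    for name, covered in (("weak", WEAK_COVERAGE), ("hardened", HARDENED_COVERAGE)):
        original = card_respond(25000, "n-001", "pin_required", covered)
        results[name] = {
            "original_ok": verifier_accepts(original, covered),
            "altered_ok": verifier_accepts(altered_in_transit(original), covered),
        }
    return results


if __name__ == "__main__":
    for design, outcome in demo().items():
        print(design, outcome)
```
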