Visa: payments go through without a PIN

A group of academics from Switzerland discovered a bug that could be used to bypass PINs in Visa contactless payments.

This means that fraudsters who get hold of a stolen Visa card can use it to pay for expensive products, above the contactless transaction limit, without having to enter the card's PIN.

According to the research team, a successful attack needs four elements: (1, 2) two smartphones, (3) a dedicated Android application developed by the research team, and (4) a Visa contactless payment card.

The Android application is installed on both smartphones, which act as a card simulator and as a POS (point-of-sale) terminal respectively.

The phone that mimics a POS terminal is held near the stolen card, while the smartphone that acts as a card simulator is used to pay for goods.

The idea behind the attack is that the POS emulator asks the card to authorise a payment, the attacker modifies the transaction data so that it says no PIN is required, and the modified data is sent over WiFi to the second smartphone, which completes the payment without a PIN being entered.

"Our application does not require root permissions or other hacks on Android, and we have used it successfully on Pixel and Huawei phones," the researchers said.

https://www.youtube.com/watch?v=JyUsMLxCCt8

At the technical level, the researchers said the attack was possible due to a design flaw in the EMV standard and the Visa contactless payment protocol.

These flaws allow an attacker to modify the data exchanged in a contactless payment, including the fields that carry the details of the transaction and whether the cardholder has been verified or not.

"The cardholder verification method used in a transaction is neither authenticated nor encrypted, and it is not protected against modification," the researchers said.
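The integrity gap the researchers describe, modelled as an added example (this is not the researchers' application and not the EMV/Visa message format): a constructed authorisation message with a toy MAC, first where the card's tag covers only the amount, so the "PIN required" field travels unauthenticated and a change in transit goes unnoticed, and then where the tag also covers that field, so the change is detected. The key, field names and message layout are assumptions made for illustration.

```python
import hmac
import hashlib

# Constructed toy model of a contactless authorisation. The key, field names
# and layout are assumptions for illustration; this is not the EMV/Visa format.
CARD_KEY = b"constructed-card-key"


def card_tag(tx: dict, cover_cvm: bool) -> bytes:
    """Card-side authentication tag over the transaction.

    Weak design: only the amount is covered, so the cardholder-verification
    field ("pin_required") travels unauthenticated.
    Fixed design: the CVM field is included in the authenticated data."""
    msg = f"amount={tx['amount']}"
    if cover_cvm:
        msg += f"|pin_required={tx['pin_required']}"
    return hmac.new(CARD_KEY, msg.encode(), hashlib.sha256).digest()


def terminal_verify(tx: dict, tag: bytes, cover_cvm: bool) -> bool:
    """Terminal/issuer side: recompute the tag over the fields it received."""
    return hmac.compare_digest(card_tag(tx, cover_cvm), tag)


def authorise(tx: dict, tag: bytes, cover_cvm: bool) -> str:
    """Outcome as the terminal sees it."""
    if not terminal_verify(tx, tag, cover_cvm):
        return "rejected: integrity check failed"
    return "approved with PIN" if tx["pin_required"] else "approved without PIN"


def run(cover_cvm: bool, modified_in_transit: bool) -> str:
    # A high-value transaction for which the card asks for a PIN.
    tx = {"amount": 250, "pin_required": True}
    tag = card_tag(tx, cover_cvm)  # computed by the card
    if modified_in_transit:
        # Field changed between card and terminal; the tag itself is untouched.
        tx = {**tx, "pin_required": False}
    return authorise(tx, tag, cover_cvm)


if __name__ == "__main__":
    for cover in (False, True):
        print("CVM field covered by the tag:", cover)
        print("  unmodified:", run(cover, modified_in_transit=False))
        print("  modified:  ", run(cover, modified_in_transit=True))
```

With the weak design the modified message still verifies and is approved without a PIN; with the CVM field under the tag the same modification fails the integrity check.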

More: https://arxiv.org/pdf/2006.08249.pdf

 

iGuRu.gr


Written by giorgos
