
Man-in-the-Middle Attack Makes PINs Useless for VISA Cards

Silviu STAHIE

August 28, 2020

  • EMV protocol is vulnerable to a man-in-the-middle attack
  • All VISA credit cards are affected
  • VISA has to issue updates for POS terminals

Swiss security researchers have discovered a way to bypass the PIN authentication for Visa contactless transactions. A bug in the communication protocols lets attackers mount a man-in-the-middle attack without entering the PIN code.

EMV is the protocol used by all the world’s major banks and financial institutions. Europay, Mastercard and Visa developed the standard, and it’s been around for more than 20 years. It stands to reason that EMV is one of the most scrutinized communication protocols, but the Swiss research shows that any software or hardware can have vulnerabilities.

The most important reason for the widespread adoption of the EMV protocol has to do with the “liability shift,” a procedure that ensures that, as long as the customer approves the transaction with a PIN or signature, the financial institution is not liable.

The researchers used an application named Tamarin, developed explicitly to probe the security of communication protocols. They created a working model that covers all the roles in a regular EMV session: the bank, the card and the terminal.

“Using our model, we identify a critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification,” say the researchers in their paper.

“We developed a proof-of-concept Android application that exploits this to bypass PIN verification by mounting a man-in-the-middle attack that instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer’s device,” they continue.

Criminals can use a stolen VISA card and pay for goods without access to the PIN, making the PIN completely worthless. A real-world scenario tested the Visa Credit, Visa Electron, and VPay cards, and it was successful. Of course, the attack used a virtual wallet instead of a card, as the terminal can’t distinguish between a real credit card and a smartphone.

Researchers discovered another issue affecting VISA and some older models of Mastercard cards, in addition to the initial problem.

“The card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can),” say the researchers. “This enables criminals to trick the terminal into accepting an unauthentic offline transaction.”

The only good news delivered by the researchers is that the fix doesn’t require an update for the EMV standard, only updates for the terminal. Given that there are about 161 million POS terminals in the entire world, the updating process will be a long one.
