"Security Flaw Detected for the Second Time in Credit Cards"
Researchers working with the Information Security Group at ETH Zurich discovered a way to circumvent the PIN codes for different contactless credit cards. In summer 2020, the researchers demonstrated how to bypass a PIN code for Visa cards. They have now found another bypass that can work with other types of payment cards, specifically Mastercard and Maestro. The researchers' methods are based on the man-in-the-middle (MITM) principle, in which attackers position themselves between two communicating parties to exploit the data exchanged between them. In the context of this research, the two communicating parties are the card and the card terminal. The team replicated this attack using an Android app they had developed and two mobile phones with Near-Field Communication (NFC) enabled. The Android app was used to falsely signal to the card terminal that a PIN was not required to authorize the payment and that the identity of the card owner had been verified. The attack was demonstrated on two Mastercard credit cards and two Maestro debit cards issued by four different banks. According to the researchers, the main root cause of the security flaws discovered in contactless payment cards is the Europay, Mastercard, and Visa (EMV) international protocol standard. The set of rules contains logical errors that are difficult to detect, mainly because the standard has more than 2,000 pages. This article continues to discuss how the researchers successfully bypassed the PIN code verification step for contactless payment cards and the source of security vulnerabilities found in these cards.
ETH Zurich reports "Security Flaw Detected for the Second Time in Credit Cards"