A team of academics from Switzerland has discovered a security bug that can be abused to bypass PIN codes for Visa contactless payments.
This means that if criminals are ever in possession of a stolen Visa contactless card, they can use it to pay for expensive products, above the contactless transaction limit, and without needing to enter the card's PIN code.
The attack is extremely stealthy, academics said, and can be easily mistaken for a customer paying for products using a mobile/digital wallet installed on their smartphone.
However, in reality, the attacker is actually paying with data received from a (stolen) Visa contactless card that is hidden on the attacker's body.
According to the research team, a successful attack requires four components: (1+2) two Android smartphones, (3) a special Android app developed by the research team, and (4) a Visa contactless card.
The Android app is installed on the two smartphones, which will work as a card emulator and a POS (Point-Of-Sale) emulator.
The phone that emulates a POS device is put close to the stolen card, while the smartphone working as the card emulator is used to pay for goods.
The entire idea behind the attack is that the POS emulator asks the card to make a payment, modifies transaction details, and then sends the modified data via WiFi to the second smartphone that makes a large payment without needing to provide a PIN (as the attacker has modified the transaction data to say that the PIN is not needed).
"Our app does not require root privileges or any fancy hacks to Android and we have successfully used it on Pixel and Huawei devices," researchers said.
At the technical level, the researchers said the attack is possible because of what they describe as design flaws in the EMV standard and in Visa's contactless protocol.
These issues allow an attacker to alter data involved in a contactless transaction, including the fields that control transaction details and if the card owner has been verified.
"The cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification," researchers said.
"The attack consists in a modification of a card-sourced data object –the Card Transaction Qualifiers– before delivering it to the terminal," they added.
"The modification instructs the terminal that: (1) PIN verification is not required, and (2) the cardholder was verified on the consumer's device (e.g., a smartphone)."
These modifications are carried out on the smartphone running the POS emulator, before being sent to the second smartphone, and then relayed to the actual POS device, which wouldn't be able to tell if the transaction data was modified.
This security issue was discovered earlier this year by academics from the Swiss Federal Institute of Technology (ETH) in Zurich.
ETH Zurich researchers said they tested their attack in the real world, in real stores, without facing any issues. The attack was successful at bypassing PINs on Visa Credit, Visa Electron, and VPay cards, they said.
A Visa spokesperson did not return an email seeking comment on the research paper's findings, which ZDNet sent on Thursday, but the ETH Zurich team said they notified Visa of their findings.
To discover this bug, the research team said they used a modified version of a tool called Tamarin, which was previously used to discover complex vulnerabilities in the TLS 1.3 cryptographic protocol [PDF] and in the 5G authentication mechanism [PDF].
Besides the PIN bypass on Visa contactless cards, the same tool also discovered a second security issue, this time impacting both Mastercard and Visa. Researchers explain:
"Our symbolic analysis also reveals that, in an offline contactless transaction with a Visa or an old Mastercard card, the card does not authenticate to the terminal the ApplicationCryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can). This enables criminals to trick the terminal into accepting an unauthentic offline transaction. Later on, when the acquirer submits the transaction data as part of the clearing record, the issuing bank will detect the wrong cryptogram, but the criminal is already long gone with the goods."
Unlike the first bug, the research team said it did not test this second attack in real-world setups for ethical reasons, as this would have defrauded the merchants.
Additional details about the team's research can be found in a paper preprint entitled "The EMV Standard: Break, Fix, Verify." Researchers are also scheduled to present their findings at the IEEE Symposium on Security and Privacy, next year, in May 2021.