Payment card data issued by major banks and organizations is a constant target of computer criminals using different hacking methods. Visa payment cards have now been found to be vulnerable to a new kind of attack categorized as a PIN bypass. It allows hackers to manipulate payment terminals into accepting card transactions from unauthentic cards.
Visa Payment Cards Identified With New Authentication Flaw Leading to PIN Verification Bypass
Banks and financial institutions need to beware of a serious new security issue that affects payment cards based on Visa’s network. An academic security group has published extensive research called EMVrace which shows that Visa is vulnerable to a PIN bypass attack. This is one of the weaknesses detected through a detailed analysis of the way payments are made using the current EMV standard.
One of the most dangerous consequences is a demonstrated method that allows hackers to obtain funds from cardholders and manipulate web merchants into accepting them without authentication. Contactless payments require PIN verification once a certain cash limit has been reached. Below that limit, payments are in almost all cases automated.
For the attack to happen, the criminals need to acquire the payment card details, either by stealing them or by acquiring them through other means. The alternative is the popular NFC skimming option, which uses near-field communication technology to scan for nearby cards and copy their details.
To prove the efficiency and danger of this attack, the researchers created a proof-of-concept demonstration. It relies on a man-in-the-middle setup using a specially designed Android application. The application is used to modify the behavior of payment terminals: it alters the card’s responses before they are delivered to the terminal.
As a result of the attack, the criminals can complete purchases using the victim’s card and can overcome the PIN-less limit by modifying a value called Card Transaction Qualifiers. By abusing the connection using the remote protocols, the payment terminals are instructed to skip PIN verification and to trust that the cardholder’s identity has already been verified. To further confirm the attack’s success, the researchers also tested it on live terminals in physical stores.
As a consequence of the attacks they carried out, the researchers note that this method applies to both Visa and Mastercard protocols.