Security researchers have discovered a new flaw in Visa’s EMV-enabled cards that allows cybercriminals to illicitly obtain funds and defraud cardholders and merchants.
The research, published by a group of academics from ETH Zurich, describes a PIN bypass attack that allows criminals who get hold of a victim’s stolen or lost credit card to make high-value purchases without knowing the card’s PIN, and also to trick a point of sale (PoS) terminal into accepting an unauthentic offline card transaction.
All contactless cards that use the Visa protocol, including Visa Credit, Visa Debit, Visa Electron, and V Pay cards, are affected by the security flaw. The researchers also stated that this could apply to EMV protocols implemented by Discover and UnionPay as well.
The flaw, however, does not affect Mastercard, American Express, and JCB.
EMV (Europay, Mastercard, and Visa), the widely used international protocol standard for smartcard payment, requires that larger amounts can be debited from credit cards only with a PIN code.
The ETH researchers exploit a critical flaw in the protocol to perform a man-in-the-middle (MitM) attack via an Android app, which tells the terminal that PIN verification is not necessary because cardholder verification was performed on the consumer’s device.
The issue arises from the fact that the Cardholder verification method (CVM), which is used to verify whether a user trying to make a transaction with a credit or debit card is the legitimate cardholder, is not cryptographically protected from modification.
As a result, the Card Transaction Qualifiers (CTQ), which are used to determine what CVM check is required for the transaction, can be modified to tell the PoS terminal to skip PIN verification and that cardholder verification, called Consumer Device Cardholder Verification Method or CDCVM, was already done on the cardholder’s device.
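The gap described above, in a simplified model (an added example, not code from the researchers or from the EMV specification): a flag outside the cryptogram's coverage can differ from what the card sent without the verifier noticing, while the same change is detected once the flag is covered. The field names, key, limit and HMAC construction are assumptions for illustration and do not reproduce the real EMV cryptogram.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for a card/issuer shared secret
CVM_LIMIT = 50                 # constructed amount above which a PIN is normally required

def cryptogram(fields, covered):
    """MAC over only the fields named in `covered` (sorted for a stable encoding)."""
    msg = "|".join(f"{name}={fields[name]}" for name in sorted(covered)).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def card_response(amount, cdcvm_performed, covered):
    """What the card sends: its data fields plus a cryptogram over `covered`."""
    fields = {"amount": amount, "counter": 7, "cdcvm_performed": cdcvm_performed}
    return {**fields, "cryptogram": cryptogram(fields, covered)}

def altered_in_transit(response):
    """Model of a modified message: the flag no longer matches what the card sent."""
    return {**response, "cdcvm_performed": True}

def terminal_asks_for_pin(response):
    """Terminal logic: above the limit, skip the PIN only if the card reports CDCVM."""
    return response["amount"] > CVM_LIMIT and not response["cdcvm_performed"]

def cryptogram_valid(response, covered):
    """Verifier recomputes the MAC from the received fields, constant-time compare."""
    return hmac.compare_digest(cryptogram(response, covered), response["cryptogram"])

UNPROTECTED = ("amount", "counter")                   # flag outside the MAC
PROTECTED = ("amount", "counter", "cdcvm_performed")  # flag inside the MAC

def check(covered):
    """Return (PIN requested?, cryptogram still valid?) for an altered response."""
    received = altered_in_transit(card_response(120, False, covered))
    return terminal_asks_for_pin(received), cryptogram_valid(received, covered)

if __name__ == "__main__":
    print("flag not covered:", check(UNPROTECTED))  # change goes unnoticed
    print("flag covered:    ", check(PROTECTED))    # cryptogram check fails
```

In the second case the terminal's PIN decision is still driven by the received flag, so detection depends on the cryptogram actually being verified before the transaction is accepted.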
The researchers also discovered another vulnerability involving offline contactless transactions carried out by either a Visa or an old Mastercard card, allowing the attacker to change a specific piece of data called “Application Cryptogram” (AC) before it is delivered to the terminal.
Offline cards are usually used to pay for goods and services directly from a cardholder’s bank account without the need for a PIN. As these are not connected to an online system, there is a delay of 24 to 72 hours before the bank confirms the transaction’s legitimacy using the cryptogram and the amount of the purchase is debited from the account.
A criminal can exploit this delayed processing to use their own card to complete a low-value offline transaction without being charged: by the time the issuing bank declines the transaction because of the wrong cryptogram, the purchase has already been made.
In this way the criminal can make low-value purchases without actually being charged.
Visa has been notified of these flaws, and the researchers have also proposed three software fixes to the protocol to prevent PIN bypass and offline attacks, including using Dynamic Data Authentication (DDA) to secure high-value online transactions and requiring the use of an online cryptogram in all PoS terminals, which causes offline transactions to be processed online.
The researchers concluded that their attack showed that the PIN is useless for Visa contactless transactions and that there are differences between the security of the contactless payment protocols of Mastercard and Visa, which indicates that Mastercard is more secure than Visa.