Hackers Can Now Bypass PIN Codes on Contactless Cards
Voila! Another discovery by the ever-evolving hackers, this time a form of what is widely known as a man-in-the-middle attack, or simply MITM. According to experts, the steps involved in the hack are simple too.
One thing that's fascinating about hackers is their intelligence. They never cease to find new ways to break in, which is as scary as it is fascinating. Hackers use their technical skills to work out how to achieve a goal or overcome an obstacle within a computerized system by non-standard means. Likewise, there are higher rates of attacks around the globe, primarily due to digitalization during the COVID crisis.
The ETH Zurich team detected the attack as part of its offensive research, and then went on to work out the initial details of the discovery.
“A group of scientists from the Swiss Higher Technical School of Zurich has discovered a way to bypass PIN codes on Mastercard and Maestro contactless cards. The exploitation of the vulnerability allowed cybercriminals to use stolen Mastercard and Maestro cards to pay for expensive products without having to provide PIN codes for contactless payments,” says CyberSecurity News.
A sneak peek at the MITM attack:
- The attacker needs a stolen card,
- two Android smartphones,
- and a custom Android application that can tamper with the fields of the transaction.
- The application must be installed on both smartphones, which will act as emulators.
- One smartphone is placed next to the stolen card and acts as a PoS terminal emulator, tricking the card into initiating a transaction and sharing its data.
- The second smartphone acts as a card emulator and is used by the fraudster to transfer the modified transaction data to a real PoS terminal inside the store.
From the perspective of the point-of-sale terminal (the electronic terminal used for the transaction), the attack looks as if the customer is paying with their mobile payment app, but in reality the fraudster is sending modified transaction data from the stolen card.
After detecting the attack, the experts affirmed that this attack is isolated and could be readily expanded in a real-world situation whenever new bugs in contactless payment protocols are identified. Experts have successfully tested the attack with Visa Credit, Visa Debit, Visa Electron, and V Pay cards.
Mastercard released fixes for the issue earlier this year, but Visa doesn't seem to have fixed the vulnerability yet. Watch a demo video of how the vulnerability can be exploited by anyone with basic knowledge of cybersecurity.