The research, published by a group of academics from the ETH Zurich, is a PIN bypass attack that allows the adversaries to leverage a victim's stolen or lost credit card for making high-value purchases without knowledge of the card's PIN, and even trick a point of sale (PoS) terminal into accepting an unauthentic offline card transaction.
All modern contactless cards that make use of the Visa protocol, including Visa Credit, Visa Debit, Visa Electron, and V Pay cards, are affected by the security flaw, but the researchers posited it could apply to EMV protocols implemented by Discover and UnionPay as well. The loophole, however, doesn't impact Mastercard, American Express, and JCB.
The findings will be presented at the 42nd IEEE Symposium on Security and Privacy to be held in San Francisco next May.
Modifying Card Transaction Qualifiers Via MitM Attack
EMV (short for Europay, Mastercard, and Visa), the widely used international protocol standard for smartcard payment, necessitates that larger amounts can only be debited from credit cards with a PIN code.
But the setup devised by ETH researchers exploits a critical flaw in the protocol to mount a man-in-the-middle (MitM) attack via an Android app that "instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer's device."
The issue stems from the fact the Cardholder verification method (CVM), which is used to verify whether an individual attempting a transaction with a credit or debit card is the legitimate cardholder, is not cryptographically protected from modification.
As a result, the Card Transaction Qualifiers (CTQ) used to determine what CVM check, if any, is required for the transaction can be modified to inform the PoS terminal to override the PIN verification and that the verification was carried out using the cardholder's device such as a smartwatch or smartphone (called Consumer Device Cardholder Verification Method or CDCVM).
Exploiting Offline Transactions Without Being Charged
Furthermore, the researchers uncovered a second vulnerability, which involves offline contactless transactions carried out by either a Visa or an old Mastercard card, allowing the attacker to alter a specific piece of data called "Application Cryptogram" (AC) before it is delivered to the terminal.
Offline cards are typically used to directly pay for goods and services from a cardholder's bank account without requiring a PIN number. But since these transactions are not connected to an online system, there is a delay of 24 to 72 hours before the bank confirms the transaction's legitimacy using the cryptogram, and the amount of the purchase is debited from the account.
A criminal can leverage this delayed processing mechanism to use their card to complete a low-value and offline transaction without being charged, in addition to making away with purchases by the time the issuing bank declines the transaction due to the wrong cryptogram.
"This constitutes a 'free lunch' attack in that the criminal can purchase low-value goods or services without actually being charged at all," the researchers said, adding the low-value nature of these transactions is unlikely to be an "attractive business model for criminals."
Mitigating PIN bypass and offline attacks
Aside from notifying Visa of the flaws, the researchers have also proposed three software fixes to the protocol to prevent PIN bypass and offline attacks, including using Dynamic Data Authentication (DDA) to secure high-value online transactions and requiring the use of online cryptogram in all PoS terminals, which causes offline transactions to be processed online.
"Our attack show[ed] that the PIN is useless for Visa contactless transactions [and] revealed surprising differences between the security of the contactless payment protocols of Mastercard and Visa, showing that Mastercard is more secure than Visa," the researchers concluded. "These flaws violate fundamental security properties such as authentication and other guarantees about accepted transactions."