Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim’s Mastercard contactless card while believing it to be a Visa card.
The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a victim’s stolen or lost Visa EMV-enabled credit card for making high-value purchases without knowledge of the card’s PIN, and even fool the terminal into accepting unauthentic offline card transactions.
“This is not just a mere card brand mixup but it has critical consequences,” researchers David Basin, Ralf Sasse, and Jorge Toro said. “For example, criminals can use it in combination with the previous attack on Visa to also bypass the PIN for Mastercard cards. The cards of this brand were previously presumed protected by PIN.”
Read Full Article
Source: TheHackerNews
Demo how it can be accomplished.
Mastercard Adds Countermeasures
Using the PoC Android app, ETH Zurich researchers said they were able to bypass PIN verification for transactions with Mastercard credit and debit cards, including two Maestro debit and two Mastercard credit cards, all issued by different banks, with one of the transactions exceeding $400.
In response to the findings, Mastercard has added a number of countermeasures, including mandating financial institutions to include the AID in the authorization data, allowing card issuers to check the AID against the PAN.
Additionally, the payment network has rolled out checks for other data points present in the authorization request that could be used to identify an attack of this kind, thereby declining a fraudulent transaction right at the outset.