New Attacks Allow Bypassing EMV Card PIN Verification
Security News, August 2020
Researchers at ETH Zurich have identified vulnerabilities in implementations of the EMV payment card standard that allow attacks targeting both the cardholder and the merchant.
In a newly published paper, David Basin, Ralf Sasse, and Jorge Toro-Pozo of the Department of Computer Science at ETH Zurich explain that vulnerabilities identified in the standard EMV implementation could be exploited to render PIN verification useless for Visa contactless transactions.
The researchers' model takes into account all three parties in an EMV session: the bank, the terminal, and the card.
Thus, an attacker could use stolen Visa cards for contactless transactions without knowing the card's PIN. "We have successfully tested our PIN bypass attack on real-world terminals for a number of transactions with Visa-branded cards such as Visa Credit, Visa Electron, and VPay cards. As it is now common for consumers to pay with their smartphones, the cashier cannot distinguish the attacker's actions from those of any legitimate cardholder," the researchers explain.
The academics also found that, in offline contactless transactions with a Visa or an older Mastercard card, the card does not authenticate the Application Cryptogram to the terminal, so the terminal can be tricked into accepting an unauthentic offline transaction.
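The following is an added, deliberately simplified model of that offline-acceptance gap; it is not code from the paper or from any payment network. It assumes a single shared MAC key held only by the issuer and the card (real EMV derives per-card and per-session keys), and shows why a terminal deciding offline has nothing to check the cryptogram against, whereas an online authorization lets the issuer reject a cryptogram it did not produce.

```python
import hmac
import hashlib

# Assumption (constructed, not a real key): the Application Cryptogram (AC)
# key is shared between issuer and card only. The terminal never holds it.
ISSUER_AC_KEY = b"constructed-issuer-ac-key"

def card_generate_ac(key: bytes, tx_data: bytes) -> bytes:
    """Genuine card: 8-byte MAC over the transaction data it was handed."""
    return hmac.new(key, tx_data, hashlib.sha256).digest()[:8]

def issuer_verify(ac: bytes, tx_data: bytes) -> bool:
    """Issuer side of an online authorization: recompute and compare the AC."""
    expected = card_generate_ac(ISSUER_AC_KEY, tx_data)
    return hmac.compare_digest(ac, expected)

def terminal_decide(ac: bytes, tx_data: bytes, go_online: bool) -> str:
    """Terminal decision. Offline it can only check the AC's shape, not its
    validity, because it has no key; online it defers to the issuer."""
    if not go_online:
        # Offline path: any well-formed 8-byte value is indistinguishable
        # from a genuine cryptogram at this point.
        return "APPROVED_OFFLINE" if len(ac) == 8 else "DECLINED"
    return "APPROVED_ONLINE" if issuer_verify(ac, tx_data) else "DECLINED"

def run_scenarios() -> dict:
    """Constructed transaction; compare genuine vs. non-genuine AC on both paths."""
    tx = b"amount=2500;currency=978;unpredictable_number=4f2a9c11"
    genuine_ac = card_generate_ac(ISSUER_AC_KEY, tx)
    bogus_ac = b"\x00" * 8  # a value not produced under the issuer key
    return {
        "genuine_offline": terminal_decide(genuine_ac, tx, go_online=False),
        "bogus_offline": terminal_decide(bogus_ac, tx, go_online=False),
        "genuine_online": terminal_decide(genuine_ac, tx, go_online=True),
        "bogus_online": terminal_decide(bogus_ac, tx, go_online=True),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} -> {outcome}")
```

The mitigation the model points to is forcing the terminal online for these transactions so that the issuer, which holds the key, makes the accept/decline decision.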