New PIN Verification Bypass Flaw Affects Visa Contactless Payments (Security News, September 2020)
All modern contactless cards that make use of the Visa protocol, including Visa Credit, Visa Debit, Visa Electron, and V Pay cards, are affected by the security flaw, but the researchers posited it could apply to EMV protocols implemented by Discover and UnionPay as well.
The root cause is that the Card Transaction Qualifiers (CTQ), the data object the card sends to tell the terminal which cardholder verification method (CVM) check, if any, is required, is not authenticated to the terminal: it is neither signed by the card nor covered by the cryptogram the issuer later verifies. An attacker relaying the NFC exchange between card and terminal can therefore rewrite the CTQ so that it tells the PoS terminal that PIN verification is not required and that cardholder verification was instead carried out on the consumer's own device (Consumer Device CVM), such as a smartwatch or smartphone. The terminal then completes a high-value transaction without ever asking for the PIN.
Exploiting Offline Transactions Without Being Charged

The researchers also uncovered a second vulnerability, affecting offline contactless transactions carried out with a Visa card or an older Mastercard card. Here the attacker alters a specific piece of data, the "Application Cryptogram" (the Transaction Certificate with which the card approves an offline transaction), before it is delivered to the terminal. Because the terminal holds no key with which to verify the cryptogram, it cannot tell a forged value from a genuine one and approves the purchase; the issuer only discovers the forgery later, when the transaction is submitted for settlement.
Mitigating PIN bypass and offline attacks

Aside from notifying Visa of the flaws, the researchers also proposed three software fixes to the protocol to prevent the PIN bypass and offline attacks. These include using Dynamic Data Authentication to secure high-value online transactions, so that the card-supplied data driving the CVM decision is authenticated to the terminal and a modified CTQ is detected, and requiring the use of an online cryptogram in all PoS terminals, which causes offline transactions to be processed online, where the issuer can verify the cryptogram.
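The following is an added, constructed example (not code from the article or from the ETH Zurich researchers) that models the PIN-bypass mechanism described above and the effect of authenticating the CTQ. It keeps the real layout of the two CTQ flags involved (tag 9F6C: "Online PIN required" is byte 1 bit 8, "Consumer Device CVM performed" is byte 2 bit 8), but the cryptogram, key, CVM-required limit and reader CVM selection are simplified stand-ins: an HMAC verified by the issuer replaces both the EMV MAC and the card's DDA signature, and the reader logic is a reduced version of the kernel's CVM selection. The names `decode_ctq`, `mitm_rewrite_ctq`, `application_cryptogram`, `terminal_cvm` and `run_transaction` are this example's own.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed key for the toy model. Real EMV cards use a per-card key derived from an
# issuer master key and produce an 8-byte 3DES/AES MAC, not an HMAC-SHA256 truncation.
ISSUER_KEY = b"constructed-demo-issuer-key"
CVM_REQUIRED_LIMIT = 50_00  # constructed reader limit in minor units; above it a CVM is needed


def decode_ctq(ctq: bytes) -> dict:
    """Decode the Card Transaction Qualifiers bits (tag 9F6C) that drive the CVM decision."""
    if len(ctq) != 2:
        raise ValueError("CTQ is a two-byte value")
    return {
        "online_pin_required": bool(ctq[0] & 0x80),  # byte 1, bit 8
        "signature_required": bool(ctq[0] & 0x40),   # byte 1, bit 7
        "cdcvm_performed": bool(ctq[1] & 0x80),      # byte 2, bit 8
    }


def mitm_rewrite_ctq(ctq: bytes) -> bytes:
    """The rewrite the article describes: clear 'Online PIN required' and set
    'Consumer Device CVM performed' on the CTQ relayed from card to terminal."""
    return bytes([ctq[0] & 0x7F, ctq[1] | 0x80])


def application_cryptogram(amount: int, un: bytes, atc: int, ctq: Optional[bytes]) -> bytes:
    """Toy cryptogram over the transaction data. With ctq=None the CTQ is not covered,
    modelling the flaw; passing the CTQ models authenticating it (the proposed fix)."""
    data = amount.to_bytes(4, "big") + un + atc.to_bytes(2, "big") + (ctq or b"")
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).digest()[:8]


def terminal_cvm(ctq: bytes, amount: int) -> str:
    """Simplified reader CVM selection driven by the CTQ (not the full kernel logic)."""
    if amount <= CVM_REQUIRED_LIMIT:
        return "NO_CVM"
    q = decode_ctq(ctq)
    if q["cdcvm_performed"]:
        return "CDCVM"        # reader trusts the card's claim that the device verified the holder
    if q["online_pin_required"]:
        return "ONLINE_PIN"
    if q["signature_required"]:
        return "SIGNATURE"
    return "NO_CVM"


def run_transaction(amount: int, card_ctq: bytes, tamper: bool,
                    ctq_authenticated: bool) -> Tuple[str, bool]:
    """Card -> (relaying attacker) -> terminal -> issuer; returns (CVM chosen, issuer accepts)."""
    un = b"\x12\x34\x56\x78"  # constructed terminal unpredictable number
    atc = 0x0042              # constructed application transaction counter
    # Card side: the cryptogram covers the CTQ only when the fix is applied.
    card_ac = application_cryptogram(amount, un, atc, card_ctq if ctq_authenticated else None)
    # Attacker in the NFC path may rewrite the CTQ; the cryptogram itself passes through unchanged.
    seen_ctq = mitm_rewrite_ctq(card_ctq) if tamper else card_ctq
    cvm = terminal_cvm(seen_ctq, amount)
    # Issuer side: recompute over what the terminal actually acted on.
    expected = application_cryptogram(amount, un, atc, seen_ctq if ctq_authenticated else None)
    return cvm, hmac.compare_digest(card_ac, expected)


if __name__ == "__main__":
    genuine = b"\x80\x00"  # card asks for online PIN on high-value transactions
    for label, tamper, fixed in [("genuine", False, False),
                                 ("tampered, CTQ unauthenticated", True, False),
                                 ("tampered, CTQ authenticated", True, True)]:
        print(label, run_transaction(100_00, genuine, tamper, fixed))
```

The middle case is the attack: the terminal selects "CDCVM" and the issuer still accepts, because nothing it verifies depends on the CTQ. In the last case the rewrite changes the data under the cryptogram and the transaction is rejected; in the real protocol the equivalent is the terminal rejecting a DDA signature that no longer matches the CTQ it received.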
"Our attack show[ed] that the PIN is useless for Visa contactless transactions [and] revealed surprising differences between the security of the contactless payment protocols of Mastercard and Visa, showing that Mastercard is more secure than Visa," the researchers concluded.
News URL: http://feedproxy.google.com/~r/TheHackersNews/~3/2FDGcEtP3Yg/emv-payment-card-pin-hacking.html