Security News > 2021 > February > New Hack Lets Attackers Bypass MasterCard PIN by Using Them As Visa Card
Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim's Mastercard contactless card while believing it to be a Visa card.
The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a victim's stolen or lost Visa EMV-enabled credit card for making high-value purchases without knowledge of the card's PIN, and even fool the terminal into accepting unauthentic offline card transactions.
Criminals can use it in combination with the previous attack on Visa to also bypass the PIN for Mastercard cards. The cards of this brand were previously presumed protected by PIN.".
Just like the previous attack involving Visa cards, the latest research too exploits "Serious" vulnerabilities in the widely used EMV contactless protocol, only this time the target is a Mastercard card.
At a high level, this is achieved using an Android application that implements a man-in-the-middle attack atop a relay attack architecture, thereby allowing the app to not only initiate messages between the two ends - the terminal and the card - but also to intercept and manipulate the NFC communications to maliciously introduce a mismatch between the card brand and the payment network.
Using the PoC Android app, ETH Zurich researchers said they were able to bypass PIN verification for transactions with Mastercard credit and debit cards, including two Maestro debit and two Mastercard credit cards, all issued by different banks, with one of the transactions exceeding $400. In response to the findings, Mastercard has added a number of countermeasures, including mandating financial institutions to include the AID in the authorization data, allowing card issuers to check the AID against the PAN. Additionally, the payment network has rolled out checks for other data points present in the authorization request that could be used to identify an attack of this kind, thereby declining a fraudulent transaction right at the outset.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/2EndDI02n68/new-hack-lets-attackers-bypass.html