A group of researchers at ETH Zurich has disclosed an authentication flaw in Visa's EMV-enabled payment cards that could allow cybercriminals to defraud cardholders as well as merchants by obtaining funds illegitimately.
According to the researchers, the flaw enables a PIN bypass attack: an attacker can use a stolen or lost credit card to authorize high-value purchases without knowing the card's PIN, and can also trick a point of sale (PoS) terminal into accepting an unauthenticated offline card transaction.
The flaw affects all contactless cards that use the Visa protocol, including Visa Debit and Credit cards, Visa Electron, and V Pay cards, and the researchers also tied it to the EMV protocols implemented by UnionPay and Discover cards. MasterCard and American Express are not impacted by the vulnerability.
How ETH Zurich researchers exploited the flaw to mount a man-in-the-middle (MitM) attack
The international protocol standard for smartcard payment, EMV (short for Europay, MasterCard, and Visa), mandates that larger amounts of money can only be debited from credit cards when a PIN code is used.
However, the process devised by the researchers exploits the flaw in the protocol to mount a man-in-the-middle (MitM) attack using an app that "instructs the terminal that PIN verification is not required because the cardholder verification was performed on the device".
The attack is possible because the Cardholder Verification Method (CVM), which is used to verify that the person attempting a transaction with a credit/debit card is the legitimate cardholder, is not cryptographically protected against modification.
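The effect of leaving the CVM field outside cryptographic protection, as an added example that is not code from the researchers or from the EMV specification. It is a simplified model: an HMAC stands in for the card's authentication data, and the field names, the key and the PIN limit of 50 are assumptions made for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # constructed; stands in for the card's secret
PIN_LIMIT = 50                  # constructed threshold for "high-value"

def tag(fields):
    """Authentication tag over exactly the fields passed in."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(KEY, blob, hashlib.sha256).hexdigest()

def covered(msg, protect_cvm):
    """Select which fields the tag covers (hypothetical field names)."""
    names = ["amount", "cvm_on_device"] if protect_cvm else ["amount"]
    return {n: msg[n] for n in names}

def card_reply(amount, protect_cvm):
    """Card side: a plastic card has not done on-device verification."""
    msg = {"amount": amount, "cvm_on_device": False}
    msg["tag"] = tag(covered(msg, protect_cvm))
    return msg

def altered_in_transit(msg):
    """The modification the article describes: the CVM flag is changed."""
    return {**msg, "cvm_on_device": True}

def terminal_decision(msg, protect_cvm):
    """Verifier side: check the tag first, then apply the PIN rule."""
    if not hmac.compare_digest(tag(covered(msg, protect_cvm)), msg["tag"]):
        return "reject"
    if msg["amount"] > PIN_LIMIT and not msg["cvm_on_device"]:
        return "ask_pin"
    return "approve_without_pin"

if __name__ == "__main__":
    for protect in (False, True):
        honest = card_reply(200, protect)
        changed = altered_in_transit(honest)
        print("CVM covered by tag:", protect,
              "| honest:", terminal_decision(honest, protect),
              "| altered:", terminal_decision(changed, protect))
```

When the flag is outside the tag, the altered message still verifies and the PIN step is skipped; once the flag is covered, the same alteration fails verification and the transaction is rejected.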
How to Mitigate against PIN bypass attacks
The attack scenario proves that the PIN is actually useless for security in Visa contactless transactions, and differences in MasterCard's contactless payment protocol mean that MasterCard is more secure.
Because the flaw violates fundamental security properties such as authentication and guarantees on accepted transactions, the researchers have proposed three software fixes to the protocol to prevent PIN verification bypass attacks, including the use of Dynamic Data Authentication (DDA) to secure high-value online transactions and the use of an online cryptogram in all PoS terminals, which allows offline transactions to be processed online.