Researchers discovered a way to bypass PIN codes for Mastercard and Maestro contactless payments
Exploiting the vulnerability enables the use of stolen Mastercard and Maestro cards to pay for costly items.
A group of experts from Switzerland’s Higher Technical School in Zurich (ETH Zurich) has identified a technique to circumvent PIN security on Mastercard and Maestro contactless cards. Exploiting the vulnerability allows attackers to use stolen Mastercard and Maestro cards to pay for costly items without entering the PIN for contactless payments.
The attack requires a stolen card, two Android smartphones, and a custom Android application that can tamper with the fields of the transaction, so that a MitM (Man-in-the-Middle) attack can be carried out between the card and the terminal. Both smartphones function as emulators and must have the application installed: one smartphone interacts with the card to start the transaction, and the other serves as the card’s emulator, which the fraudster uses to transmit the modified transaction data to a genuine PoS terminal in the shop.
To the PoS terminal operator, the attack looks like a customer paying with a mobile payment app, but in reality the fraudster is submitting modified transaction data taken from the stolen card.
Last year, the research team exploited a similar attack technique to discover a way to circumvent the PIN for Visa contactless payments. The attack has been successfully tested with Visa Credit, Visa Debit, Visa Electron, and V Pay cards by experts.
The ETH Zurich researchers subsequently expanded their study to include circumventing PINs on cards that did not utilize Visa’s contactless payment protocol. As it turned out, contactless payments with Mastercard and Maestro cards were also affected by a similar issue.
The distinction in this scenario is that the PoS terminal is not told that PIN verification succeeded. Instead, the researchers caused the PoS terminal to accept the incoming transaction as if it came from a Visa card rather than from a Mastercard or Maestro card.
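The scenario above hinges on the terminal processing a transaction under one card brand while the account actually belongs to another, and on a high-value payment completing without the PIN the terminal would normally demand. The following is an added example, not code from the article or from the ETH Zurich researchers: a terminal- or acquirer-side consistency check that flags a transaction when the EMV application identifier (AID) the terminal selected disagrees with the issuer prefix of the account number, or when the amount exceeds the contactless cardholder-verification limit without a PIN having been verified. The AID values are the publicly documented ones for Visa, Mastercard and Maestro; the issuer prefixes, the 80 CHF limit and the sample transactions are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Publicly documented EMV application identifiers for the schemes named in the article.
AID_BRAND = {
    "A0000000031010": "visa",        # Visa credit / debit
    "A0000000041010": "mastercard",  # Mastercard credit / debit
    "A0000000043060": "maestro",     # Maestro
}


def brand_from_pan(pan: str) -> Optional[str]:
    """Infer the card scheme from the issuer identification prefix of the PAN.

    Assumption: simplified public ranges (Visa 4xxx, Mastercard 51-55 and
    2221-2720, Maestro 50/56-58/6x). A production check would use the
    acquirer's full BIN table instead.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        return None
    if digits[0] == "4":
        return "visa"
    two, four = int(digits[:2]), int(digits[:4])
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "mastercard"
    if two in (50, 56, 57, 58) or digits[0] == "6":
        return "maestro"
    return None


@dataclass
class Transaction:
    aid: str            # application the terminal selected for this transaction
    pan: str            # account number presented by the card (or emulator)
    amount_chf: float   # transaction amount in Swiss francs
    pin_verified: bool  # whether the terminal obtained a verified PIN


def review_transaction(tx: Transaction, cvm_limit_chf: float = 80.0) -> List[str]:
    """Return a list of findings; an empty list means the transaction is consistent.

    cvm_limit_chf is the assumed amount above which a contactless payment must
    have cardholder verification (PIN) before it is accepted.
    """
    findings: List[str] = []

    kernel_brand = AID_BRAND.get(tx.aid.upper())
    pan_brand = brand_from_pan(tx.pan)
    if kernel_brand is None:
        findings.append(f"unknown AID {tx.aid}")
    elif pan_brand is None:
        findings.append("PAN prefix not recognised")
    elif kernel_brand != pan_brand:
        # The terminal ran one scheme's kernel for another scheme's account:
        # the inconsistency at the heart of the scenario described above.
        findings.append(
            f"AID/PAN brand mismatch: terminal kernel={kernel_brand}, account={pan_brand}"
        )

    if tx.amount_chf > cvm_limit_chf and not tx.pin_verified:
        findings.append(
            f"amount {tx.amount_chf:.2f} CHF exceeds CVM limit {cvm_limit_chf:.2f} CHF without verified PIN"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample transactions (test PANs, not real accounts).
    samples = [
        Transaction("A0000000031010", "4111 1111 1111 1111", 25.0, False),   # ordinary low-value Visa tap
        Transaction("A0000000031010", "5555 5555 5555 4444", 25.0, False),   # Mastercard account, Visa kernel
        Transaction("A0000000041010", "5555 5555 5555 4444", 400.0, False),  # high value, no PIN
    ]
    for tx in samples:
        print(tx.aid, tx.pan, tx.amount_chf, review_transaction(tx) or "OK")
```

A real terminal sees the PAN only after the card application has been selected, so the brand check is best placed in the terminal's post-selection processing or in the acquirer's authorisation pipeline, where the selected AID and the PAN are both available.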
The attack was successfully tested using Mastercard Credit and Maestro cards, with transactions of up to 400 Swiss francs ($439) carried out during the testing.
Mastercard released fixes for the issue earlier this year, but Visa doesn’t seem to have fixed the vulnerability yet.