Second Security Bypass Detected in Credit Cards

After the discovery of a loophole in some credit cards, ETH researchers have now figured out a way to bypass the PIN codes for other payment cards.

Contactless payment is very important, especially during these trying times to help reduce the spread of COVID-19. As extra security, a user has to input a PIN code above a particular amount (usually CHF 80 in Switzerland) — or at least, that’s the theory. Three researchers in the Information Security Group at ETH Zurich were able to show that these security measures can be outsmarted with certain cards.

Researchers could for the first time document how credit cards could be used without a PIN code in summer 2020, using Visa cards. The team have now revealed that another bypass is possible using other types of payment cards like Mastercard and Maestro.

The researchers used methods based on the ‘man-in-the-middle’ principle, where attackers exploit exchanged data between two communicating partners (the card and the card terminal here). To remake this effect, the researchers made use of an Android app created by them and two NFC-enabled mobile phones. The app gave a false signal to the card terminal that a PIN was not required for the payment to be authorized and the identity of the card owner had been identified. This method only worked on Visa cards at first, because other providers used a different protocol (governing data transmission).

At the first glance, the second idea on outsmarting the PIN code verification step looks simple. ‘Our method tricks the terminal into thinking that a Mastercard is a Visa card’, explained Jorge Toro, a worker at the Information Security Group and an author on the research paper. Toro added that the reality was much more complex, because two sessions having to run simultaneously for it to work. The card terminal performs a Visa transaction but the card itself performs a Mastercard transaction. The researchers used these methods on two Mastercard credit cards and two Mastercard debit cards issued by four different banks.

The researchers updated Mastercard immediately after their discovery. They were able to verify that Mastercard’s new defences are effective. ‘It was both enjoyable and exciting to work with the company on this’, explained Toro. Mastercard updated their safeguards and requested that the researchers try their bypass process in the same way again, and this time, it was not successful. The researchers’ new paper will be presented with a full overview of the method at the USENIX Security ’21 symposium in August.

The security issues discovered in contactless payment cards are mainly because of EMV, an international protocol standard that is applicable to such cards. Errors in logic within sets of rules like this are not easy to detect, particularly since standard is more than 2,000 pages in length. The ETH researchers reiterated on their project website that systems like these must be reviewed frequently and automatically, because the process is a bit too complex for humans.

By Marvellous Iwendi.

Source: ETH Zurich