Topic Actions

Topic Search

Who is online

Users browsing this forum: No registered users and 3 guests

Major security flaw in VISA contactless payment

For anyone who might want to have a side conversation...you're welcome here!
Major security flaw in VISA contactless payment
Post by aairfccha   » Fri Aug 28, 2020 2:43 pm

aairfccha
Commander

Posts: 199
Joined: Tue Apr 08, 2014 3:03 pm

https://arxiv.org/pdf/2006.08249.pdf

Using our model, we identify a critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification. We developed a proof-of-concept Android application that exploits this to bypass PIN verification by mounting a man-in-the-middle attack that instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer’s device (e.g., a mobile phone). This enables criminals to use any stolen Visa card to pay for expensive goods without the card’s PIN. In other words, the PIN is useless in Visa contactless transactions!
We have successfully tested our PIN bypass attack on real-world terminals...


Oops... :shock: Better get an EM-shielded sleeve for your credit card until the software fix for the sales terminals is rolled out.
Top
Re: Major security flaw in VISA contactless payment
Post by Joat42   » Mon Aug 31, 2020 6:22 am

Joat42
Vice Admiral

Posts: 1817
Joined: Tue Apr 16, 2013 6:01 am
Location: Sweden

aairfccha wrote:https://arxiv.org/pdf/2006.08249.pdf

Using our model, we identify a critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification. We developed a proof-of-concept Android application that exploits this to bypass PIN verification by mounting a man-in-the-middle attack that instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer’s device (e.g., a mobile phone). This enables criminals to use any stolen Visa card to pay for expensive goods without the card’s PIN. In other words, the PIN is useless in Visa contactless transactions!
We have successfully tested our PIN bypass attack on real-world terminals...


Oops... :shock: Better get an EM-shielded sleeve for your credit card until the software fix for the sales terminals is rolled out.

Which is a good idea in general since there are more and more cards that have some kind of RFID on them.

---
Jack of all trades and destructive tinkerer.


Anyone who have simple solutions for complex problems is a fool.
Top

Return to Free-Range Topics...