EMV Contactless Payment Card Flaw Facilitates PIN BypassContactless Cards From Visa and Others at Risk, Researchers Warn
A "critical" flaw in how contactless cards from Visa - and potentially other issuers - have implemented the EMV protocol can be abused to launch a "PIN bypass attack," researchers warn. But Visa says the exploits would be "impractical for fraudsters to employ" in real-world attacks.
A team of security researchers from the Department of Computer Science at Zurich's Swiss Federal Institute of Technology, aka ETH Zurich, say they have identified a flaw in the EMV - for Europay, Mastercard and Visa - protocol used by contactless payment cards, that can be exploited by an attacker to bypass having to use a PIN code to complete a high-value transaction.
More than 9 billion EMV cards have been issued worldwide. As of December 2019, more than 80% of all card-present transactions globally used EMV, reaching up to 98% in many European countries.
"There are six EMV contactless protocols and each of them corresponds to one of the card brands: Mastercard, Visa, American Express, JCB, Discover and UnionPay," the researchers say in a post to GitHub that details their research. "Our PIN bypass attack applies to the Visa protocol and - possibly - the Discover and the UnionPay ones, but we have not tested these two in practice."
Not all contactless cards, however, offer the ability to use a PIN. In the U.S., for example, most EMV cards, even with contactless capabilities, do not use PINs to protect transactions - which security experts say is a more secure approach - but instead rely on cashiers to verify signatures (see: EMV Rollout: Are We There Yet?).
The flaw found by the researchers can be used for "a PIN bypass attack for transactions that are presumably protected by cardholder verification, typically those whose amount is above a local PIN-less upper limit," they say. This upper limit varies by country, but is currently 80 Swiss francs ($87.30) in Switzerland, £45 ($59.30) in the U.K. and €50 ($59) in France. Those upper limits had been raised earlier this year, partly in response to the ongoing COVID-19 pandemic and many consumers preferring contactless payments to using cash.
Due to the flaw, however, attackers could render those upper limits moot. "This means that your PIN won't prevent criminals from using your Visa contactless card to pay for their transaction, even if the amount is above the mentioned limit," the researchers say. "To carry out the attack, the criminals must have access to your card, either by stealing it [or] finding it if lost, or by holding an NFC-enabled phone near it."
The researchers notified Visa about the flaws as well as recommended mitigations. Officials at the card brand say they're aware of the research, but see the flaws posing little if any real threat to cardholders or issuers.
A spokeswoman tells Information Security Media Group: "Visa takes all security threats to payments seriously, and we appreciate industry and academic efforts to harden payment security. Consumers should continue to use their Visa cards with confidence."
Demonstration Uses Custom-Built Android App
The ETH Zurich researchers have created a proof-of-concept Android app to demonstrate how the flaw could be exploited in the wild. "Our app implements man-in-the-middle (MITM) attacks on top of a relay attack architecture," they say. "The MITM attacks modify the terminal's commands and the card's responses before delivering them to the corresponding recipient."
The MITM attack "instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer's device (e.g., a mobile phone)," according to the researcher's "The EMV Standard: Break, Fix, Verify" report.
"This enables criminals to use any stolen Visa card to pay for expensive goods without the card's PIN. In other words, the PIN is useless in Visa contactless transactions," the researchers say.
The researchers are due to present their findings at the 42nd IEEE Symposium on Security and Privacy, to be held in May 2021 in San Francisco.
The researchers tested their findings by making purchases in brick-and-mortar stores, using their own credit and debit cards.
"For example, we performed a transaction of [about] $190 in an attended terminal in an actual store. As it is now common for consumers to pay with their smartphones, the cashier cannot distinguish the attacker's actions from those of any legitimate cardholder," the researchers say.
"Our attack shows that the PIN is useless for Visa contactless transactions. As a result, in our view, the liability shift from banks to consumers or merchants is unjustified for such transactions; Banks, EMVCo, Visa or some entity other than the consumer or merchant should be liable for such fraudulent transactions," the researchers say.
The ETH Zurich researchers have suggested and verified fixes that can be deployed on existing card-reading terminals to prevent current and future attacks. They note that these fixes do not require changes to the EMV standard itself or any consumer cards currently in circulation, and thus could be deployed by software updates to terminals.
Additional Card Vulnerability
In addition to the PIN bypass vulnerability, researchers discovered another security flaw impacting both Mastercard and Visa cards.
"Our symbolic analysis also reveals that in an offline contactless transaction with a Visa or an old Mastercard card, the card does not authenticate to the terminal the application cryptogram, which is a card-produced cryptographic proof of the transaction that the terminal cannot verify, but only the card-issuing bank can," the researchers say.
Criminals could potentially exploit this vulnerability to trick a terminal into accepting an unauthentic, offline transaction. Later on, when the acquirer submits the transaction data as part of the clearing record, the issuing bank would detect that the incorrect cryptogram was used, but by then the criminal would already be long gone with the goods.
'Impractical for Fraudsters to Employ'
Visa declined to comment on which specific mitigations it might put in place as a result of the researchers' findings.
But the card brand says it considers the real-world risk posed by these flaws to be very low. "Variations of staged fraud schemes against contactless payments have been studied for nearly 10 years. In that time there have been no reports of such fraud globally," Visa's spokeswoman tells ISMG. "Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world."
The card brand also points to declining rates of contactless fraud. "In Europe, contactless fraud rates have not risen and continue to remain extremely low," the spokeswoman says.
"In fact, the Visa contactless fraud rate fell 21% in 2019 compared to 2018. Even with the recent increases in contactless payments this year, fraud values are down just under 40% during the lockdown period," she says, comparing the middle of March through the end of May, with the pre-lockdown period.
Principal Correspondent Prajeet Nair contributed to this report.