Experts demonstrate the PIN is useless in EMV contactless transactions

Researchers with ETH Zurich have identified vulnerabilities in the implementation of the payment card EMV standard that can allow bypassing PIN verification

Researchers David Basin, Ralf Sasse, and Jorge Toro-Pozo from the department of computer science at ETH Zurich discovered multiple vulnerabilities in the implementation of the payment card EMV standard that allow hackers to carry out attacks targeting both the cardholder and the merchant.

The vulnerabilities could be exploited by attackers to bypass the PIN verification on Visa contactless transactions.

EMV is a payment method based upon a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV originally stood for “Europay, Mastercard, and Visa”, the three companies which created the standard. EMV cards are smart cards, also called chip cards, integrated circuit cards, or IC cards which store their data on integrated circuit chips, in addition to magnetic stripes for backward compatibility.

EMV is currently being used in over 9 billion cards worldwide and in over 80% of card-present transactions worldwide.

The researchers have built a symbolic model in Tamarin and identified logical flaws that open the doors to two attacks that both the cardholder or the merchant.

The first attack can allow threat actors to make purchases even without knowing the card’s PIN, using a mobile device to make the payment. The boffins also created a proof-of-concept Android app to show the attack.

In the second attack, the researchers demonstrated how to trick a terminal into accepting an unauthentic offline transaction that would later be declined.

“First, criminals can use a victim’s Visa contactless card for high-value purchases, without knowledge of the card’s PIN.” reads the research paper.

“Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods.”

The three most relevant properties behind the EMV standard are:

• Bank accepts every transaction accepted by terminals, this means that no transaction accepted by the terminal can be declined by the bank.
• Authentication to the terminal: All transactions accepted by the terminal are authenticated by the card and, if authorized online, the bank.
• Authentication to the bank: All the transactions accepted by the bank are authenticated by the card and the terminal.

The model proposed by the researchers revealed that the cardholder verification method is not authenticated, that doesn’t use cryptography to prevent modification, thus allowing for PIN verification bypass using a specially crafted Android application.

The app developed by the experts launches a man-in-the-middle attack, attempting to trick the terminal that PIN verification was performed on the consumer’s device and is no longer required. Researchers pointed out that an attacker could use stolen Visa cards for contactless transactions, even without knowing their card’s PIN.

“We developed a proof-of-concept Android application that exploits this to bypass PIN verification by mounting a man-in-the-middle attack that instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer’s device (e.g.,
a mobile phone).” continues the paper. “This enables criminals to use any stolen Visa card to pay for expensive goods without the card’s PIN. In other words, the PIN is useless in Visa contactless transactions!”

The experts successfully tested their PIN bypass attack on real-world terminals for a number of transactions with Visa-branded cards (i.e. Visa Credit, Visa Electron, and VPay cards).

“As it is now common for consumers to pay with their smartphones, the cashier cannot distinguish the attacker’s actions from those of any legitimate cardholder,” adds the paper.

Boffins also discovered that using a Visa or an old Mastercard card in offline contactless transactions, the card doesn’t authenticate to the terminal the Application Cryptogram (AC), this means that the terminal can be tricked into accepting an unauthentic offline transaction. In this attack scenario, the wrong cryptogram would be identified only when the acquirer submits the transaction data.

The researchers only used their own cards to perform the experiments, they reported their findings to VISA along with mitigations for the banks and Visa. Experts pointed out that the proposed fixes do not require changes to the EMV standard itself.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, EMV)

[adrotate banner=”5″]

[adrotate banner=”13″]