Boffins show PIN bypass attack Mastercard and Maestro contactless payments

Pierluigi Paganini August 28, 2021

Boffins from the Swiss ETH Zurich university demonstrated a PIN bypass attack on contactless cards from Mastercard and Maestro.

A group of researchers from the Swiss ETH Zurich university has discovered a vulnerability that allowed them to bypass PIN codes on contactless cards from Mastercard and Maestro.

Technically, the researchers performed a Man-in-the-Middle (MitM) attack between a stolen card and the merchant’s Point-of-Sale (PoS) terminal.

In a real attack scenario, crooks could use a victim’s contactless card to make expensive purchases without knowing the card’s PIN.

“Concretely, the attacker fools the terminal into believing that the card being used is a Visa card and then applies the recent PIN bypass attack that we reported on Visa.” state the researchers. “We have built an Android application and successfully used it to carry out this attack for transactions with both Mastercard debit and credit cards, including a transaction for over 400 USD with a Maestro debit card. Finally, we extend our formal model of the EMV contactless protocol to machine-check fixes to the issues found.”

The attack was implemented using two Android smartphones (supporting NFC and running Android 4.4 KitKat or later) that were connected through a relay channel built using TCP/IP server-client communication over WiFi. One phone runs an app in POS Emulator mode and the other phone runs the app developed by the researchers in Card Emulator mode. The device running in Card Emulator mode must support Android’s host-based card emulation so that the phone can launch the NFC payment service implemented by the researchers’ app. The man-in-the-middle functionality runs on the POS Emulator device while the Card Emulator acts as the proxy for the relay channel.

The attack scenario is simple: the attackers place the PoS emulator device near the card in order to trick the card into initiating a transaction and capture the transaction details, while the card emulator is used by crooks to feed modified transaction details to a real-life PoS terminal inside a store.

[Image: Maestro PIN bypass]
Setup of the testing environment for our proof-of-concept implementation, displaying the following devices: (1) SumUp Plus Card Reader, (2) mobile phone running the SumUp app and connected over Bluetooth to the SumUp reader, (3) Android phone running our app in Card Emulator mode, (4) Android phone running our app in POS Emulator mode, and (5) contactless card. Note that the device (2) is not part of the attacker’s equipment since in an actual store this device and (1) would be the payment terminal. In this scenario, the devices (3) and (4) would be the attacker’s equipment and (5) would be the victim’s card.

Last year, the same team of researchers devised a method to bypass PINs on Visa contactless payments. That technique is part of this new attack: once the terminal has been fooled into believing that the card being used is a Visa instead of a Maestro, the Visa bypass is applied.

The researchers successfully tested the attack against Visa Credit, Visa Debit, Visa Electron, and V Pay cards, completing transactions of an amount above the PIN requirement limit for Swiss banks.

Below is one of the slides prepared by the researchers to show the PIN bypass attack:

[Image: Maestro PIN bypass 2]

The PoS operator of the store could not detect the attack; from his perspective, the customer is paying with his mobile payments app. In reality, the crook is using modified transaction details obtained from a stolen card.

Unlike the attack against Visa cards, the new PIN bypass attack tricks the PoS terminal into thinking that the incoming transaction comes from a Visa card instead of a Mastercard/Maestro card. To achieve this result, the boffins replaced the card’s legitimate Application Identifier (AID) with Visa’s AID: A0000000031010.

Then experts used the 2020 Visa attack to make the payment without providing a PIN.
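A defender-side view of the AID swap described above, as an added example that is not code from the researchers or the card schemes: a consistency check that compares the brand implied by the AID reported for a transaction with the brand implied by the card number. The record fields (`id`, `aid`, `bin`), the simplified prefix table and the sample records are assumptions constructed for illustration.

```python
# Added example: flag transactions whose AID brand disagrees with the card number's brand.
VISA_RID = "A000000003"        # RID (first 5 bytes) of the Visa AID quoted in the article
MASTERCARD_RID = "A000000004"  # RID shared by Mastercard and Maestro AIDs
RID_TO_SCHEME = {VISA_RID: "visa", MASTERCARD_RID: "mastercard"}

# Simplified issuer-prefix table (assumption): real systems use the schemes' BIN tables.
MAESTRO_PREFIXES = ("5018", "5020", "5038", "5893", "6304", "6759", "6761", "6762", "6763")

def scheme_from_aid(aid):
    """Map an AID (5-byte RID + PIX, hex encoded) to a scheme, or None if malformed/unknown."""
    aid = aid.replace(" ", "").upper()
    well_formed = 10 <= len(aid) <= 32 and len(aid) % 2 == 0
    if not well_formed or any(c not in "0123456789ABCDEF" for c in aid):
        return None
    return RID_TO_SCHEME.get(aid[:10])

def scheme_from_bin(bin6):
    """Map the leading digits of a card number to a scheme, or None if unknown."""
    if not (bin6.isascii() and bin6.isdigit() and len(bin6) >= 6):
        return None
    if bin6[0] == "4":
        return "visa"
    if bin6.startswith(MAESTRO_PREFIXES):
        return "mastercard"  # Maestro is grouped with Mastercard (same RID)
    if 51 <= int(bin6[:2]) <= 55 or 2221 <= int(bin6[:4]) <= 2720:
        return "mastercard"
    return None

def check(record):
    """Return 'ok', 'brand_mismatch', or 'unknown' for one authorization record."""
    aid_scheme = scheme_from_aid(record["aid"])
    pan_scheme = scheme_from_bin(record["bin"])
    if aid_scheme is None or pan_scheme is None:
        return "unknown"  # route to manual review rather than silently passing
    return "ok" if aid_scheme == pan_scheme else "brand_mismatch"

def flag_mismatches(records):
    return [r["id"] for r in records if check(r) == "brand_mismatch"]

# Constructed sample records (test-style prefixes, not real cards).
SAMPLE = [
    {"id": "t1", "aid": "A0000000031010", "bin": "411111"},  # Visa AID, Visa prefix
    {"id": "t2", "aid": "A0000000041010", "bin": "555555"},  # Mastercard AID, Mastercard prefix
    {"id": "t3", "aid": "A0000000031010", "bin": "675964"},  # Visa AID, Maestro prefix
    {"id": "t4", "aid": "A0000000043060", "bin": "675964"},  # Maestro AID, Maestro prefix
    {"id": "t5", "aid": "A00000", "bin": "411111"},          # truncated AID
]

if __name__ == "__main__":
    print(flag_mismatches(SAMPLE))
```

Record `t3` reproduces the pattern the article describes, a Maestro card number arriving under Visa's AID, and is the only one flagged.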

The researchers published a video PoC of the attack:

The researchers successfully tested this attack with Mastercard Credit and Maestro cards. They also attempted to pay with a Mastercard card in a Discover and a UnionPay transaction, as these two kernels are similar to the Visa kernel, but failed to execute the attack.

The happy ending is that Mastercard already addressed the issue early this year, but Visa has yet to fix the PIN bypass bug.
