Academics Bypass PINs for Mastercard and Maestro Contactless Payments (therecord.media)

A team of scientists from a Swiss university has discovered a way to bypass PIN codes on contactless cards from Mastercard and Maestro. From a report: The now-patched vulnerability would have allowed cybercriminals to use stolen Mastercard and Maestro cards to pay for expensive products without needing to provide PINs on contactless payments. Discovered by a team from the Department of Computer Science at the ETH Zurich university, the attack is extremely stealthy and could be easily deployed in a real-world scenario if new bugs in contactless payment protocols are discovered. The general idea behind the attack is for an attacker to interpose itself between the stolen card and a vendor's Point-of-Sale (PoS) terminal, in what security researchers would normally call a Man/Person/Meddler-in-the-Middle (MitM) scenario.

To achieve this, an attacker would require: a stolen card, two Android smartphones, and a custom-made Android app that can tamper with a transaction's fields. The app is installed on both smartphones, which will act as emulators. One smartphone will be placed near the stolen card and act as a PoS emulator, tricking the card into initiating a transaction and sharing its details, while the second smartphone will act as a card emulator and be used by a crook to feed modified transaction details to a real-life PoS terminal inside a store.

  • by ShanghaiBill ( 739463 ) on Friday August 27, 2021 @03:46PM (#61736583)

    Americans are unaffected because our CCs don't have PINs.

    You don't have to worry about someone picking the lock on your front door if your front door has no lock.

    • by gweihir ( 88907 )

      Heheheh, made me LOL.

    • The joke here is actually on Europeans.

      Because EU chip plus PIN security is considered impregnable, when the PIN is compromised the customer is held responsible; if the US chip plus signature is defrauded, the card issuer has to pay.

  • So basically (Score:3, Insightful)

    by guruevi ( 827432 ) on Friday August 27, 2021 @03:47PM (#61736589)

    Extending the signal by using smartphone NFC circuitry as a VPN between locations.

    I thought this was already possible with bespoke electronics and could be done even at a distance with a construction similar to a Bluetooth gun.

    Passing a communication once obtained is very simple. If NFC payments do not require any other form of authentication, then this will always be possible, even with smart driver's licenses and passports.

  • by LagDemon ( 521810 ) on Friday August 27, 2021 @04:15PM (#61736695) Homepage
    The bigger news is that this exploit worked by tricking the POS terminal into thinking the card was a Visa card, and using a still unpatched vulnerability to bypass PIN checks.

    In other words, Visa cards are still vulnerable and Visa users can do nothing to protect any card they have with wireless capability, except for keeping their card in a faraday cage at all times.
    • by JaredOfEuropa ( 526365 ) on Friday August 27, 2021 @05:44PM (#61736977) Journal
      Even more interesting: do you actually need to steal the card? What about holding one phone to the wallet in someone's pocket in a busy subway, while your accomplice uses the other phone to pay for some expensive item?

      This relaying trick is used by thieves to break into cars with keyless entry; one guy points a high gain antenna at the car keys lying on a side table inside the house, relaying to a second guy standing near the car. Auto makers have gotten wise to this trick, and some cars now check for delays incurred by the relay. I wonder if NFC POS terminals do the same; on the whole they are rather primitive affairs.
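The delay check raised in the comment above, sketched from the terminal's side as an added example (not part of the thread, the article, or any payment kernel's code). `TimingClaim`, `check_relay`, the `link_ms` and `grace_ms` values and the sample timings are all hypothetical, and the card's timing claim is assumed to be authenticated by the card.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TimingClaim:
    # Hypothetical: processing-time bounds the card reports, assumed to be
    # covered by the card's transaction signature so a relay cannot edit them.
    min_ms: float
    max_ms: float

def check_relay(rtts_ms, claim, link_ms=1.0, grace_ms=2.0, min_rounds=3):
    """Classify timed challenge/response rounds measured by the terminal.

    rtts_ms  : round-trip time of each round, one fresh nonce per round
    link_ms  : expected NFC transmission time per round (assumed value)
    grace_ms : jitter tolerated on a direct link (assumed value)
    """
    if len(rtts_ms) < min_rounds:
        return "insufficient-data"
    if claim.min_ms < 0 or claim.min_ms > claim.max_ms:
        return "bad-claim"
    # A relay adds latency to every round, so even the fastest round stays
    # slow; jitter on a direct link only slows some of the rounds.
    fastest = min(rtts_ms) - link_ms
    if fastest < claim.min_ms:
        return "too-fast"          # sooner than the card says it can answer
    if fastest > claim.max_ms + grace_ms:
        return "relay-suspected"
    return "ok"

# Constructed sample timings in milliseconds (not measurements).
CLAIM = TimingClaim(min_ms=3.0, max_ms=6.0)
DIRECT = [6.1, 5.4, 7.9, 5.6]       # card held at the terminal
JITTERY = [5.5, 30.0, 5.8]          # one slow round on a direct link
RELAYED = [48.2, 51.7, 46.9, 60.3]  # two phones and a network hop in between
TOO_FAST = [2.0, 2.1, 2.2]          # answers arrive before the card could compute

if __name__ == "__main__":
    for name, rtts in [("direct", DIRECT), ("jittery", JITTERY),
                       ("relayed", RELAYED), ("too fast", TOO_FAST)]:
        print(f"{name:9s} {check_relay(rtts, CLAIM)}")
```

A timing bound only addresses the relay itself; it does nothing about modified transaction fields unless those fields are also authenticated.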
  • > The general idea behind the attack is for an attacker to interpose itself between the stolen card and a vendor's Point-of-Sale (PoS) terminal, in what security researchers would normally call a Man/Person/Meddler-in-the-Middle (MitM) scenario.
    • I wonder what the protocol actually is. PINs have very little entropy. So unless something like Secure Remote Password is used they would be very vulnerable to brute force attacks. And I doubt they use SRP. But then again I wonder if the PIN is actually on the card, why would it be? And why sent? Surely chipped cards would have a decent secret, ideally public key based.

  • I have never in my life heard of using a PIN with a contactless transaction. The whole point of contactless transactions is they are quick and simple and instant. As such they require no PIN, and are also capped at $100 - $200 depending on bank.

    What would be the purpose of contactless + PIN? I am saving no time over Chip + PIN.

    • I used to work in this field in the late 1990s.

      Banks can configure the credit card terminal:
      - to reject transactions over amount A (avoids thieves sucking your account dry in one go)
      - to require a PIN over amount B (allows quick transactions for small amounts)
      - to require a connection to the bank host over amount C (allows small transactions when the phones are out)
      Amounts A, B, C are independent but usually 0=C=B=A

      Different banks set different amounts for each.
      They can even set them different according to

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...