A new loophole has been discovered in the MasterCard network. By passing a card for a Visa, it is possible to bypass the entry of the PIN code and make contactless payments of several thousand euros. MasterCard indicated that it has already updated its network to block this technique.
Modern bank cards are secure thanks to their chip which requires the entry of a PIN code to validate the payment. However, to simplify the payment of small amounts, banks have implemented contactless payment, using the NFC standard. This function is normally limited to a few tens of euros, but a new discovered flaw in the MasterCard network makes it possible to reach the conventional payment limits, which are potentially several thousands of euros.
Researchers at the Swiss Federal Institute of Technology in Zurich have succeeded in combining two flaws in order to achieve regulations exceeding the contactless payment ceiling with a MasterCard, without having to enter a code. To do this, they pass the MasterCard as a Visa, then exploit a loophole in the Visa cards, unveiled in August last year, which allows them to bypass the PIN code.
An attack based on a Visa card flaw
Concretely, this attack requires physical access to the card and two NFC-enabled smartphones. Thanks to a special application, the two smartphones communicate with each other via Wi-Fi, and transmit falsified information to the payment terminal and to the card. The Identify application (AID) of the card is first replaced by a Visa application. The researchers then modify the Card Transaction Qualifiers (CTQ), information transmitted to the payment terminal, to indicate that the PIN code is not needed and that the card has already been checked on the user’s device, such as Google Pay or Apple Pay. The payment is then accepted, within the limits of the card, up to several thousand euros.
According to the researchers, this same technique could be used against Japanese JCB cards as well as American Express cards. MasterCard was notified and updated its network to block this flaw.