The vulnerability exposed by the Swiss researchers enables fraudsters to obtain funds from cards that have been lost or stolen even though the amounts are supposed to be validated by entering a PIN code. The issue is only present on Visa credit and debit cards even though Visa is part of the EMV organization that draws up standards for credit and debit cards, the researchers state.
Other companies, such as Mastercard, American Express and JCB, don’t use the same protocol as Visa, so these cards are not affected by the security loophole. However, the flaw may also apply to the cards issued by Discover and UnionPay, which use a protocol similar to Visa’s.
The researchers' method was to develop an Android application that reads data from the credit card chip and exchanges messages with payment terminals, and to install it on two NFC-enabled mobile phones.
To obtain funds, the first mobile phone is used to scan the credit card details and transfer them to the second phone. The second phone is used at the same time to debit an amount at the checkout – as is often done – while buying an item below the PIN security limit. Because the app declares that the customer is the authorised user of the credit card, the vendor approves the fraudulent payment even though the amount being drawn is over the limit and requires PIN verification.
“The scam works with debit and credit cards issued in different countries in a range of currencies,” said Jorge Toro Pozo, one of the researchers.
The researchers have already alerted Visa to the vulnerability, at the same time proposing a specific solution that does not require that Visa cards are replaced. “Three changes should be made to the protocol, which could then be installed in the payment terminals with the next software update,” Toro Pozo added.
Visa in Belgium and Luxembourg provided the following statement: “Visa takes all security threats to payments seriously, and we appreciate industry and academic efforts to harden payment security.
Consumers should continue to use their Visa cards with confidence. Variations of staged fraud schemes against contactless payments have been studied for nearly 10 years. In that time there have been no reports of such fraud. Research tests may be reasonable to simulate, but these types of schemes have proved to be impractical for fraudsters to employ in the real world.
Contactless cards are very secure. Using the same secure technology as EMV Chip, contactless cards are extremely effective in preventing counterfeit fraud by using a one-time use code that prevents compromised data from being re-used for fraud.”
The ETH researchers plan to present their findings at the IEEE Symposium on Security and Privacy in 2021.