Updated: Visa contactless card vulnerability exposed

September 01, 2020 //By Peter Clarke
Swiss researchers show Visa bank cards are insecure
A team of researchers from ETH Zurich has exposed a loophole around the use of a personal identification number (PIN) to secure payments made on Visa credit and debit cards.

The vulnerability exposed by the Swiss researchers enables fraudsters to obtain funds from cards that have been lost or stolen even though the amounts are supposed to be validated by entering a PIN code. The issue is only present on Visa credit and debit cards even though Visa is part of the EMV organization that draws up standards for credit and debit cards, the researchers state.

Other companies, such as Mastercard, American Express and JCB, don't use the same protocol as Visa, so these cards are not affected by the security loophole. However, the flaw may also apply to the cards issued by Discover and UnionPay, which use a protocol similar to Visa's.

The researchers developed an Android application that reads data from the credit card chip and exchanges information with payment terminals, and installed it on two NFC-enabled mobile phones.

To obtain funds, the first mobile phone is used to scan the credit card details and transfer them to a second phone. The second phone is used at the same time to debit an amount at the checkout – as is often done – while buying an item below the PIN security limit. As the app declares that the customer is the authorised user of the credit card, the vendor approves the fraudulent payment even though the amount being drawn down is over the limit and requires PIN verification.
