Visa EMV cards: PIN authorization for NFC payment bypassed

[German]Paying with a Visa credit card via NFC is usually PIN-secured above certain limit. However, researchers have now succeeded in cracking Visa EMC cards via NFC connections, making it possible to make payments without PIN authorization. Here is a brief overview of what is happening.


Advertising

Security researchers from ETH Zurich describe the attack on the EMV payment standard in the document The EMV Standard: Break, Fix, Verify and have demonstrated the whole thing on Visa’s Visa credit cards with NFC pay. 

The EMV Standard

EMV is the worldwide used standard for payment with chip cards. The standard was developed in the mid-1990s and named after its founders Europay, Mastercard and Visa. In December 2019 more than 80% of all card transactions worldwide used EMV, in many European countries even up to 98% were reached. Banks have a strong incentive to introduce EMV because of the shift in liability. If a disputed transaction is authorized by a PIN, the consumer is liable. If a paper signature was used to authorize the transaction, the bank is liable.

In addition to the shift of liability, the global acceptance of EMV cards is also attributed to their claimed security. Unfortunately, security is such a problem, as it has been questioned several times in recent years. There have been Man-in-the-Middle (MITM) attacks, copied EMV cards and other successful attacks. .

Hacking the Visa PIN for NFC payment

David Basin, Ralf Sasse and Jorge Toro from ETH Zurich have now been able to show how easy it is to bypass the PIN request for authorizing NFC payments with Visa cards. As a result, payments above the limit, which requires a PIN for transactions via EMV cards, are possible without entering a PIN. To carry out the attack, the criminals must have access to the EMV card. This can be a stolen or lost EMV card. However, an NFC-capable smartphone could also be used, which is held against the EMV card.

The security researchers describe their attack in addition to the PDF document above in this article on Github. To show how easy it is to exploit the vulnerabilities found, the researchers have developed a proof-of-concept android application. The application implements man-in-the-middle attacks on a relay attack architecture (see the following scheme). The researchers’ Android app requires neither root privileges nor any fancy hacks on Android, and has been successfully deployed on Pixel and Huawei devices.

Attack on VISA EMV cards
(Attack on VISA EMV cards)


Advertising

The outermost devices are the real payment terminal (left) and the victim’s contactless card (right). The phone near the payment terminal is the attacker’s card emulation device and the phone near the victim’s card is the attacker’s POS emulation device. The attacker’s devices communicate with each other via WiFi and with the terminal and card via NFC.

With this constellation, the security researchers were able to authorize payments via NFC without PIN entry, which was above the payment limit above which PIN entry is required (in Switzerland, the current limit is 80 francs). The attack consists of the modification of a card-based data object – the Card Transaction Qualifier – before it is transferred to the terminal. The modification instructs the terminal that:

  • a PIN verification is not required, and
  • the cardholder has been verified on the consumer’s device (e.g. a smartphone)

This attack allows criminals to make purchases beyond the PIN-less limit with a victim’s contactless NFC card without knowing the card’s PIN. The following YouTube video demonstrates this attack. Technical details can be found in the PDF document linked above.

(Source: YouTube)

There would be a simple fix to fix the vulnerability without having to replace the cards. However, the incident shows how insecure the whole payment system is and then liability was shifted unilaterally from the banks to the consumers by assigning a (levered out) PIN.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *