How To Bypass Credit Card Pin
A group of researchers from a Swiss university has unveiled a method for bypassing PIN codes on contactless cards issued by Mastercard and Maestro. The security flaw, which has since been patched, had the potential to enable cybercriminals to utilize stolen Mastercard and Maestro cards for high-value transactions without requiring PIN input during contactless payments.
The Attack Overview
Discovered by a team from the Department of Computer Science at ETH Zurich University, this attack was highly stealthy and could have been deployed in real-world scenarios if vulnerabilities in contactless payment protocols were discovered. Security researchers often call this kind of attack a Man/Person/Meddler-in-the-Middle (MitM) scenario: the attacker positions themselves between a stolen card and a vendor’s Point-of-Sale (PoS) terminal.
To execute this attack, the following components were necessary:
- A stolen card
- Two Android smartphones
- A custom Android app capable of manipulating transaction details
Both smartphones would serve as emulators. One would mimic a PoS terminal, positioned close to the stolen card, inducing it to initiate a transaction and share its details. The second smartphone would function as a card emulator, enabling the attacker to feed modified transaction details into an actual PoS terminal located within a store.
From the perspective of the PoS operator, the attack appeared as if a customer was using their mobile payments app. In reality, the attacker was supplying modified transaction details acquired from a stolen card.
Previous Visa PIN Bypass (2020)
This research team employed a similar attack scheme in the previous year when they identified a method to bypass PINs for Visa contactless payments. They successfully intercepted Visa contactless payment details and then manipulated transaction information to convince the PoS terminal that PIN verification and card owner identity confirmation had already occurred on the device. Consequently, the PoS terminal didn’t need to perform these checks.
Although this attack seemed too good to be true, the researchers conducted real-world tests with various Visa cards, including Visa Credit, Visa Debit, Visa Electron, and V Pay cards, completing transactions exceeding the Swiss banks’ PIN requirement limit of 200 Swiss francs.
Mastercard and Maestro PIN Bypass (2021)
Building on their earlier findings, the ETH Zurich team continued their research, focusing on bypassing PINs for other types of cards that didn’t use the Visa contactless payments protocol. In their research paper published in February and presented at the USENIX security conference, they identified a similar vulnerability in contactless payments made with Mastercard and Maestro cards.
In this attack, instead of falsely confirming PIN verification, the researchers tricked the PoS terminal into believing that the incoming transaction originated from a Visa card, not Mastercard/Maestro. They accomplished this by replacing the card’s legitimate Application Identifier (AID) with Visa’s AID: A0000000031010. This activated the PoS terminal’s Visa-specific kernel, which then reached out to the issuing bank for card verification. At this point, the attacker executed the same Visa attack as before, completing a transaction without providing a PIN.
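The AID substitution described above leaves an inconsistency that a back-end can test for: the AID names one card brand while the card number belongs to another. The following is an added example of such a consistency check, not the researchers' code and not Mastercard's actual fix; it assumes the transaction data is available as flat EMV BER-TLV bytes with the standard tags 84 (AID) and 5A (PAN), and the brand-from-PAN rule and sample records are simplified, constructed assumptions.

```python
# Added example: brand-consistency check over EMV TLV data (hypothetical helper names).
RID_BRAND = {"A000000003": "visa", "A000000004": "mastercard"}  # RID = first 5 AID bytes

def parse_tlv(data: bytes) -> dict:
    """Parse a flat run of BER-TLV objects (1- or 2-byte tags) into {tag_hex: value}."""
    out, i = {}, 0
    while i < len(data):
        tag = data[i:i + 1]
        i += 1
        if tag[0] & 0x1F == 0x1F:      # low 5 bits all set: tag continues in next byte
            tag += data[i:i + 1]
            i += 1
        if i >= len(data):
            raise ValueError("truncated TLV: missing length")
        length = data[i]
        i += 1
        if length & 0x80:              # long form: low 7 bits = count of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated TLV: value runs past end of buffer")
        out[tag.hex().upper()] = data[i:i + length]
        i += length
    return out

def pan_brand(pan: str) -> str:
    """Simplified brand guess from leading digits (assumption; real systems use BIN tables)."""
    if pan.startswith("4"):
        return "visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    return "unknown"                   # e.g. Maestro ranges are not modelled here

def brand_mismatch(record: bytes) -> bool:
    """True when the brand implied by the AID (tag 84) disagrees with the PAN (tag 5A)."""
    tlv = parse_tlv(record)
    aid_brand = RID_BRAND.get(tlv["84"][:5].hex().upper(), "unknown")
    card_brand = pan_brand(tlv["5A"].hex().rstrip("fF"))  # PAN is BCD, F-padded
    return "unknown" not in (aid_brand, card_brand) and aid_brand != card_brand

# Constructed records: a test PAN in the Mastercard range paired with each AID.
PAN = bytes.fromhex("5A085413330089020011")
CONSISTENT = bytes.fromhex("8407A0000000041010") + PAN   # Mastercard AID
MIXED_UP = bytes.fromhex("8407A0000000031010") + PAN     # Visa AID from the text
```

`brand_mismatch(MIXED_UP)` flags the record carrying Visa's AID with a Mastercard-range PAN, while `brand_mismatch(CONSISTENT)` does not.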
The researchers successfully tested this attack with Mastercard Credit and Maestro cards, processing transactions up to 400 Swiss francs during their research.
A demonstration video of this attack showcased its simplicity and speed, making it nearly impossible for store clerks to distinguish a fraudulent transaction from a legitimate one.
The research team disclosed both PIN bypass methods to Visa and Mastercard, and Mastercard addressed the issue earlier this year. However, it appears that Visa has not yet resolved the vulnerability, as there was no response to the researchers’ notifications.
To prevent widespread abuse of this technique, the research team has opted not to release their Android app that facilitates these attacks.