Skip to main content

BEWARE ATM CARD USERS. New PIN Verification Bypass Flaw Affects Visa Contactless Transactions.


visa

Even as Visa issued a warning about a new JavaScript web skimmer known as Baka, cybersecurity researchers have uncovered a new flaw in the company's EMV enabled cards that enable cybercriminals to obtain funds and defraud cardholders as well as merchants illicitly.

The research, published by a group of academics from the ETH Zurich, is a PIN bypass attack that allows the adversaries to leverage a victim's stolen or lost credit card for making high-value purchases without knowledge of the card's PIN, and even trick a point of sale (PoS) terminal into accepting an unauthentic offline card transaction.

All modern contactless cards that make use of the Visa protocol, including Visa Credit, Visa Debit, Visa Electron, and V Pay cards, are affected by the security flaw, but the researchers posited it could apply to EMV protocols implemented by Discover and UnionPay as well. The loophole, however, doesn't impact Mastercard, American Express, and JCB.

The findings will be presented at the 42nd IEEE Symposium on Security and Privacy to be held in San Francisco next May.

Modifying Card Transaction Qualifiers Via MitM Attack


EMV (short for Europay, Mastercard, and Visa), the widely used international protocol standard for smartcard payment, necessitates that larger amounts can only be debited from credit cards with a PIN code.


But the setup devised by ETH researchers exploits a critical flaw in the protocol to mount a man-in-the-middle (MitM) attack via an Android app that "instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer's device."

The issue stems from the fact the Cardholder verification method (CVM), which is used to verify whether an individual attempting a transaction with a credit or debit card is the legitimate cardholder, is not cryptographically protected from modification.


As a result, the Card Transaction Qualifiers (CTQ) used to determine what CVM check, if any, is required for the transaction can be modified to inform the PoS terminal to override the PIN verification and that the verification was carried out using the cardholder's device such as a smartwatch or smartphone (called Consumer Device Cardholder Verification Method or CDCVM).

Exploiting Offline Transactions Without Being Charged.


Furthermore, the researchers uncovered a second vulnerability, which involves offline contactless transactions carried out by either a Visa or an old Mastercard card, allowing the attacker to alter a specific piece of data called "Application Cryptogram" (AC) before it is delivered to the terminal.

Offline cards are typically used to directly pay for goods and services from a cardholder's bank account without requiring a PIN number. But since these transactions are not connected to an online system, there is a delay of 24 to 72 hours before the bank confirms the transaction's legitimacy using the cryptogram, and the amount of the purchase is debited from the account.

A criminal can leverage this delayed processing mechanism to use their card to complete a low-value and offline transaction without being charged, in addition to making away with purchases by the time the issuing bank declines the transaction due to the wrong cryptogram.

"This constitutes a 'free lunch' attack in that the criminal can purchase low-value goods or services without actually being charged at all," the researchers said, adding the low-value nature of these transactions is unlikely to be an "attractive business model for criminals."

Mitigating PIN bypass and offline attacks.


Aside from notifying Visa of the flaws, the researchers have also proposed three software fixes to the protocol to prevent PIN bypass and offline attacks, including using Dynamic Data Authentication (DDA) to secure high-value online transactions and requiring the use of online cryptogram in all PoS terminals, which causes offline transactions to be processed online.

"Our attack show[ed] that the PIN is useless for Visa contactless transactions [and] revealed surprising differences between the security of the contactless payment protocols of Mastercard and Visa, showing that Mastercard is more secure than Visa," the researchers concluded. "These flaws violate fundamental security properties such as authentication and other guarantees about accepted transactions."




THN



#osutayusuf

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.