EMV Contactless Payment Card Flaw Facilitates PIN Bypass:
A "critical" flaw in how contactless cards from Visa - and potentially other issuers - have implemented the EMV protocol can be abused to launch a "PIN bypass attack," researchers warn. But Visa says the exploits would be "impractical for fraudsters to employ" in real-world attacks.
A team of security researchers from the Department of Computer Science at Zurich's Swiss Federal Institute of Technology, aka ETH Zurich, say they have identified a flaw in the EMV - for Europay, Mastercard and Visa - protocol used by contactless payment cards that an attacker can exploit to bypass the PIN entry that would otherwise be required to complete a high-value transaction.
[...] The flaw found by the researchers can be used for "a PIN bypass attack for transactions that are presumably protected by cardholder verification, typically those whose amount is above a local PIN-less upper limit," they say. This upper limit varies by country, but is currently 80 Swiss francs ($87.30) in Switzerland, £45 ($59.30) in the U.K. and €50 ($59) in France. Those upper limits had been raised earlier this year, partly in response to the ongoing COVID-19 pandemic and many consumers preferring contactless payments to using cash.
Due to the flaw, however, attackers could render those upper limits moot. "This means that your PIN won't prevent criminals from using your Visa contactless card to pay for their transaction, even if the amount is above the mentioned limit," the researchers say. "To carry out the attack, the criminals must have access to your card, either by stealing it [or] finding it if lost, or by holding an NFC-enabled phone near it."
The researchers notified Visa about the flaws as well as recommended mitigations. Officials at the card brand say they're aware of the research, but see the flaws posing little if any real threat to cardholders or issuers.
[...] The ETH Zurich researchers have created a proof-of-concept Android app to demonstrate how the flaw could be exploited in the wild. "Our app implements man-in-the-middle (MITM) attacks on top of a relay attack architecture," they say. "The MITM attacks modify the terminal's commands and the card's responses before delivering them to the corresponding recipient."
[...] The researchers tested their findings by making purchases in brick-and-mortar stores, using their own credit and debit cards.
"For example, we performed a transaction of [about] $190 in an attended terminal in an actual store. As it is now common for consumers to pay with their smartphones, the cashier cannot distinguish the attacker's actions from those of any legitimate cardholder," the researchers say.
"Our attack shows that the PIN is useless for Visa contactless transactions. As a result, in our view, the liability shift from banks to consumers or merchants is unjustified for such transactions; Banks, EMVCo, Visa or some entity other than the consumer or merchant should be liable for such fraudulent transactions," the researchers say.
(Score: 0) by Anonymous Coward on Thursday September 10 2020, @01:46PM (8 children)
Or, just use a USA based credit card and bypass PIN altogether. Signature verification, you say? Who even checks signatures any more!
(Score: 2) by hendrikboom on Thursday September 10 2020, @02:24PM (7 children)
They do get checked when a fraud is reported.
Happened to me. A lost card was used before I noticed it was missing.
Mastercard requested the actual sales slip.
Sure enough, the signature didn't match and the charge was cancelled.
I think the store was left with the loss, because the cashier hadn't checked the signature.
-- hendrik
(Score: 2) by sjames on Thursday September 10 2020, @03:36PM (6 children)
I'm guessing that neither Visa nor the merchant hired an expert to examine the signature (at about $10,000 each signature), making the determination about as valid as a tax accountant squinting at a supposed Picasso and saying "looks legit"...
(Score: 2) by hendrikboom on Thursday September 10 2020, @05:55PM (5 children)
They told me the signature was completely different.
I conclude that no attempt was made to forge my signature, nor to check it.
Until I complained, of course.
-- hendrik
(Score: 0) by Anonymous Coward on Thursday September 10 2020, @06:45PM (2 children)
Whenever I sign for something, using the terminals with the "pen" as a pointer, the best I can do is scribble something that is NOWHERE CLOSE to my signature. Any comparison to a signature would fail - even when I'm signing. The entire signature process is fundamentally broken.
(Score: 2) by sjames on Thursday September 10 2020, @07:25PM
Same here. The surface is so slippery that an ordinary pen or pencil wouldn't even write on it.
(Score: 0) by Anonymous Coward on Friday September 11 2020, @01:57PM
Most processors don't even want signatures any more.
(Score: 2) by sjames on Thursday September 10 2020, @07:35PM (1 child)
It's certainly not your fault or your problem, but put another way: "In a move that surprises nobody, the credit card company announces that it's fully satisfied with its conclusion that literally everyone is more responsible for eating the cost of the fraud than they are. Film at 11".
(Score: 2) by hendrikboom on Friday September 11 2020, @01:30PM
In this case, it was clearly the store clerk that failed to compare the signature on the card with the signature on the credit slip. They were not similar at all.
Doesn't sound like the credit card company should be held holding the bag on this one.
Other cases are, of course, other cases.
-- hendrik
(Score: 2) by pkrasimirov on Thursday September 10 2020, @02:09PM (6 children)
I have to has a daily and weekly limit for card operations in my bank. I keep these pretty low and only increase them if I have to pay for something big, then bring them back down.
(Score: 2) by pkrasimirov on Thursday September 10 2020, @02:10PM
"I have to has" --> "I have to have"
duh
(Score: 4, Interesting) by JoeMerchant on Thursday September 10 2020, @02:37PM (4 children)
Have these limits ever helped you?
We had a $10K credit limit (total- no time limit) on our card, then we went to do a home remodel and ran it up over $14K before we thought about it... called the bank: "Oh, yes, we see you're over the limit by quite a bit... since it's your first over limit in forever we'll waive the penalty fee." Apparently, that credit limit is just another way for them to charge you fees, not to actually stop identity thieves from running up crazy debt on your account.
🌻🌻🌻 [google.com]
(Score: 2) by pkrasimirov on Thursday September 10 2020, @03:20PM (3 children)
You misunderstood me. I have limits enforced by the bank, not the credit card company. My bank even calls me to confirm it was me if I withdraw big amounts of money abroad.
The credit card company will happily tax me for anything and even apply interest on top if they can.
(Score: 0) by Anonymous Coward on Thursday September 10 2020, @06:27PM (2 children)
I use a phone to perform cardless withdrawal from ATMs, low limits help but raising the limits features only a marginal safety level increase than the withdrawal itself.
(Score: 2) by hendrikboom on Friday September 11 2020, @01:32PM (1 child)
I didn't know that was possible.
-- hendrik
(Score: 0) by Anonymous Coward on Friday September 11 2020, @02:05PM
It's probably not, for you. Only a few banks have really focused on adding features to their phone apps, it will probably be some years before it's common.
(Score: 0) by Anonymous Coward on Thursday September 10 2020, @02:28PM (1 child)
As long as this isn't fixed, they will continue with:
(Score: 2) by JoeMerchant on Thursday September 10 2020, @02:40PM
You have to understand, they process millions of dollars per hour in transactions. A few people per year experiencing identity theft, with the ensuing credit rating destruction, eviction from their apartment, loss of job, health crash and death... well, that's just insignificant in the bigger picture.
(Score: 3, Interesting) by JoeMerchant on Thursday September 10 2020, @02:34PM (4 children)
Gas pumps ask your billing address zipcode. I tapped in the wrong (by a wide margin) zipcode once and hit enter before I realized my mistake: transaction approved, never questioned. Apparently that particular security step isn't always "active."
(Score: 2) by hopp on Thursday September 10 2020, @04:16PM (3 children)
It's for a lower processing rate for the store. A matching zip is worth a few cents off on the processing fee.
Same for street address and security code on the back.
(Score: 2) by JoeMerchant on Thursday September 10 2020, @04:54PM (2 children)
Where's my extra cash back? I mean, I think I already get like $0.035 per dollar (not gallon!) back on the CC when used at gas stations - if I'm giving them a better rate by catching COVID from the keypad to tap in my zipcode, I should get some of that action too!
(Score: 0) by Anonymous Coward on Thursday September 10 2020, @06:48PM (1 child)
Like when you self-checkout at the grocery store (or many other stores today)? Is any business giving discounts to customers when customers save the business money?
(Score: 0) by Anonymous Coward on Friday September 11 2020, @02:08PM
I will gladly pay not to have to deal with some stoned teenagers who were never properly trained to bag crushing my eggs and mixing up refrigerated goods with non-refrigerated.
(Score: 2) by ikanreed on Thursday September 10 2020, @02:44PM (3 children)
Why don't they just demand all transaction packets have an additional layer of single-key encryption using the pin before the full crypto carrier protocol is deployed?
The software implementation of that seems trivial, and impossible to bypass.
(Score: 2) by pkrasimirov on Thursday September 10 2020, @03:24PM (1 child)
I am suspecting the problem here is not a technical one.
(Score: 2) by ikanreed on Thursday September 10 2020, @03:39PM
But it literally is. They spoof the transmissions of the card to the PoS device and the underlying algorithm accepts some transaction verification message that it shouldn't. If the remote side would never approve the transaction without the pin being used, it is impossible to bypass the pin.
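The article says the researchers' app alters the card's responses in transit, and the point made just above is that the bypass cannot work if the authorizing side never approves an above-limit transaction without evidence that a PIN was used. The toy model below is an added example, not the researchers' app, Visa's protocol or real EMV messages; the field names, the shared HMAC key and the amounts are all constructed. It shows why that evidence must itself be authenticated: a cardholder-verification flag that sits outside the card's cryptogram can be rewritten between card and issuer without the issuer noticing, while the same flag covered by the cryptogram makes the altered response fail verification.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real scheme the card holds a per-card key derived
# by the issuer's HSM; this toy uses one shared HMAC key to stand in for that.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"

# Two hypothetical protocol designs, distinguished only by which response
# fields the card's cryptogram (here an HMAC) covers.
CVM_UNAUTHENTICATED = ("amount",)               # verification flag sent unprotected
CVM_AUTHENTICATED = ("amount", "pin_verified")  # verification flag covered by the MAC


def _mac(fields, authenticated, key=ISSUER_KEY):
    """HMAC over the subset of fields the design declares authenticated."""
    covered = {name: fields[name] for name in authenticated}
    msg = json.dumps(covered, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def card_response(amount_cents, pin_verified, authenticated):
    """Toy card: report the amount, whether a PIN was verified, and a cryptogram."""
    fields = {"amount": amount_cents, "pin_verified": pin_verified}
    return {"fields": fields, "mac": _mac(fields, authenticated)}


def relay_flip_cvm(response):
    """Model of the in-transit modification the article describes: the card's
    verification flag is rewritten before the issuer sees it. The MAC is left
    untouched because the relay does not hold the card's key."""
    tampered = json.loads(json.dumps(response))  # deep copy
    tampered["fields"]["pin_verified"] = True
    return tampered


def issuer_authorize(response, authenticated, pin_limit_cents):
    """Toy issuer: recompute the MAC over the fields the design authenticates,
    then apply the PIN-above-limit policy to the fields as received."""
    fields = response["fields"]
    if not hmac.compare_digest(_mac(fields, authenticated), response["mac"]):
        return "DECLINE: cryptogram mismatch"
    if fields["amount"] > pin_limit_cents and not fields["pin_verified"]:
        return "DECLINE: PIN required above limit"
    return "APPROVE"


def run_scenario(authenticated, tampered, amount_cents=19000, pin_limit_cents=8000):
    """End-to-end: card -> (optional relay) -> issuer. Returns the decision.
    Default amounts are constructed: a purchase well above a PIN-less limit,
    with no PIN entered at the card."""
    response = card_response(amount_cents, pin_verified=False, authenticated=authenticated)
    if tampered:
        response = relay_flip_cvm(response)
    return issuer_authorize(response, authenticated, pin_limit_cents)


if __name__ == "__main__":
    designs = ((CVM_UNAUTHENTICATED, "flag outside MAC"), (CVM_AUTHENTICATED, "flag inside MAC"))
    for design, label in designs:
        for tampered in (False, True):
            print(f"{label:17} tampered={tampered!s:5} -> {run_scenario(design, tampered)}")
```

With the flag outside the MAC, the honest above-limit transaction is declined for lack of a PIN, but the rewritten one is approved: the issuer's cryptogram check passes because it never covered the field that was changed. With the flag inside the MAC, the same rewrite produces a cryptogram mismatch and is declined. The design lesson is the one the issuer-side check needs: any field the authorization policy relies on has to be bound into what the card signs, not merely reported alongside it.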
(Score: 5, Insightful) by JoeMerchant on Thursday September 10 2020, @03:38PM
Have you met the people who implement financial transaction software?
I don't know about the broader industry, but I interviewed with a local shop that specializes in POS terminal software. I sought them out because a) I was unemployed, and b) they had previously advertised that they use Qt/C++ in their software development - I had just recently become proficient in Qt and had 15 years of C++ experience, so I thought it might be a good fit.
Turns out, my skills were an excellent fit - the problem was: with 15 years C++ dev experience, I was previously earning double what the software manager at the financial transaction software house earned, and he made roughly double what most of his programmers did. So, if I were to work for them, we'd have to sell the house, move into a tiny apartment, probably sell the cars and start taking the bus, give up the idea of health insurance, etc.
It was located in a University town, so they would get kids in school working a few months, maybe two years tops before they'd move on to "real" jobs. When I interact with POS terminals, I often see this level of professionalism clearly visible in the GUI of the end product. One can only imagine how craptastic the back end code is. From the outside, ATM software doesn't look any better.
(Score: 2) by sjames on Thursday September 10 2020, @03:39PM (2 children)
Says the company that doesn't want to be liable for the bogus charges.
I am typically skeptical of wild security claims, but considering they report actually managing the attack in a real-world situation, I find their claim more believable than Visa's.
(Score: 2) by Runaway1956 on Thursday September 10 2020, @06:00PM (1 child)
What, exactly, does "impractical" mean, anyway? "A legitimate business wouldn't find it cost effective to spend the time, money, and other resources to exploit this flaw" is not the same thing as "some random hacker with nothing else to do could never make this work".
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by sjames on Thursday September 10 2020, @07:22PM
Of course both are distinct from someone using other people's credit cards to buy an instant fraud kit on the dark web and then running the provided software with the simple to use GUI.