Threat actors can take money from flawed contactless cards

Aug 31, 2021 15:15 GMT

Contactless Mastercard and Maestro PINs can be bypassed due to a new vulnerability discovered by the Swiss College of Engineering in Zurich, according to Cybersecurity News.

The key aspect of the flaw is that, if properly exploited, it allows thieves to use a hacked Mastercard or Maestro card to make contactless payments without having to enter the PIN to complete the transaction.

"Properly" in this case entails first installing dedicated software on two Android smartphones. One device simulates a point-of-sale terminal, while the other acts as a card emulator that relays the modified transaction data to a real point-of-sale terminal. Once the card initiates a transaction, it reveals all the related information.

To avert further attacks, the security experts will not reveal the app in question.

Experts from ETH Zurich confirmed that this is an isolated attack, but one that could easily be exploited in real life as more loopholes in contactless payment methods are uncovered. In the past, the same team successfully bypassed Visa's contactless payment PINs, an experiment described in detail in the research paper "The EMV Standard: Break, Fix, Verify".

The current experiment focused on bypassing the PIN on cards that do not use Visa's contactless payment protocol, applying the same strategy and known vulnerabilities. The team was able to intercept Visa's contactless payment exchange and feed the transaction details into a real point-of-sale terminal as if the PIN and the cardholder's identity had already been verified, so the terminal performed no further checks.

Whether the card was a Visa, Mastercard or Maestro, ETH managed to carry out the experiment successfully, which is not exactly what the millions of contactless card users out there want to hear. Given the seriousness of the issue and its potential consequences, the researchers did not reveal the names of the apps used.