A new type of hack to exploit cash cards has been disclosed by cybersecurity researchers that allow cybercriminals to trick and bypass POS terminals to enable a transaction to use a victim’s Mastercard contactless card functioning as a Visa card.
A group of academic researchers delved into demonstrating a PIN bypass hack that permits threat actors to use a stolen or lost Visa EMV-enabled credit card in making high-value purchases and transactions without knowing the card’s PIN number. They are successful in fooling POS terminals into allowing unauthenticated offline card transactions. This hack is considered having critical consequences as cybercriminals can utilize it in combination with previous attack modus on Visa that will also bypass PIN of Mastercard cards.
Immediately after the disclosure, Mastercard has implemented a defence mechanism at a network level to stop such attacks.
This latest disclosure exploits a severe vulnerability on the widely used EMV contactless technology. This, in a nutshell, is an implementation of a man-in-the-middle attack combined with a relay attack architecture.
Dubbed as a “card brand mixup”, this attack takes advantage of the fact that the application identifier (AIDs) is not authenticated in the payment terminal, thus making the trick possible to deceive a terminal into activating the flawed kernel. By extension, the bank that process payments on behalf of the merchant will accept the contactless transaction with a primary account number (PAN) and application identifier (AID) that indicates different brands of card.
This attack, however, has several prerequisites to be successful. The criminals must have access to the card owned by the victim, aside from modifying the terminal’s commands and the responses of the card before sending them to the corresponding recipient.
Mastercard has added countermeasures, including mandating financial institutions to append the AID of the authorization data, which will help card issuers check the AID value against the PAN.