A Way To Bypass The PIN Code Found In Mastercard And Maestro Contactless Cards

✨ Megiddo



Researchers at the Swiss Higher Technical School of Zurich have found a way to bypass PIN protection on Mastercard and Maestro contactless cards. The vulnerability has already been fixed.

A loophole identified by experts allowed attackers to use stolen bank cards for large purchases without having to enter a PIN code for contactless payments.

Worst of all, the scenario described by the researchers can be reproduced in a real situation, and the attack is extremely hard to notice. Experts even fear that new bugs of this kind will lead to their mass exploitation.

To carry out such an attack, an attacker would have to "wedge" themselves between a stolen card and a payment terminal (PoS). In effect, this is a Man-in-the-Middle (MitM) attack, only in a slightly different form. The offender in this case will need:

  • a stolen bank card;
  • two Android smartphones;
  • a custom Android application that can interact with transaction fields.

This application, which needs to be installed on both smartphones, turns them into emulators. The attacker places one of the devices next to the stolen card, where it emulates a PoS terminal: it deceives the card into starting a transaction and pulls out the card data.

Meanwhile, the second smartphone acts as a card emulator and transmits the transaction data to the real terminal. Thus, for the seller, everything looks as if a regular customer is paying with a mobile device. Who are you going to surprise with this now?





The technical details of the specialists' method can be found in their report.