Researchers at the Swiss Federal Institute of Technology in Zurich (ETH Zurich) reported a way to bypass Mastercard credit and debit card authorization which would allow anyone to make contactless large-sum transactions without knowing the card’s PIN.
The vulnerability, dubbed “Card Brand Mixup”, was found and researched by David Basin, Ralf Sasse, and Jorge Toro-Pozo from the Department of Computer Science at ETH Zurich. They published their findings in a paper available online and will later present them at the 30th USENIX Security Symposium in August.
A credit card’s PIN code is usually required at POS terminals when paying large sums. Most such transactions and over nine billion cards worldwide rely on the EMV contactless protocol developed in the 1990s by Europay, Mastercard, and Visa.
Normally, during a contactless transaction, the merchant’s POS terminal sends an authorization request to the card issuer over a payment network, typically operated by the company that brands the card – Visa or Mastercard.
The researchers managed to create a mismatch between the card brand and the payment network which can result in the worst-case scenario – a criminal using a stolen card to pay for goods without knowing the card’s PIN.
The researchers used a “man-in-the-middle” attack, in which the communication between the card and the POS terminal is intercepted and manipulated without alerting the security solutions, which are led into error. For this, they developed a special mobile application. The trick was to make the terminal believe that the card being used is a Visa card, because a criminal could then apply the recent PIN bypass attack on Visa that the same team of researchers at ETH Zurich reported last year. This is possible because the application identifiers (AIDs) are not authenticated to the payment terminal, the researchers explain.
“This is not just a mere card brand mixup but it has critical consequences. Criminals can use it in combination with the previous attack on Visa to also bypass the PIN for Mastercard cards.”
A video demonstration of bypassing a Mastercard card’s PIN is available on YouTube.
Following the vulnerability disclosure, Mastercard implemented defense mechanisms at the network level to prevent such misuse of their cards, ETH Zurich researchers said. Now financial institutions must include the AID in the authorization data, allowing card issuers to check the AID against the card number.
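One way to express the issuer-side check of the AID against the card number, as an added example that is not Mastercard's or the researchers' code. It assumes the AID arrives as a hex string and uses the public Visa and Mastercard RIDs and card-number prefix ranges; the function names, the decline policy and the test card numbers are constructed for illustration.

```python
# Added illustration: compare the brand implied by the AID in the
# authorization data with the brand implied by the card number (PAN).
# Function names and the decline policy are hypothetical.

# The first 5 bytes of an AID are the RID, registered per brand.
RID_TO_BRAND = {
    "A000000003": "visa",
    "A000000004": "mastercard",
}
HEX = set("0123456789ABCDEF")


def brand_from_aid(aid_hex):
    """Return the brand for an AID hex string, or None if missing/unknown."""
    if not aid_hex:
        return None
    aid = aid_hex.replace(" ", "").upper()
    # An AID is 5 to 16 bytes, so 10 to 32 hex characters.
    if not 10 <= len(aid) <= 32 or len(aid) % 2 or not set(aid) <= HEX:
        return None
    return RID_TO_BRAND.get(aid[:10])


def brand_from_pan(pan):
    """Return the brand implied by the PAN prefix, or None if unknown."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return None
    if digits[0] == "4":
        return "visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    return None


def check_authorization(pan, aid_hex):
    """Return (decision, reason) for one authorization request."""
    pan_brand = brand_from_pan(pan)
    aid_brand = brand_from_aid(aid_hex)
    if aid_brand is None:
        return ("decline", "AID missing or unrecognised in authorization data")
    if pan_brand is None:
        return ("decline", "PAN brand unknown")
    if pan_brand != aid_brand:
        return ("decline", f"brand mismatch: PAN is {pan_brand}, AID is {aid_brand}")
    return ("approve", "AID consistent with PAN")
```

A request without an AID is declined here because the check cannot be performed without it; a real issuer may choose a different action for that case.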