Scientists discovered a flaw in the security system of some credit cards

Outsmarting the PIN code.


Contactless credit cards are a fast and convenient way to pay for everyday purchases. To make a contactless payment, you tap your card on a POS machine.

Small amounts can be charged quickly and easily at the till, and the cards are considered safe because a security code is required to debit large sums.

Most of these transactions are based on the EMV standard, which applies to over nine billion cards worldwide. Although it has been revised several times, the complex set of rules has several vulnerabilities that can be exploited.

Other security authorities have already discovered errors in the standard, and scientists at ETH Zurich have now announced an additional, serious security loophole.

As an initial step, Professor of Information Security David Basin collaborated with Ralf Sasse, a senior researcher in the Department of Computer Science, and Jorge Toro Pozo, a postdoc in Basin’s group, to design a purpose-built model with which they could investigate the central elements of the EMV standard. They found a critical gap in a protocol used by credit card company Visa.

This vulnerability enables fraudsters to obtain funds from cards that have been lost or stolen, even though the amounts are supposed to be validated by entering a PIN code.

Toro puts it plainly: “To all expectations and purposes, the PIN code is ineffectual here.”

Other companies, such as Mastercard, American Express, and JCB, don’t use the same Visa protocol, so these cards are not affected by the security loophole. However, the flaw may also apply to the cards issued by Discover and UnionPay, which use a protocol similar to Visa’s.

The researchers were able to demonstrate that the vulnerability can be exploited in practice, even though it is a genuinely complex process. They first developed an Android application and installed it on two NFC-enabled mobile phones. This allowed the two devices to read data from the credit card chip and exchange information with payment terminals. Unexpectedly, the researchers did not need to bypass any special security features in the Android operating system to install the app.

To obtain unauthorized funds from a third-party credit card, the first phone is used to scan the necessary data from the card and transfer it to the second phone. The second phone is then used to debit the amount at the checkout, as many cardholders do these days. Because the application declares that the customer is the credit card’s authorized user, the vendor does not realize that the transaction is fraudulent. The crucial factor is that the app outsmarts the card’s security system. Even though the sum is over the limit and requires PIN confirmation, no code is requested.

Using their credit cards at various points of sale, the researchers were able to show that the fraud scheme works. 

Toro says, “The scam works with debit and credit cards issued in different countries in various currencies.”

The scientists have already alerted Visa to the vulnerability, at the same time proposing a specific solution.

Toro explains: “Three changes should be made to the protocol, which could then be installed in the payment terminals with the next software update. It could be done with minimum effort. There is no need to replace the cards, and all changes comply with the EMV standard.”

Journal Reference:
  1. Basin et al. The EMV Standard: Break, Fix, Verify. arXiv:2006.08249 [cs.CR]