EMV Contactless Payment Card Flaw Facilitates PIN Bypass
upstart writes in with an IRC submission:
A "critical" flaw in how contactless cards from Visa - and potentially other issuers - have implemented the EMV protocol can be abused to launch a "PIN bypass attack," researchers warn. But Visa says the exploits would be "impractical for fraudsters to employ" in real-world attacks.
A team of security researchers from the Department of Computer Science at Zurich's Swiss Federal Institute of Technology, aka ETH Zurich, say they have identified a flaw in the EMV - for Europay, Mastercard and Visa - protocol used by contactless payment cards, that can be exploited by an attacker to bypass having to use a PIN code to complete a high-value transaction.
[...] The flaw found by the researchers can be used for "a PIN bypass attack for transactions that are presumably protected by cardholder verification, typically those whose amount is above a local PIN-less upper limit," they say. This upper limit varies by country, but is currently 80 Swiss francs ($87.30) in Switzerland, £45 ($59.30) in the U.K. and €50 ($59) in France. Those upper limits had been raised earlier this year, partly in response to the ongoing COVID-19 pandemic and many consumers preferring contactless payments to using cash.
Due to the flaw, however, attackers could render those upper limits moot. "This means that your PIN won't prevent criminals from using your Visa contactless card to pay for their transaction, even if the amount is above the mentioned limit," the researchers say. "To carry out the attack, the criminals must have access to your card, either by stealing it [or] finding it if lost, or by holding an NFC-enabled phone near it."
The researchers notified Visa about the flaws as well as recommended mitigations. Officials at the card brand say they're aware of the research, but see the flaws posing little if any real threat to cardholders or issuers.
Read more of this story at SoylentNews.