17 Nov Pay without a PIN – researchers crack Visa’s NFC payment function
Researchers at ETH Zurich paid for expensive products with Visa contactless cards without entering a PIN.
Contactless card payments typically work without a PIN only up to 30-50 euros. For more expensive transactions the PIN is normally requested, which is meant to limit the misuse of stolen cards. But researchers at ETH Zurich demonstrated that this PIN query can easily be bypassed, at least with Visa cards. The attack relies on a so-called “man in the middle” (MITM) that sits between the payment terminal and the card and manipulates the transaction. Specifically, the MITM role is played by two cell phones that communicate with each other via Wi-Fi, each running an app developed by the researchers. The method is reminiscent of earlier attacks on credit cards used by criminals, in which soldered-in chips took on the role of the MITM. Visa's mistake is that the MITM's manipulation goes unnoticed because the changed data is not cryptographically secured. Mastercard evidently does it differently; the Swiss researchers' attacks failed against its cards.
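The integrity gap described above, shown as an added toy model (not the researchers' app and not the real card message format): a verifier checks a MAC over the card's answer, once with the PIN-required flag left outside the MAC and once with it covered. The field names, key, counter and the 50-euro limit are constructed assumptions.

```python
import hashlib
import hmac
import json

CARD_KEY = b"constructed-demo-key"   # constructed secret known to card and verifier
PIN_LIMIT_CENTS = 5000               # assumed limit, within the 30-50 euro range above
AUTHENTICATED_WEAK = ("amount", "counter")  # weak variant: flag left outside the MAC


def _mac(body, protect_flag):
    """MAC over every field (protected) or only over amount and counter (weak)."""
    covered = body if protect_flag else {k: body[k] for k in AUTHENTICATED_WEAK}
    data = json.dumps(covered, sort_keys=True).encode()
    return hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()


def card_response(amount_cents, protect_flag):
    """Card side: request a PIN above the limit and authenticate the answer."""
    body = {"amount": amount_cents, "counter": 7,
            "pin_required": amount_cents > PIN_LIMIT_CENTS}
    return {**body, "mac": _mac(body, protect_flag)}


def relay_tamper(msg):
    """Constructed stand-in for the relay in the middle: clears the flag in transit."""
    return {**msg, "pin_required": False}


def terminal_decision(msg, protect_flag):
    """Verifier side: recompute the MAC, then act on the flag it received."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    if not hmac.compare_digest(_mac(body, protect_flag), msg["mac"]):
        return "declined"            # modification detected
    return "ask_pin" if body["pin_required"] else "approved_no_pin"


def demo():
    """Return (genuine decision, decision after tampering) for both variants."""
    results = {}
    for name, protect in (("flag_unprotected", False), ("flag_protected", True)):
        genuine = card_response(20000, protect)   # 200 euros, above the limit
        results[name] = (terminal_decision(genuine, protect),
                         terminal_decision(relay_tamper(genuine), protect))
    return results


if __name__ == "__main__":
    print(demo())
```

With the flag outside the MAC the altered message still verifies and the PIN prompt is skipped; once the flag is covered, the same alteration causes a decline.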
Source: Jürgen Schmidt on heise.de