Scientists have discovered a glaring weakness in the Visa implementation of the EMV Contactless specification. The weakness allows fraudsters to bypass the need to enter a correct PIN on a lost or stolen card. The same weakness was not discovered in the Mastercard, American Express, or JCB implementations, which were also tested by the researchers. The scientists suggested a “simple fix” which requires that POS software be updated, which in real life is rarely simple.
An article from Tech Explorist covers the topic further:
“This vulnerability enables fraudsters to obtain funds from cards that have been lost or stolen, although the amounts are supposed to be validated by entering a PIN code.
This vulnerability empowers fraudsters to acquire assets from cards that have been lost or stolen, even though the amounts should be approved by entering a PIN code. Toro puts it basically: “To all expectations and purposes, the PIN code is ineffectual here.”
Other companies, such as Mastercard, American Express, and JCB, don’t use the same Visa protocol, so these cards are not affected by the security loophole. However, the flaw may also apply to the cards issued by Discover and UnionPay, which use a protocol similar to Visa’s.
Analysts had the option to exhibit that it is conceivable to exploit the vulnerability in practice, even though it is a genuinely unpredictable cycle. They originally built up an Android application and installed it on two NFC-enabled cell phones. This permitted the two devices to peruse information from the credit card chip and trade data with payment terminals. Unexpectedly, the analysts didn’t need to sidestep any special security features in the Android working framework to install the app.
The primary cell phone is utilized to scan the vital information from the charge card and move it to the second phone to get unapproved funds from a third-party credit card. The subsequent phone is then used to debit the amount at the checkout, the same number of cardholders do these days. As the application declares that the client is the credit card’s authorized user, the vendor doesn’t understand that the transaction is fraudulent. The pivotal factor is that the app outmaneuvers the card’s security system. Even though the sum is over the limit and requires PIN confirmation, no code is requested.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group