Man-in-the-Middle Attack Makes PINs Useless for VISA Cards

• EMV protocol is vulnerable to a man-in-the-middle attack
• All VISA credit cards are affected
• VISA has to issue update for POS terminals

Swiss security researchers have discovered a way to bypass the PIN authentication for Visa contactless transactions. A bug in the communication protocols lets attackers mount a man-in-the-middle attack without entering the PIN code.

EMV is the protocol used by all the world”s major banks and financial institutions. Europay, Mastercard and Visa developed the standard, and it”s been around for more than 20 years. It stands to reason that EMV is one of the most scrutinized communication protocols, but the Swiss research shows that any software or hardware can have vulnerabilities.

The most important reason for the widespread adoption of the EMV protocol has to do “liability shift,” a procedure that ensures that as long as the customer approves the transaction with a PIN or signature, the financial institution is not liable.

The researchers used an application named Tamarin, developed explicitly to probe the security of communication protocols. They created a working model that covers all the roles in a regular EMV session: the bank, the card and the terminal.

“Using our model, we identify a critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification,” say the researchers in their paper.

“We developed a proof-of-concept Android application that exploits this to bypass PIN verification by mounting a man-in-the-middle attack that instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer”s device,” they continue.

Criminals can use a stolen VISA card and pay for goods without access to the PIN, making the PIN completely worthless. A real-world scenario tested the Visa Credit, Visa Electron, and VPay cards, and it was successful. Of course, the attack used a virtual wallet instead of a card, as the terminal can”t distinguish between a real credit card and a smartphone.

Researchers discovered another issue affecting VISA and some older models of Martercard cards, in addition to the initial problem.

“The card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can),” says the researchers. “This enables criminals to trick the terminal into accepting an unauthentic offline transaction.”

The only good news delivered by the researchers is that the fix doesn”t require an update for the EMV standard, only updates for the terminal. Given that there are about 161 million POS terminals in the entire world, the updating process will be a long one.