Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim’s Mastercard contactless card while believing it to be a Visa card.
The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a victim’s stolen or lost Visa EMV-enabled credit card for making high-value purchases without knowledge of the card’s PIN, and even fool the terminal into accepting unauthentic offline card transactions.
“This is not just a mere card brand mixup but it has critical consequences,” researchers David Basin, Ralf Sasse, and Jorge Toro said. “For example, criminals can use it in combination with the previous attack on Visa to also bypass the PIN for Mastercard cards. The cards of this brand were previously presumed protected by PIN.”
Following responsible disclosure, ETH Zurich researchers said Mastercard implemented defense mechanisms at the network level to thwart such attacks. The findings will be presented at the 30th USENIX Security Symposium in August later this year.
A Card Brand Mixup Attack
Just like the previous attack involving Visa cards, the latest research too exploits “serious” vulnerabilities in the widely used EMV contactless protocol, only this time the target is a Mastercard card.
At a high level, this is achieved using an Android application that implements a man-in-the-middle (MitM) attack atop a relay attack architecture, thereby allowing the app to not only initiate messages between the two ends — the terminal and the card — but also to intercept and manipulate the NFC (or Wi-Fi) communications to maliciously introduce a mismatch between the card brand and the payment network.
Put differently, if the card issued is Visa or Mastercard branded, then the authorization request needed for facilitating EMV transactions is routed to the respective payment network. The payment terminal recognizes the brand using a combination of what’s called a primary account number (PAN, also known as the card number) and an application identifier (AID) that uniquely identifies the type of card (e.g., Mastercard Maestro or Visa Electron), and subsequently makes use of the latter to activate a specific kernel for the transaction.
An EMV Kernel is a set of functions that provides all the necessary processing logic and data that is required to perform an EMV contact or contactless transaction.
The attack, dubbed “card brand mixup,” takes advantage of the fact that these AIDs are not authenticated to the payment terminal, thus making it possible to deceive a terminal into activating a flawed kernel, and by extension, the bank that processes payments on behalf of the merchant, into accepting contactless transactions with a PAN and an AID that indicate different card brands.
“The attacker then simultaneously performs a Visa transaction with the terminal and a Mastercard transaction with the card,” the researchers outlined.
The attack, however, necessitates that it meets a number of prerequisites in order to be successful. Notably, the criminals must have access to the victim’s card, besides being able to modify the terminal’s commands and the card’s responses before delivering them to the corresponding recipient. What it doesn’t require is the need to have root privileges or exploit flaws in Android so as to use the proof-of-concept (PoC) application.
But the researchers note a second shortcoming in the EMV contactless protocol could let an attacker “build all necessary responses specified by the Visa protocol from the ones obtained from a non-Visa card, including the cryptographic proofs needed for the card issuer to authorize the transaction.”
Mastercard Adds Countermeasures
Using the PoC Android app, ETH Zurich researchers said they were able to bypass PIN verification for transactions with Mastercard credit and debit cards, including two Maestro debit and two Mastercard credit cards, all issued by different banks, with one of the transactions exceeding $400.
In response to the findings, Mastercard has added a number of countermeasures, including mandating financial institutions to include the AID in the authorization data, allowing card issuers to check the AID against the PAN.
Additionally, the payment network has rolled out checks for other data points present in the authorization request that could be used to identify an attack of this kind, thereby declining a fraudulent transaction right at the outset.