Man-in-the-Middle Attack Makes PINs Useless for VISA Cards

  • EMV protocol is vulnerable to a
    man-in-the-middle attack
  • All VISA credit cards are affected
  • VISA has to issue update for POS terminals

Swiss security researchers have discovered a way to
bypass the PIN authentication for Visa contactless transactions. A bug in the
communication protocols lets attackers mount a man-in-the-middle attack without
entering the PIN code.

EMV is the protocol used by all the world’s major banks
and financial institutions. Europay, Mastercard and Visa developed the
standard, and it’s been around for more than 20 years. It stands to reason that
EMV is one of the most scrutinized communication protocols, but the Swiss
research shows that any software or hardware can have vulnerabilities.

The most important reason for the widespread adoption of
the EMV protocol has to do with “liability shift,” a procedure that ensures that as
long as the customer approves the transaction with a PIN or signature, the
financial institution is not liable.

The researchers used an application named Tamarin,
developed explicitly to probe the security of communication protocols. They
created a working model that covers all the roles in a regular EMV session: the
bank, the card and the terminal.

“Using our model, we identify a critical violation of
authentication properties by the Visa contactless protocol: the cardholder
verification method used in a transaction, if any, is neither authenticated nor
cryptographically protected against modification,” say the researchers in their

“We developed a proof-of-concept Android application that
exploits this to bypass PIN verification by mounting a man-in-the-middle attack
that instructs the terminal that PIN verification is not required because the
cardholder verification was performed on the consumer’s device,” they continue.

Criminals can use a stolen VISA card and pay for goods
without access to the PIN, making the PIN completely worthless. The attack was
tested in a real-world scenario against Visa Credit, Visa Electron, and VPay cards,
and it succeeded. Of course, the attack used a virtual wallet instead of a card, as
the terminal can’t distinguish between a real credit card and a smartphone.
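The core of the flaw is that the cardholder verification indicator sits outside the data the card proves to the terminal, so a relay can rewrite it. The following added example (not code from the researchers or from the EMV specification) models that in a few lines: a card that covers only the amount with its proof versus one that also covers the verification indicator, and a terminal check that detects the rewrite in the second case. The field names, the `pin_required` flag and the use of an HMAC as a stand-in for a terminal-verifiable card signature are all simplifying assumptions.

```python
import hashlib
import hmac
import json

# Constructed toy key. Real EMV uses a card signature the terminal checks
# via the issuer's certificate chain; an HMAC is used here only as a stand-in
# for "data the terminal can verify came from the card" (assumption).
CARD_KEY = b"toy-card-key"


def card_proof(signed_fields: dict) -> bytes:
    """Proof over the given fields, in a canonical encoding."""
    msg = json.dumps(signed_fields, sort_keys=True).encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).digest()


def card_response(amount: int, pin_required: bool, cvm_authenticated: bool) -> dict:
    """Card reply. With cvm_authenticated=False (the vulnerable design) the
    PIN-required indicator is sent in the clear and not covered by the proof."""
    signed = {"amount": amount}
    if cvm_authenticated:
        signed["pin_required"] = pin_required
    return {"amount": amount, "pin_required": pin_required, "proof": card_proof(signed)}


def tamper_clear_pin(resp: dict) -> dict:
    """Simulates the relay rewriting the indicator to 'no PIN needed', so the
    terminal-side check below can be exercised against a modified reply."""
    tampered = dict(resp)
    tampered["pin_required"] = False
    return tampered


def terminal_accepts(resp: dict, pin_entered: bool, cvm_authenticated: bool) -> bool:
    """Terminal decision: proof must match the fields the terminal believes
    are covered, and a PIN must have been entered if the card asked for one."""
    signed = {"amount": resp["amount"]}
    if cvm_authenticated:
        signed["pin_required"] = resp["pin_required"]
    if not hmac.compare_digest(card_proof(signed), resp["proof"]):
        return False  # modification detected
    if resp["pin_required"] and not pin_entered:
        return False  # card demanded a PIN and none was entered
    return True


def pin_bypass_succeeds(cvm_authenticated: bool) -> bool:
    """True if a rewritten reply is accepted with no PIN entered."""
    resp = card_response(amount=5000, pin_required=True, cvm_authenticated=cvm_authenticated)
    return terminal_accepts(tamper_clear_pin(resp), pin_entered=False, cvm_authenticated=cvm_authenticated)
```

Covering the indicator with the card's proof is what lets the terminal notice the rewrite, which matches the researchers' point that the fix lives in the terminal rather than in the standard.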

Researchers discovered another issue affecting VISA and
some older models of Mastercard cards, in addition to the initial problem.

“The card does not authenticate to the terminal the
Application Cryptogram (AC), which is a card-produced cryptographic proof of
the transaction that the terminal cannot verify (only the card issuer can),”
say the researchers. “This enables criminals to trick the terminal into
accepting an unauthentic offline transaction.”

The only good news delivered by the researchers is that
the fix doesn’t require an update for the EMV standard, only updates for the
terminal. Given that there are about 161 million POS terminals in the entire
world, the updating process will be a long one.