New Attack To Bypass Mastercard PIN By Using Them As Visa Card

22-Feb-2021

Cybercriminals have recently figured out a technique through which point-of-sale (POS) terminals can be manipulated into processing a payment with a victim's contactless Mastercard while believing it to be a Visa card.

A cybersecurity researcher brought this to everyone's attention. The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, which allowed threat actors to use a victim's stolen or lost Visa EMV-enabled credit card to make high-value purchases without knowing the card's PIN, and even to trick the terminal into accepting unauthentic offline card transactions.

"This is not just a mere card brand mixup but it has critical consequences," researchers David Basin, Ralf Sasse, and Jorge Toro said. "For example, criminals can use it in combination with the previous attack on Visa to also bypass the PIN for Mastercard cards. The cards of this brand were previously presumed protected by a PIN."

After gaining a lot of traction, this revelation also encountered contradictory remarks, following which the ETH Zurich researchers stated that Mastercard has already implemented sophisticated defense mechanisms at the network level to thwart such attacks. The results will be presented at the 30th USENIX Security Symposium in August later this year.

Cards have often been a target for cybercriminals. Unlike previous attacks, where the involvement of Visa cards was pretty common, the latest research exploits "serious" vulnerabilities in the widely used EMV contactless protocol, only this time the target is a Mastercard card.

At a high level, this is done using an Android application that implements a man-in-the-middle (MitM) attack atop a relay attack architecture, allowing the app not only to initiate messages between the two ends (the terminal and the card) but also to intercept and manipulate the NFC (or Wi-Fi) communications to maliciously introduce a mismatch between the card brand and the payment network.

When a card is issued as Visa or Mastercard branded, the authorization request needed for facilitating EMV transactions is routed to the respective payment network. The payment terminal recognizes the brand using a combination of what's called a primary account number (PAN, also known as the card number) and an application identifier (AID) that uniquely identifies the type of card (e.g., Mastercard Maestro or Visa Electron), and subsequently uses the latter to activate a specific kernel for the transaction.

"An EMV Kernel is a set of functions that provides all the necessary processing logic and data that is required to perform an EMV contact or contactless transaction."

The attack, dubbed "card brand mixup," takes advantage of the fact that these AIDs are not authenticated to the payment terminal. This makes it possible to deceive a terminal into activating a flawed kernel and, by extension, to deceive the bank that processes payments on behalf of the merchant into accepting contactless transactions with a PAN and an AID that indicate different card brands.

"The attacker then simultaneously performs a Visa transaction with the terminal and a Mastercard transaction with the card," the researchers outlined.

The attack, however, must meet several prerequisites to be successful. Notably, the criminals must have access to the victim's card, besides being able to modify the terminal's commands and the card's responses before delivering them to the corresponding recipient. What it doesn't require is root privileges or the exploitation of flaws in Android to use the proof-of-concept (PoC) application.

Now the researchers are on the verge of identifying a second loophole in the EMV contactless protocol that could let an attacker "build all necessary responses specified by the Visa protocol from the ones obtained from a non-Visa card, including the cryptographic proofs needed for the card issuer to authorize the transaction."

Using the PoC Android app, the ETH Zurich researchers said they were able to bypass PIN verification for transactions with Mastercard credit and debit cards, including two Maestro debit and two Mastercard credit cards, all issued by different banks, with one of the transactions exceeding $400.

In response to the above findings, Mastercard has rolled out a couple of countermeasures, including requiring financial institutions to include the AID in the authorization data, which allows card issuers to check the AID against the PAN.

Additionally, the payment network has rolled out checks for other data points present in the authorization request that could be used to identify an attack of this kind, thereby declining a fraudulent transaction right at the outset.
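The AID-against-PAN check described above can be sketched as follows. This is an added example, not Mastercard's or the researchers' code: the request field names `pan` and `aid`, the sample requests, and the simplified (incomplete) PAN prefix table are assumptions made for illustration.

```python
import string

# The RID is the first 5 bytes (10 hex chars) of an AID and names the provider.
RID_TO_NETWORK = {"A000000003": "visa", "A000000004": "mastercard"}
# Simplified, incomplete Maestro prefix list (assumption for this example).
MAESTRO_PREFIXES = {"5018", "5020", "5038", "6304", "6759"}

def network_from_aid(aid_hex):
    """Map an AID (hex string) to a payment network via its RID, or None."""
    aid = aid_hex.replace(" ", "").upper()
    well_formed = (10 <= len(aid) <= 32 and len(aid) % 2 == 0
                   and all(c in string.hexdigits for c in aid))
    return RID_TO_NETWORK.get(aid[:10]) if well_formed else None

def network_from_pan(pan):
    """Map a PAN to a payment network by its leading digits, or None."""
    digits = pan.replace(" ", "")
    if not (digits.isascii() and digits.isdigit() and 12 <= len(digits) <= 19):
        return None
    if digits[0] == "4":
        return "visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    if digits[:4] in MAESTRO_PREFIXES:
        return "mastercard"  # Maestro shares the Mastercard RID and network
    return None

def brand_check(request):
    """Return (decision, reason); fail closed if the AID is absent or unknown."""
    aid = request.get("aid")
    if not aid:
        return ("DECLINE", "AID missing from authorization data")
    aid_net = network_from_aid(aid)
    pan_net = network_from_pan(request.get("pan", ""))
    if aid_net is None or pan_net is None:
        return ("DECLINE", "unrecognized AID or PAN")
    if aid_net != pan_net:
        return ("DECLINE", f"brand mismatch: PAN is {pan_net}, AID is {aid_net}")
    return ("PASS", f"PAN and AID both indicate {pan_net}")

# Constructed sample authorization requests (test PANs, not real cards).
SAMPLES = [
    {"pan": "5555 5555 5555 4444", "aid": "A0000000041010"},  # consistent
    {"pan": "5555 5555 5555 4444", "aid": "A0000000031010"},  # brand mixup
    {"pan": "6759 0000 0000 0000", "aid": "A0000000043060"},  # Maestro
    {"pan": "4111 1111 1111 1111"},                           # AID omitted
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", brand_check(sample))
```

The check fails closed: a request without an AID is declined rather than passed, since the countermeasure only works when the AID is present in the authorization data.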

Source: The Hacker News