A bypass for PIN authentication processes for Visa contactless transactions has been discovered by Swiss security researchers. A man-in-the-middle attack is possible, and no PIN is necessary due to a flaw in terminal’s communication protocols. An application known as Tamarin was used to test the communication protocols and found a “critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification,” as quoted in the technical report. This issue essentially makes the PIN process worthless. A stolen card could be used to make in-person transactions without a PIN being required.
While an entire update for the EMV structure is not necessary, terminal updates are required to fix the vulnerability. This will take some time though as there are approximately 161 million Point-of-Sale (POS) terminals throughout the world. Visa has been notified about the flaw. Since this attack requires the thief to have physical possession of the payment card, it is important to report lost or stolen cards. Any suspicious card transactions should be reported to the issuing bank immediately.