Swiss security researchers have discovered a bypass for PIN authentication in Visa contactless transactions. A man-in-the-middle attack is possible, and no PIN is necessary, due to a flaw in the terminal’s communication protocols. An application known as Tamarin was used to test the communication protocols, and it found a “critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification,” as quoted in the technical report. This issue essentially makes the PIN process worthless. A stolen card could be used to make in-person transactions without a PIN being required.