Swiss security researchers have discovered a bypass for the PIN authentication process in Visa contactless transactions. A man-in-the-middle attack is possible, and no PIN is necessary, due to a flaw in the terminal’s communication protocols. An application known as Tamarin was used to test the communication protocols, and the analysis found a “critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification,” as quoted in the technical report. This issue essentially makes the PIN process worthless: a stolen card could be used to make in-person transactions without a PIN being required.
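The quoted finding, shown on a simplified model as an added example (not code from the technical report or from Visa's specification): a message whose integrity tag does not cover the cardholder-verification field still verifies after that field is changed in transit, while a tag that covers the field fails. The field names, values, key and HMAC construction are assumptions for illustration and are not the real EMV message format.

```python
import hashlib
import hmac
import os

CARD_KEY = os.urandom(32)  # constructed key, stands in for the card's secret


def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


def covered_fields(msg, protect_cvm):
    """Fields the tag is computed over; the CVM is included only in the hardened model."""
    fields = [msg["amount"], msg["nonce"]]
    if protect_cvm:
        fields.append(msg["cvm"])
    return fields


def card_respond(amount, nonce, cvm, protect_cvm):
    """Card side: build the response and tag it."""
    msg = {"amount": amount, "nonce": nonce, "cvm": cvm}
    msg["tag"] = mac(CARD_KEY, *covered_fields(msg, protect_cvm))
    return msg


def verifier_accepts(msg, protect_cvm):
    """Verifier side: recompute the tag over the covered fields and compare."""
    expected = mac(CARD_KEY, *covered_fields(msg, protect_cvm))
    return hmac.compare_digest(msg["tag"], expected)


def demo(protect_cvm):
    """Return (original accepted, altered accepted) for one constructed transaction."""
    msg = card_respond(b"250.00", os.urandom(8), b"CVM_PIN_REQUIRED", protect_cvm)
    altered = dict(msg, cvm=b"CVM_NOT_REQUIRED")  # CVM field changed in transit
    return verifier_accepts(msg, protect_cvm), verifier_accepts(altered, protect_cvm)


if __name__ == "__main__":
    print("CVM outside the tag:", demo(protect_cvm=False))
    print("CVM inside the tag: ", demo(protect_cvm=True))
```
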
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in