Threat Watch

Flaw in Visa Transaction Process Makes Man-In-The-Middle Attacks Possible

A bypass for PIN authentication processes for Visa contactless transactions has been discovered by Swiss security researchers. A man-in-the-middle attack is possible, and no PIN is necessary due to a flaw in terminal’s communication protocols. An application known as Tamarin was used to test the communication protocols and found a “critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification,” as quoted in the technical report. This issue essentially makes the PIN process worthless. A stolen card could be used to make in-person transactions without a PIN being required.

Subscribe to Threat Watch

Daily summaries of threats, delivered straight to your inbox!


Click Here to Subscribe to Threat Watch

ANALYST NOTES

While an entire update for the EMV structure is not necessary, terminal updates are required to fix the vulnerability. This will take some time though as there are approximately 161 million Point-of-Sale (POS) terminals throughout the world. Visa has been notified about the flaw. Since this attack requires the thief to have physical possession of the payment card, it is important to report lost or stolen cards. Any suspicious card transactions should be reported to the issuing bank immediately.

Source: https://hotforsecurity.bitdefender.com/blog/man-in-the-middle-attack-makes-pins-useless-for-visa-cards-24024.html?&web_view=true

https://arxiv.org/pdf/2006.08249.pdf

Facebook Twitter Instagram Youtube Linkedin
Solutions
Become a Reseller

Industries

Resources

About

Contact Us
Contact Support