Researchers develop an Android App which makes PIN useless in VISA cards using Man-in-the-Middle attack


Swiss researchers develop an Android App to launch a Man-in-the-Middle (MitM) attack for making transactions using VISA Cards bypassing PINs

Swiss security researchers have discovered a way to bypass the PIN authentication for Visa contactless transactions using a man-in-the-middle (MitM) attack technique. They have developed an Android App which exploits the bug in the contactless communication protocol between the VISA PoS and the VISA card. The bug allows any hacker to transact using a VISA Card through a man-in-the-middle attack without entering the PIN code.

Almost all cards, including VISA, Mastercard, Europay, and cards issued by major banks and financial institutions, use the EMV protocol. EMV has become the most used protocol for credit and debit cards because of the “liability shift” policy, which ensures that the financial institution is not liable as long as the customer approves the transaction with a PIN or signature.

However, the Swiss research team consisting of David Basin, Ralf Sasse, and Jorge Toro-Pozo from the Department of Computer Science, ETH Zurich discovered a way to exploit this very protocol. They developed an application called Tamarin to scan the EMV protocol for vulnerabilities. Using Tamarin, they found that they could exploit the communication between the card and the PoS terminal, completely bypassing the need for a PIN.

“Using our model, we identify a critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification”

ETH researchers

To exploit this vulnerability, the ETH researchers developed an Android App. The researchers say that this proof-of-concept Android application exploits the EMV protocol and bypasses PIN verification. It works by mounting a man-in-the-middle (MitM) attack that instructs the VISA terminal that PIN verification is not required because the cardholder verification was performed on the consumer’s device. The researchers successfully tested their PoC App against real-world PoS terminals using different Visa-branded cards such as Visa Credit, Visa Electron, and VPay cards.
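The integrity gap the researchers describe, reduced to a toy model (an added example, not code from the researchers or from this article): a MAC that leaves the cardholder-verification field uncovered still accepts a message whose field changed in transit, while a MAC that covers the field rejects it. The field names, values and key are constructed assumptions, not the EMV message format.

```python
import hashlib
import hmac

# Constructed toy model: field names, values and key are illustrative
# assumptions, not the EMV wire format or a real card key.
KEY = b"constructed-demo-key-not-a-real-card-key"


def _mac(fields):
    # Length-prefix every field so the MAC input is unambiguous.
    data = b"".join(len(f).to_bytes(2, "big") + f
                    for f in (s.encode() for s in fields))
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def covered_fields(msg, protect_cvm):
    # Weak design: only amount and nonce are authenticated.
    # Hardened design: the cardholder-verification field is covered too.
    fields = [msg["amount"], msg["nonce"]]
    if protect_cvm:
        fields.append(msg["cvm"])
    return fields


def card_response(amount, nonce, cvm, protect_cvm):
    msg = {"amount": amount, "nonce": nonce, "cvm": cvm}
    msg["mac"] = _mac(covered_fields(msg, protect_cvm))
    return msg


def verifier_accepts(msg, protect_cvm):
    expected = _mac(covered_fields(msg, protect_cvm))
    return hmac.compare_digest(expected, msg["mac"])


def altered_in_transit(msg, new_cvm):
    # Models any change to the field between sender and verifier.
    return {**msg, "cvm": new_cvm}


def demo():
    # Maps protect_cvm -> (original accepted, altered accepted).
    results = {}
    for protect in (False, True):
        sent = card_response("250.00", "a1b2c3d4", "PIN_REQUIRED", protect)
        received = altered_in_transit(sent, "VERIFIED_ON_DEVICE")
        results[protect] = (verifier_accepts(sent, protect),
                            verifier_accepts(received, protect))
    return results


if __name__ == "__main__":
    for protect, (orig_ok, altered_ok) in demo().items():
        print(f"cvm covered={protect}: original={orig_ok}, altered={altered_ok}")
```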

The researchers say that cybercriminals and hackers could use this vulnerability in the real world to rack up huge bills using stolen VISA-branded debit/credit cards, completely bypassing the need for the PIN.

The researchers also found another cybersecurity vulnerability afflicting VISA and some older models of Mastercard cards.

The researchers added that both vulnerabilities can be fixed by patching the PoS terminals. The bad news is that there are nearly 150 million PoS terminals throughout the world.

You can read about the ETH Zurich research here.

