Date: 2020-09-08
Author: Martin Scholz, Versasec R&D Manager

Previous << NIST ZTA

Using strong authentication, two-factor authentication based on smart cards and PIN, EMV enabled a game changing shift in liability from the credit card companies, to the card holder. Is this still the case if the PIN is not used?

The popular NFC-based payment procedure enables payments of smaller amounts (below 50 EURO), by just tapping the credit card on the PoS without entering a PIN. Now it has been discovered that Visa’s EMV cards can by a simple man-in-the-middle (MITM) attack, be used also for larger amounts, without a PIN.

Researchers at ETH Zurich discovered a critical gap in a protocol used by the credit card company Visa. Other companies, such as Mastercard, American Express and JCB, don’t use the same protocol as Visa, so these cards are not affected by the security loophole.

An example of the attack can be seen on the YouTube video below.

The convenience of not having to enter PINs for smaller transactions, is noticeable for everyone who has used this technology. But already there, alarms should be going off for every CISO. If you add a small bug on top of that, the security level of the whole system is drastically lowered. Basically making a 2-factor authentication system, 1-factor!

More about how the security researchers from ETH Zurich found the attack vector and other details can be found here:

This post was first first published on Versasec Blog’s website by . You can view it by clicking here