Security Week 38: MITM attack on Visa cards


Vulnerabilities in credit cards are rare: the interest of cybercriminals is obvious, but the payment cards themselves are reasonably well protected. Their security has been tested regularly for many years, and very high demands are placed on market participants. Perhaps the last major credit card fraud occurred in the United States, and that was due to outdated infrastructure that relied on an unreliable method of storing data on the magnetic stripe. Credit card data is still stolen and used for online shopping and cashing out, but cards with a chip are not so easy to hack: unless the PIN is written directly on the stolen card, thieves will most likely get nothing. The exception is a contactless payment, which does not require a PIN, but there the limit on the purchase amount comes into force.

Researchers at the Swiss Higher Technical School of Zurich found a vulnerability in precisely this area: the method of authorizing contactless payments used in Visa payment cards. It allows the transaction limit to be exceeded without entering a PIN. This means that if a card is stolen, attackers can use it to pay for a very expensive product.

The PoC video shows an interesting detail: two smartphones are used, one reading data from the credit card and the other held up to the payment terminal. The assumption is that the card does not even have to be stolen; it is enough to bring a smartphone up to the credit card at the right moment. Previously, such attacks on the contactless payment system were simply impractical. They remain that way, but the research makes them a little more dangerous than we would like.

A detailed study on the topic has not yet been published: the researchers promise to submit the work with all the details as early as May 2021. So far, the following is known: the vulnerability lies in the ability to change the status of the payment card, which is transmitted upon contact with the terminal. More precisely, there are two statuses: one informs the terminal that PIN entry is not required, and the second that the cardholder has been authorized on the user's device (for example, on a smartphone). Usually a combination of these indicators will cause the terminal to ask for a PIN. In the attack scenario, data from the card is read by one smartphone, transferred to another smartphone, and modified in the process. The limit on contactless payments in Switzerland is CHF 80 (€ 74 at the time of publication). Taking advantage of the discovered vulnerability, the researchers made a 200 franc payment without authorization.
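As an added illustration (not from the researchers or the original article), the Python below shows an issuer-side consistency rule for the status combination described above. The record fields, and the assumption that the issuer knows whether a card was issued as plastic or provisioned on a device, are hypothetical; the CHF 80 limit and the 200 franc amount come from the article, and the transactions are constructed.

```python
from dataclasses import dataclass

# Contactless no-PIN limit quoted in the article for Switzerland.
CONTACTLESS_LIMIT_CHF = 80

@dataclass(frozen=True)
class Txn:
    """Constructed authorization record; all field names are hypothetical."""
    txn_id: str
    amount_chf: float
    contactless: bool
    pin_verified: bool          # terminal collected and verified a PIN
    device_auth_claimed: bool   # status: "cardholder authorized on own device"
    issued_as: str              # issuer's own record: "plastic" or "device"

def review(txn, limit=CONTACTLESS_LIMIT_CHF):
    """Return the reasons this transaction should be declined or reviewed."""
    reasons = []
    if not txn.contactless or txn.amount_chf <= limit or txn.pin_verified:
        return reasons  # not above-limit contactless without PIN: nothing to check
    if not txn.device_auth_claimed:
        reasons.append("above limit with no cardholder verification")
    elif txn.issued_as != "device":
        # A plastic card cannot authorize its holder on a device, so the
        # status the terminal received is not what this card would send.
        reasons.append("device authorization claimed for a plastic card")
    return reasons

# Constructed sample data, not real transactions.
SAMPLE = [
    Txn("t1", 45.0, True, False, False, "plastic"),   # ordinary tap under the limit
    Txn("t2", 200.0, True, True, False, "plastic"),   # above limit, PIN entered
    Txn("t3", 200.0, True, False, True, "device"),    # phone wallet unlocked by owner
    Txn("t4", 200.0, True, False, True, "plastic"),   # the pattern from the article
    Txn("t5", 120.0, True, False, False, "plastic"),  # above limit, nothing verified
]

def flagged(txns):
    """Map transaction id -> reasons, for flagged transactions only."""
    return {t.txn_id: r for t in txns if (r := review(t))}

if __name__ == "__main__":
    for txn_id, reasons in flagged(SAMPLE).items():
        print(txn_id, "->", "; ".join(reasons))
```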

Many Visa credit and debit cards are most likely vulnerable. The same status substitution may also be possible on cards of the Discover and Union Pay systems. Mastercard cards are not affected by the vulnerability (except for the earliest contactless ones), since there the status that allows bypassing PIN entry cannot be changed on the fly. The researchers themselves do not know whether all cards are affected, or only some, or only those of certain banks for a certain period of time. The recommendations are simple: don't lose your card and use a wallet that isolates wireless radio communications. Okay, a wallet is not required, but it's better not to lose your card.

What else happened

Another patch set for Microsoft products closes 129 vulnerabilities, of which 23 are critical. One of the most serious problems was discovered in Microsoft Exchange server: an attacker can execute arbitrary code with high privileges on the mail server by sending a specially prepared message.

The monthly Android patch closes 53 bugs, including another hole in the Media Framework.

A new addition to the list of vulnerabilities in the Bluetooth protocol: the BLURtooth bug allows connecting to nearby devices with Bluetooth 4.0 and 5.0 without authorization.

A vulnerability in the Email Subscribers & Newsletters WordPress plugin threatens hundreds of thousands of sites. Incorrect authorization allows the mail server to be used to send spam.

An interesting development in attacks on Office 365: in one phishing campaign, researchers noticed a mechanism that validates, in real time, the data a victim enters on a fake site. That is, your username and password will not only be stolen; you will also be politely told if you made a typo while typing.

Cybersecurity researchers report an attack on Linux-based VoIP gateways. The attackers are hunting for call history.

Data on 100,000 clients was stolen from Razer, a manufacturer of laptops, gaming PCs and accessories.

The developers of the Zoom video conferencing service have implemented two-factor authentication.

