Cybersecurity researchers have described a new attack that allows cybercriminals to trick payment terminals into making transactions with a contactless Mastercard while it poses as a Visa card.
The study, by a team of researchers at the Swiss Higher Technical School of Zurich, builds on an earlier study of a PIN bypass attack that allows a Visa EMV-enabled credit card stolen from a victim to be used to receive funds and make purchases.
As in the previous attack on Visa cards, the new study also exploits dangerous vulnerabilities in the widely used EMV contactless protocol, only this time the target is Mastercard.
With an Android application that implements a man-in-the-middle (MitM) attack on top of a relay attack architecture, you can not only initiate messages between the terminal and the card, but also intercept and manipulate NFC communications to create a mismatch between the card brand and the payment network.
In other words, if the issued card has the Visa or Mastercard brand, then the authorization request necessary to facilitate EMV transactions is sent to the appropriate payment network. The payment terminal recognizes the brand using a combination of the so-called Primary Account Number (PAN) and Application Identifier (AID), which identifies the type of card (for example, Mastercard Maestro or Visa Electron), and subsequently uses the latter to activate a specific kernel for the transaction.
An EMV kernel is a set of functions that provides all the necessary processing logic and data required to execute a contact or contactless EMV transaction.
The attack, dubbed card brand mixup, exploits the fact that these AIDs are not authenticated to the payment terminal. This makes it possible to trick the terminal into activating an invalid kernel and thus to force the bank that processes payments on behalf of the merchant to accept contactless transactions with the PAN and AID.
The attacker then simultaneously performs a Visa transaction with a terminal and a Mastercard transaction with a card. Notably, in order to carry out an attack, criminals must have access to the victim's card, in addition to being able to modify the terminal's commands and card responses before they are delivered to the appropriate recipient.
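Because the terminal derives the brand from both the PAN and the AID, a record in which the two disagree can be flagged. The Python below is an added example, not code from the researchers or from Mastercard: it assumes a transaction record carrying EMV tag 84 (DF Name, i.e. the AID) and tag 5A (PAN), the function names are hypothetical, and the sample records are constructed from well-known test card numbers.

```python
# Added example: flag records whose AID (RID = first 5 bytes) and PAN disagree on brand.
RID_BRAND = {"A000000003": "visa", "A000000004": "mastercard"}

def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV reader: one-byte tags, short-form lengths (assumption)."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        if tag & 0x1F == 0x1F or length & 0x80:
            raise ValueError("multi-byte tag or length not handled here")
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out[tag] = value
        i += 2 + length
    return out

def brand_from_aid(aid: bytes) -> str:
    return RID_BRAND.get(aid[:5].hex().upper(), "unknown")

def brand_from_pan(pan: str) -> str:
    if pan.startswith("4"):
        return "visa"
    if len(pan) >= 6 and (51 <= int(pan[:2]) <= 55
                          or 222100 <= int(pan[:6]) <= 272099):
        return "mastercard"
    return "unknown"

def check_record(record: bytes) -> str:
    """Return 'ok', 'mismatch' or 'unknown' for one transaction record."""
    tlv = parse_tlv(record)
    if 0x84 not in tlv or 0x5A not in tlv:   # 84 = DF Name (AID), 5A = PAN
        return "unknown"
    pan = tlv[0x5A].hex().upper().rstrip("F")  # BCD digits, right-padded with F
    if not pan.isdigit():
        return "unknown"
    aid_brand, pan_brand = brand_from_aid(tlv[0x84]), brand_from_pan(pan)
    if "unknown" in (aid_brand, pan_brand):
        return "unknown"
    return "ok" if aid_brand == pan_brand else "mismatch"

# Constructed sample records (well-known test PANs, not real cards).
VISA_AID_VISA_PAN = bytes.fromhex("8407A00000000310105A084111111111111111")
VISA_AID_MC_PAN = bytes.fromhex("8407A00000000310105A085555555555554444")
MC_AID_MC_PAN = bytes.fromhex("8407A00000000410105A085555555555554444")

if __name__ == "__main__":
    for rec in (VISA_AID_VISA_PAN, VISA_AID_MC_PAN, MC_AID_MC_PAN):
        print(check_record(rec))
```

Only the second record, a Visa AID paired with a PAN in the Mastercard range, is reported as a mismatch.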
The experts informed Mastercard of their findings, and the company implemented network-level security mechanisms to prevent such attacks.