Skip to main content

demonstrate the feasibility of the attacks, we developed a proof-of-concept Android application. Our app implements the attacks as man-in-the-middle attacks built on top of a relay attack architecture, using two NFC-enabled phones.

 

EMV, named after its founders Europay, Mastercard, and Visa, is the international protocol standard for in-store smartcard payment. In December 2020, EMVCo reported 9.89 billion EMV cards in circulation worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.

We have specified a comprehensive model of the EMV protocol, using the Tamarin model checker. Using our model, we identified several authentication flaws that lead to two critical attacks: one affecting Visa cards and another affecting Mastercard cards.

The attack on Visa allows criminals to complete a purchase over the PIN-less limit with a victim’s Visa contactless card without knowing the card’s PIN. In other words, the PIN in your Visa card is useless as it won’t protect your card from being used for fraudulent, high-value purchases.

The attack on Mastercard allows criminals to trick a terminal into transacting with a victim’s Mastercard contactless card while believing it to be a Visa card. This card brand mixup has critical consequences since it can be used in combination with the PIN bypass for Visa to also bypass the PIN for Mastercard cards. As a result of our disclosure process, Mastercard has since implemented defense mechanisms, which we experimentally confirmed as effective against the attack.

Demonstrating the attacks

To demonstrate the feasibility of the attacks, we developed a proof-of-concept Android application. Our app implements the attacks as man-in-the-middle attacks built on top of a relay attack architecture, using two NFC-enabled phones.

Image

The outermost devices are the payment terminal (on the left) and the victim’s contactless card (on the right). The phone near the payment terminal is the attacker’s card emulator device and the phone near the victim’s card is the attacker’s POS emulator device. The attacker’s devices communicate with each other over WiFi, and with the terminal and the card over NFC.

For the attacks to work, the criminals must have access to the victim’s card, either by stealing it, finding it if lost, or by holding the POS emulator near it if still in the victim’s possession. The attacks work by modifying the terminal’s commands and the card’s responses before delivering them to the corresponding recipient.

Our app does not require root privileges or any hacks to Android. We have used it on Google Pixel 2 XL and Huawei P Smart 2019 devices.

Attack on Visa

The attack consists in a modification of the Card Transaction Qualifiers (CTQ, a card-sourced data object), before delivering it to the terminal. The modification instructs the terminal that:

  • PIN verification is not required, and
  • the cardholder was verified on the consumer’s device (e.g., a smartphone).

We have successfully tested this attack with Visa Credit, Visa Debit, Visa Electron, and V Pay cards. A video demonstration for a 200 CHF transaction is given below.

This attack may also affect Discover and UnionPay cards. Our findings have been covered by ETH Zurich, ACM TechNews, Schweizer Radio und Fernsehen (SRF), The Hacker News, ZDNet, heise, and a full technical report is given in our paper:

The EMV Standard: Break, Fix, Verify
David Basin, Ralf Sasse, and Jorge Toro-Pozo
42nd IEEE Symposium on Security and Privacy (S&P), 2021
PDF (arXiv) | DOI | BibTex | Tamarin model

Attack on Mastercard

This attack primarily consists in the replacement of the card’s legitimate Application Identifiers (AIDs) with the Visa AID A0000000031010 to deceive the terminal into activating the Visa kernel. The attacker then simultaneously performs a Visa transaction with the terminal and a Mastercard transaction with the card. In the Visa transaction, the attacker applies the aforementioned attack on Visa.

For this attack to work, the terminal’s authorization request must reach the card-issuing bank. Requirements for this include:

  • the terminal does not decline offline even if the card number (PAN) and the AIDs indicate different card brands, and
  • the merchant’s acquirer routes the transaction authorization request to a payment network that can process Mastercard cards.

We have successfully tested this attack with Mastercard Credit and Maestro cards. A video demonstration for a 400 CHF transaction is given below.

This attack may also affect JCB and American Express cards. Our research has been featured by ETH Zurich, ACM TechNews, The Hacker News, and a full technical report is given in our paper:

Card Brand Mixup Attack:
Bypassing the PIN in non-Visa cards by Using Them for Visa Transactions
David Basin, Ralf Sasse, and Jorge Toro-Pozo
30th USENIX Security Symposium, 2021
PDF | BibTex | Tamarin model

FAQ

What cards are affected by these attacks?

We have successfully bypassed the PIN for Visa Credit, Visa Debit, Visa Electron, V Pay, Mastercard Credit, and Maestro cards. Further EMV cards may be affected but we have no proof of this in the wild.

Has there been any response by the affected companies?
What role did Tamarin play in this research?
There have been many attacks on EMV before, what makes these different?
What went wrong? How can such problems be avoided in the future?
Should we protect our cards in a “metal wallet” to prevent them being read remotely?

This might help. Although you still have problems if they are lost or stolen.

What actions should I as a citizen take now to protect myself?

Protection measures recommended by banks apply. Block your card immediately upon realization it is lost or stolen. Check your bank statement regularly, and immediately report to your bank whenever you see an unrecognized transaction. Additionally, whenever you are carrying an EMV contactless card, make sure nobody is holding a device near it against your will. Also, be aware of your back pocket.

Where do I find the Android app?

Nowhere. We do not make it available.

Team

Prof. Dr. David Basin
Dr. Ralf Sasse
Dr. Jorge Toro

Institute of Information Security
Department of Computer Science
ETH Zurich

Comments

Post a Comment

Popular posts from this blog

Track format of magnetic stripe cards by L. Padilla

  Track format of magnetic stripe cards by L. Padilla This page contains an explanation about the format of the three magnetic tracks in standard identification cards, particularly those used in financial transactions, i.e., credit and debit cards. It is a summary of the international standards ISO 7813 (tracks 1 and 2) and ISO 4909 (track 3). Track 1 (IATA) Up to 79 ALPHA 7-bit (including parity) characters (alphanumeric) including SS, ES and LRC. Read only. It comprises the following fields (in this order): SS: Start Sentinel. 1 character: %. FC: Format Code. 1 character (alphabetic only): A: Reserved for proprietary use of card issuer. B: Bank/financial. This is the format described here. C-M: Reserved for use by ANSI Subcommittee X3B10. N-Z: Available for use by individual card issuers. PAN: Primary Account Number. Up to 19 digits: In accordance with the account numbering scheme in ISO 7812. It co
Post a Comment
Read more

Driver's License Calculator: USA STATE DRIVERLICENCE NUMBER

Unique ID Software High Programmer > Alan De Smet > Unique ID > Unique ID Software Unique ID Software by Alan De Smet The Unique ID software can calculate various interesting numbers and codes. Notably, for some states, it can determine your driver's license number from your personal information, to determine your personal information from your driver's license number. This is the software I use to run my Unique ID web tools . You can give it a whirl right now . For more information on the various algorithms supports, see the rest of Unique ID site . As with the rest of the Unique ID site, this is the work of a hobbiest. I strive to make it work as well as possible, but I offer ABSOLUTELY NO WARRANTY. You might want to read my full disclaimer . This program is intended to be run as a CGI (Common Gateway Interface) running under a web server like Apache . You can find further information about CGIs . You will want to consul
Post a Comment
Read more

MODELS 9600/9601/9620/9621 SINGLE-CASSETTE CASH DISPENSER OPERATION MANUAL

For Sales & Service Call: 888-501-5246 MODELS 9600/9601/9620/9621 SINGLE-CASSETTE CASH DISPENSER OPERATION MANUAL FCC COMPLIANCE Warning: Changes or modifications to this unit not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment. Note: This equipment has been tested and found to comply with the limits for a Class A digital device, persuant to Part 15 of FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial envi ronment. This equipment generates, uses, and can radiate radio fre quency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio com munications. Operation of this equipment in a
Post a Comment
Read more