The vulnerability was revealed in a report called “The EMV Standard: Break, Fix, Verify.”
Every time we pay with a credit or debit card, the EMV protocol is used to process the transaction. Developed by Europay, Mastercard and Visa, whose initials give the standard its name, it is used by over 9 billion cards globally.
However, as with anything in cybersecurity, being widespread does not make it immune to vulnerabilities. Recently, three researchers, David Basin, Ralf Sasse and Jorge Toro-Pozo of the Department of Computer Science at ETH Zurich, discovered vulnerabilities in the protocol that would allow an attacker to mount a man-in-the-middle (MITM) attack and thereby carry out fraudulent transactions.
Using a model of the real-world setting, covering the merchant terminal, the cardholder's card and the bank, the researchers found two main vulnerabilities. First, they built an Android app as a proof of concept (PoC) that lets an attacker complete contactless payments without the card's PIN ever being entered.
This is possible because the cardholder verification method data is neither authenticated nor cryptographically protected, so an attacker in the middle can modify it to suit their needs. The researchers demonstrated this with a real transaction worth $190 in a store, using their own cards.
The second vulnerability allows an attacker to trick the merchant into believing that an offline contactless transaction succeeded on the spot, when it later turns out to have been declined. In their report [PDF], the researchers explain:
…in an offline contactless transaction with a Visa or an old Mastercard card, the card does not authenticate to the terminal the Application Cryptogram (AC), which is a card-produced cryptographic proof of the transaction that the terminal cannot verify (only the card issuer can). This enables criminals to trick the terminal into accepting an unauthentic offline transaction.
Later on, when the acquirer submits the transaction data as part of the clearing record, the issuing bank will detect the wrong cryptogram, but the criminal is already long gone with the goods.
This attack, however, was not tested in real stores, for the obvious ethical reason that doing so would have meant defrauding the merchant, even if only for testing purposes.
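To make the gap in the quoted passage concrete, here is an added simulation of the offline flow; it is not code from the report or the researchers. It assumes a constructed issuer/card shared key and uses an HMAC as a stand-in for EMV's actual cryptogram algorithm, and all field names, merchant ids and values are constructed. The point it shows is the one the report makes: an offline terminal holds no issuer key, so it cannot tell a genuine Application Cryptogram from an unauthentic one, and only the issuer detects the mismatch later at clearing.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed secret shared by the card and its issuer. Real EMV cards derive
# per-transaction session keys from an issuer master key; this stand-in is an
# assumption made for the simulation, not the EMV algorithm.
ISSUER_CARD_KEY = b"constructed-issuer-card-key-0001"


@dataclass(frozen=True)
class Transaction:
    """The transaction data the cryptogram covers (constructed field set)."""
    amount_cents: int
    currency: str
    merchant_id: str
    unpredictable_number: str  # terminal-supplied nonce against replay


def transaction_bytes(txn: Transaction) -> bytes:
    """Canonical serialisation so card and issuer MAC exactly the same bytes."""
    return json.dumps(asdict(txn), sort_keys=True).encode()


def card_generate_ac(txn: Transaction, key: bytes = ISSUER_CARD_KEY) -> str:
    """Genuine card: produce the Application Cryptogram (here an HMAC)."""
    return hmac.new(key, transaction_bytes(txn), hashlib.sha256).hexdigest()


def terminal_offline_accept(txn: Transaction, ac: str) -> bool:
    """Offline terminal: it holds no issuer key, so it cannot check the AC.
    The most it can do is confirm the field looks like a cryptogram, which is
    the gap the report describes: an unauthentic AC passes this check."""
    return len(ac) == 64 and all(c in "0123456789abcdef" for c in ac)


def issuer_verify_at_clearing(txn: Transaction, ac: str,
                              key: bytes = ISSUER_CARD_KEY) -> bool:
    """Issuer, at clearing: recompute the AC and compare in constant time."""
    expected = card_generate_ac(txn, key)
    return hmac.compare_digest(expected, ac)


def simulate(txn: Transaction, ac: str) -> tuple[bool, bool]:
    """Return (accepted_by_terminal, accepted_by_issuer) for one cryptogram.
    (True, False) is the 'goods gone, transaction declined later' outcome."""
    return terminal_offline_accept(txn, ac), issuer_verify_at_clearing(txn, ac)


if __name__ == "__main__":
    txn = Transaction(19000, "USD", "constructed-merchant-01", "1a2b3c4d")
    genuine = card_generate_ac(txn)
    forged = "00" * 32  # well-formed hex, but not produced with the issuer key
    print("genuine AC:", simulate(txn, genuine))  # (True, True)
    print("forged AC: ", simulate(txn, forged))   # (True, False)
```

Note that handing the terminal the issuer key would not be a fix, since anyone holding that key could mint valid cryptograms; a terminal-side check has to rest on data the card authenticates to the terminal itself, which is why the remedy lands in terminal software rather than at the issuer.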
To conclude, both vulnerabilities can be fixed by updating payment terminals worldwide rather than the EMV protocol itself. However, with approximately 161 million such terminals in use, many of them in countries with less developed technology infrastructure, the rollout may take a considerable amount of time, during which threat actors can take advantage of the flaws.