A new attack called a "card brand mixup" exploits vulnerabilities in the contactless protocol used in credit cards to deceive a point-of-sale terminal into transacting with a Mastercard card that it believes to be a Visa card, The Hacker News reports.
Researchers from ETH Zurich demonstrated the use of an Android application to initiate a man-in-the-middle attack, which enables the terminal and the card to interact while also manipulating the communications to create a mismatch between the payment network and the card brand.
By deceiving a payment terminal into activating a flawed EMV Kernel, the actors can induce the terminal to accept a contactless transaction with the card’s primary account number and application identifier indicating different brands. This allows them to perform a Visa transaction with the terminal and a Mastercard transaction with the card, the researchers said.
The researchers submitted their findings to Mastercard, which has since introduced several countermeasures.
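The mismatch described above, where the application identifier (AID) and the primary account number (PAN) point to different brands, is something a terminal or acquirer-side validator can test for. The sketch below is an added example, not code from the researchers or from Mastercard, and it is not a description of the countermeasures Mastercard deployed; the function names, the simplified two-brand range table and the sample test card numbers are assumptions made for illustration.

```python
"""Flag transactions whose AID brand disagrees with the PAN brand (illustrative)."""
from typing import Optional

# Registered application provider identifier (RID) = first 5 bytes of the AID.
RID_BRAND = {
    "A000000003": "visa",
    "A000000004": "mastercard",
}


def brand_from_aid(aid_hex: str) -> Optional[str]:
    """Map an AID (hex string, 5 to 16 bytes) to a brand via its RID."""
    aid = aid_hex.replace(" ", "").upper()
    if not 10 <= len(aid) <= 32 or len(aid) % 2:
        return None
    try:
        bytes.fromhex(aid)
    except ValueError:
        return None
    return RID_BRAND.get(aid[:10])


def brand_from_pan(pan: str) -> Optional[str]:
    """Map a PAN to a brand using simplified issuer ranges (assumption:
    only Visa and Mastercard credit/debit ranges are modelled)."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return None
    if digits[0] == "4":
        return "visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    return None


def check_brand_consistency(aid_hex: str, pan: str) -> str:
    """Return 'consistent', 'mismatch', or 'unknown' for an AID/PAN pair."""
    aid_brand = brand_from_aid(aid_hex)
    pan_brand = brand_from_pan(pan)
    if aid_brand is None or pan_brand is None:
        return "unknown"  # unmodelled brand or malformed input: route to review
    return "consistent" if aid_brand == pan_brand else "mismatch"


if __name__ == "__main__":
    # Constructed sample: Visa AID paired with a public Mastercard test PAN.
    print(check_brand_consistency("A0000000031010", "5555555555554444"))
```

A "mismatch" result is the condition to decline or alert on; "unknown" covers brands outside the table and should not be treated as a pass.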