Threat Management

Hack lets attackers bypass MasterCard PIN by using them as Visa cards

A new attack called a "card brand mixup" exploits vulnerabilities in the contactless protocol used in credit cards to deceive a point-of-sale terminal into transacting with a Mastercard what it believes to be a Visa card, The Hacker News reports.

Researchers from ETH Zurich demonstrated how the use of an Android application to initiate a man-in-the-middle attack, which enables the terminal and the card to interact while also manipulating the communications to create a mismatch between the payment network and the card brand.

By deceiving a payment terminal into activating a flawed EMV Kernel, the actors can induce the terminal to accept a contactless transaction with the card’s primary account number and application identifier indicating different brands. This allows them to perform a Visa transaction with the terminal and a Mastercard transaction with the card, the researchers said.

The researchers submitted their findings to Mastercard, which has since introduced several countermeasures.

Jill Aitoro

Jill Aitoro is senior vice president of content strategy for CyberRisk Alliance. She has more than 20 years of experience editing and reporting on technology, business and policy. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.