A team of security researchers has reported a vulnerability that could be exploited to bypass PIN verification in Visa contactless payments. A threat actor using a stolen Visa contactless card could pay for any product above the contactless transaction limit without entering the card's PIN.
In their report the researchers note that the attack is difficult to detect, so payment operators could easily mistake the attacker for a legitimate customer, which could generate millions of dollars in losses.
During the attack, a smartphone running a POS emulator asks the card to make a payment, modifies the transaction details, and sends the altered data over WiFi to a second smartphone, which completes the payment at the real terminal without the PIN being requested. The researchers note that the application developed for the attack does not require root privileges or any other exploit, and state that the attack has already been tested on Huawei and Pixel devices.
On the feasibility of the attack, the researchers attribute it to multiple design flaws in the EMV standard and in Visa's contactless protocol. Because the terminal trusts data it receives from the card, threat actors can alter that data in transit and complete fraudulent transactions: "Broadly speaking, the attack consists of modifying a data object on the card," the researchers mention.
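To make the trust gap described above concrete, here is an added Python model, written for this article rather than taken from the ETH team's code or from any real EMV message format: a card whose "PIN required" data object lies outside the card's cryptographic authentication can have that object flipped by a relay, while a card and terminal that include it in the authenticated data detect the change. HMAC over a constructed shared key stands in for the card's signature, and all field names and amounts are constructed.

```python
import hmac
import hashlib
import json

# Constructed stand-in for the card's signing key. Real cards use asymmetric keys
# chained to the scheme's CA; this is a model of the trust relationship only.
CARD_KEY = b"constructed-card-key"


def _mac(fields):
    """Authentication tag over a canonical encoding of the given fields."""
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()


def card_response(amount, pin_required, sign_flag):
    """Model of a card's reply to a terminal.

    sign_flag=False: the 'pin_required' data object is sent unauthenticated
    (the gap the researchers describe). sign_flag=True: it is covered by the tag.
    """
    signed = {"amount": amount}
    if sign_flag:
        signed["pin_required"] = pin_required
    resp = {"amount": amount, "pin_required": pin_required,
            "signed_fields": sorted(signed)}
    resp["mac"] = _mac(signed)
    return resp


def relay_tamper(resp):
    """What a relay between card and terminal can do: rewrite any field in transit."""
    tampered = dict(resp)
    tampered["pin_required"] = False  # claim that no PIN is needed
    return tampered


def terminal_decide(resp, require_signed_flag):
    """Terminal decision: 'approve', 'pin' (ask the cardholder), or 'reject'.

    A hardened terminal (require_signed_flag=True) only honours a 'no PIN'
    claim when that data object is inside the authenticated fields.
    """
    covered = {k: resp[k] for k in resp["signed_fields"]}
    if not hmac.compare_digest(_mac(covered), resp["mac"]):
        return "reject"  # authenticated data was modified
    if require_signed_flag and "pin_required" not in covered:
        return "pin"  # unauthenticated claim: fall back to cardholder verification
    return "pin" if resp["pin_required"] else "approve"
```

Running the legacy card through `relay_tamper` yields "approve" from a naive terminal and "pin" from the hardened one; once the flag is authenticated, any tampering yields "reject".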
The research was carried out by security experts at the Swiss Federal Institute of Technology (ETH) in Zurich. The report was sent to Visa, but the company has not commented on it publicly.