New Bugs Allow You to Use a Bank Card Without a PIN

We are used to seeing security vulnerabilities that affect our systems, devices and the tools we use. They can put at risk not only proper functioning but also our privacy. Today we report on a new bug that allows an attacker to use a bank card without the PIN. We are going to explain what it consists of.

A bug allows the use of cards without a PIN

As we said, a new vulnerability would allow an intruder to use bank cards without having to enter the PIN. This is a serious problem that puts our security and privacy at risk. We already know that using this type of card to pay online is very common.

This flaw, according to the security researchers whose work we are reporting, affects the EMV protocol. Every time we make a payment with a bank card (whether credit or debit), the EMV communication protocol is used to process the payment. It was developed by Europay, Mastercard and Visa, among others, and is used by more than 9 billion cards worldwide.

However, as with almost any system, there may be vulnerabilities. Three security researchers have found that flaws in the EMV protocol could allow an attacker to carry out a man-in-the-middle attack and thereby conduct fraudulent transactions.

Two vulnerabilities found

To find them, they used a model that simulates a real-world situation involving the merchant's machine, the user's card, and the bank. The researchers found two main vulnerabilities. First, they developed a proof-of-concept Android app that, when used to make contactless payments, would allow the attacker to get through without using a PIN code. And we already know that these types of payments have become very popular lately.

This is possible because the cardholder verification method is not protected by authentication or cryptography, which lets the attacker modify its settings to suit their needs. As an example, the researchers carried out one such transaction, worth almost 200 euros, successfully in a real store using their own cards.
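The following is an added example, not code from the researchers or from the EMV specification: a constructed toy model of why leaving the verification-method field out of the integrity check lets a change in transit go unnoticed, next to the hardened form that covers it. The field names, values, key and the use of an HMAC with a key the terminal can check are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed toy model: names, values and key are illustrative only and
# do not reproduce the EMV message format or its real cryptography.
CARD_KEY = b"constructed-demo-key"

WEAK = {"amount"}              # verification method left unauthenticated
HARDENED = {"amount", "cvm"}   # verification method covered by the MAC


def _mac(fields, covered):
    # Authenticate only the fields named in `covered`, in a fixed order.
    data = "|".join(f"{name}={fields[name]}" for name in sorted(covered))
    return hmac.new(CARD_KEY, data.encode(), hashlib.sha256).hexdigest()


def card_response(amount_cents, cvm, covered):
    # The card states the amount and the verification method it expects.
    fields = {"amount": amount_cents, "cvm": cvm}
    return {**fields, "mac": _mac(fields, covered)}


def terminal_accepts(msg, covered):
    # The terminal recomputes the MAC over the covered fields and compares.
    fields = {"amount": msg["amount"], "cvm": msg["cvm"]}
    return hmac.compare_digest(msg["mac"], _mac(fields, covered))


def altered_in_transit(msg):
    # Models a change to the verification-method field between card and terminal.
    return {**msg, "cvm": "no_pin_required"}


def tamper_detected(covered):
    genuine = card_response(19900, "pin_required", covered)
    if not terminal_accepts(genuine, covered):
        raise RuntimeError("genuine message must verify")
    return not terminal_accepts(altered_in_transit(genuine), covered)


if __name__ == "__main__":
    print("weak design detects the change:    ", tamper_detected(WEAK))
    print("hardened design detects the change:", tamper_detected(HARDENED))
```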

There is also a second vulnerability, which would allow an attacker to mislead the merchant into believing that an offline contactless transaction succeeded on the spot when it is later revealed to have been declined. This would be possible with an old Visa or Mastercard. In this case, however, the researchers did not test it in practice.

Ultimately, these two security flaws could put the use of bank cards at risk. The solution would be as simple as upgrading terminal systems globally. Once again, this demonstrates the importance of keeping everything up to date so that vulnerabilities are corrected.