
New Hack Lets Attackers Bypass MasterCard PIN by Using Them As Visa Card

February 20, 2021

Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim’s Mastercard contactless card while believing it to be a Visa card.

The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a victim’s stolen or lost Visa EMV-enabled credit card for making high-value purchases without knowledge of the card’s PIN, and even fool the terminal into accepting unauthentic offline card transactions.

“This is not just a mere card brand mixup but it has critical consequences,” researchers David Basin, Ralf Sasse, and Jorge Toro said. “For example, criminals can use it in combination with the previous attack on Visa to also bypass the PIN for Mastercard cards. The cards of this brand were previously presumed protected by PIN.”

Following responsible disclosure, ETH Zurich researchers said Mastercard implemented defense mechanisms at the network level to thwart such attacks. The findings will be presented at the 30th USENIX Security Symposium in August later this year.

A Card Brand Mixup Attack

Just like the previous attack involving Visa cards, the latest research also exploits “serious” vulnerabilities in the widely used EMV contactless protocol, only this time the target is a Mastercard card.

At a high level, this is achieved using an Android application that implements a man-in-the-middle (MitM) attack atop a relay attack architecture, thereby allowing the app to not only initiate messages between the two ends — the terminal and the card — but also to intercept and manipulate the NFC (or Wi-Fi) communications to maliciously introduce a mismatch between the card brand and the payment network.

Put differently, if the card issued is Visa or Mastercard branded, then the authorization request needed for facilitating EMV transactions is routed to the respective payment network. The payment terminal recognizes the brand using a combination of what’s called a primary account number (PAN, also known as the card number) and an application identifier (AID) that uniquely identifies the type of card (e.g., Mastercard Maestro or Visa Electron), and subsequently makes use of the latter to activate a specific kernel for the transaction.

An EMV Kernel is a set of functions that provides all the necessary processing logic and data that is required to perform an EMV contact or contactless transaction.

The attack, dubbed “card brand mixup,” takes advantage of the fact that these AIDs are not authenticated to the payment terminal. This makes it possible to deceive a terminal into activating a flawed kernel and, by extension, to deceive the bank that processes payments on behalf of the merchant into accepting contactless transactions with a PAN and an AID that indicate different card brands.

“The attacker then simultaneously performs a Visa transaction with the terminal and a Mastercard transaction with the card,” the researchers outlined.

The attack, however, must meet a number of prerequisites to succeed. Notably, the criminals must have access to the victim’s card and be able to modify the terminal’s commands and the card’s responses before delivering them to the corresponding recipient. What it doesn’t require is root privileges or the exploitation of flaws in Android in order to use the proof-of-concept (PoC) application.

But the researchers note a second shortcoming in the EMV contactless protocol could let an attacker “build all necessary responses specified by the Visa protocol from the ones obtained from a non-Visa card, including the cryptographic proofs needed for the card issuer to authorize the transaction.”

Mastercard Adds Countermeasures

Using the PoC Android app, ETH Zurich researchers said they were able to bypass PIN verification for transactions with Mastercard credit and debit cards, including two Maestro debit and two Mastercard credit cards, all issued by different banks, with one of the transactions exceeding $400.

In response to the findings, Mastercard has added a number of countermeasures, including mandating financial institutions to include the AID in the authorization data, allowing card issuers to check the AID against the PAN.

Additionally, the payment network has rolled out checks for other data points present in the authorization request that could be used to identify an attack of this kind, thereby declining a fraudulent transaction right at the outset.
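
The AID-against-PAN check described above can be sketched as follows. This is an added example, not Mastercard's or the researchers' code: the record layout, function names and the simplified PAN prefix table are assumptions, and the sample records are constructed test values.

```python
# Added example: issuer-side AID/PAN consistency check (simplified, illustrative).
# RID = first 5 bytes (10 hex digits) of the AID, identifying the payment scheme.
RID_BRAND = {
    "A000000003": "visa",        # Visa RID
    "A000000004": "mastercard",  # Mastercard RID (also used by Maestro AIDs)
}

def brand_from_aid(aid_hex):
    """Return the scheme implied by the AID's RID, or None if unknown/malformed."""
    aid = aid_hex.replace(" ", "").upper()
    # An AID is 5 to 16 bytes, i.e. 10 to 32 hex digits.
    if not (10 <= len(aid) <= 32) or len(aid) % 2 or any(c not in "0123456789ABCDEF" for c in aid):
        return None
    return RID_BRAND.get(aid[:10])

def brand_from_pan(pan):
    """Return the scheme implied by the PAN prefix, or None if not recognized.

    Assumption: a reduced prefix table (Visa 4; Mastercard 51-55 and 2221-2720).
    Maestro and other ranges are omitted and therefore come back as None.
    """
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not (12 <= len(digits) <= 19):
        return None
    if digits[0] == "4":
        return "visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    return None

def check_authorization(record):
    """Classify one authorization record: 'ok', 'mismatch', or 'unverifiable'."""
    aid_brand = brand_from_aid(record.get("aid", ""))
    pan_brand = brand_from_pan(record.get("pan", ""))
    if aid_brand is None or pan_brand is None:
        return "unverifiable"   # missing or unrecognized data: do not silently pass
    return "ok" if aid_brand == pan_brand else "mismatch"

# Constructed sample records (well-known test PANs, not real cards).
SAMPLES = [
    {"pan": "5555 5555 5555 4444", "aid": "A0000000041010"},  # Mastercard PAN, Mastercard AID
    {"pan": "5555 5555 5555 4444", "aid": "A0000000031010"},  # Mastercard PAN, Visa AID
    {"pan": "4111 1111 1111 1111", "aid": "A0000000031010"},  # Visa PAN, Visa AID
    {"pan": "5555 5555 5555 4444", "aid": ""},                # AID absent from the request
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["pan"][:4] + "...", rec["aid"] or "(none)", "->", check_authorization(rec))
```

The fourth record shows why the AID has to be mandated in the authorization data: without it the issuer has nothing to compare the PAN against.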


Credit: The Hacker News By: noreply@blogger.com (Ravie Lakshmanan)
