In a troubling development for the cybersecurity landscape, Visa has alerted the public to a JavaScript web skimmer called Baka. Concurrently, a group of researchers from ETH Zurich has identified a critical authentication vulnerability in Visa’s EMV-enabled payment cards, which could be exploited by cybercriminals to unlawfully extract funds from both cardholders and merchants.
The research describes a PIN bypass attack: an attacker holding a lost or stolen card can make purchases above the contactless limit, which would normally require the PIN, without knowing it. A second weakness lets an attacker get offline contactless transactions accepted by a point-of-sale (PoS) terminal that the issuer will only reject later, undermining the integrity of the payment process.
This security flaw pertains to all modern contactless cards operating on the Visa protocol, including Visa’s Credit, Debit, Electron, and V Pay cards. Researchers believe that this issue might extend to EMV protocols used by other payment networks, such as Discover and UnionPay, yet it does not appear to impact systems like Mastercard, American Express, and JCB.
The findings will be formally presented at the 42nd IEEE Symposium on Security and Privacy, slated for May in San Francisco.
Central to the EMV (Europay, Mastercard, and Visa) standard is the rule that transactions above a value limit must be approved with a PIN. The ETH researchers bypass this with a man-in-the-middle (MitM) attack built from two NFC-enabled Android phones: one is held near the victim's card and acts as a terminal towards it, the other is presented to the real PoS terminal and acts as the card, with the two relaying the exchange over a wireless link. The relay rewrites the card's answer so that the terminal believes no PIN is needed because the cardholder has already been verified on their own device, as happens with a phone or smartwatch payment (Consumer Device CVM).
The root of the vulnerability is that the card's Cardholder Verification Method (CVM) data is not authenticated. The Card Transaction Qualifiers (CTQ) field, which tells the terminal whether the card requires online PIN or whether a consumer device already verified the cardholder, is covered neither by the card's cryptogram nor by its signature, so a relay can flip its bits without the terminal or the issuer noticing.
The researchers also reported a weakness in offline contactless transactions with Visa and older Mastercard cards. Here the attacker alters the Application Cryptogram data before it reaches the terminal. The terminal cannot verify the cryptogram itself, since only the issuer holds the key, so it accepts the low-value transaction offline and the cardholder is not charged. The transaction is only checked by the issuer when it is cleared, typically within 24 to 72 hours, which gives the attacker a window in which the goods are already gone before the transaction is rejected.
“This constitutes a ‘free lunch’ attack,” the researchers stated, as it allows for the acquisition of low-cost goods without the associated financial consequences.
The researchers notified Visa of their findings and proposed three software fixes that do not require replacing cards. Two of them are having the card authenticate the CTQ through Dynamic Data Authentication (the signed dynamic data) for high-value transactions, so that a relay can no longer rewrite it undetected, and having PoS terminals request an online cryptogram for every transaction, so that nothing is accepted offline.
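The following Python is an added example, written for this page and not taken from the article or from the ETH Zurich paper. It models the pieces the two paragraphs above describe: the card's GET PROCESSING OPTIONS response as BER-TLV, a simplified terminal that picks a cardholder verification method from the unauthenticated CTQ field, the relay's rewrite of that field (clear "Online PIN required", set "Consumer Device CVM performed"), and a stand-in for the proposed fix in which the CTQ is bound to card-authenticated data. Assumptions: the CTQ bit positions follow the Visa contactless kernel as the author of this example understands them; the CVM decision logic and the 50.00 CVM limit are simplified; the HMAC under a constructed `CARD_KEY` replaces the real DDA RSA signature and issuer certificate chain so the code runs without certificates; all tag values in `build_card_response` are constructed, not captured from a card.

```python
# Added example (not the article's or the paper's code). Models the CTQ rewrite
# of the PIN bypass and a simplified version of the proposed "authenticate the
# CTQ" fix. See the lead-in for what is assumed.
import hashlib
import hmac
from typing import Dict

TAG_AIP, TAG_AC, TAG_CID, TAG_ATC = 0x82, 0x9F26, 0x9F27, 0x9F36
TAG_CTQ, TAG_SDAD = 0x9F6C, 0x9F4B   # Card Transaction Qualifiers, Signed Dynamic Application Data


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """Minimal BER-TLV parser (1- or 2-byte tags, short/long-form lengths).
    Constructed templates 0x70/0x77 are flattened into the same dict."""
    fields: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if (tag & 0x1F) == 0x1F:          # second tag byte follows (e.g. 9F 6C)
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length & 0x80:                 # long form: low bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if tag in (0x70, 0x77):
            fields.update(parse_tlv(value))
        else:
            fields[tag] = value
    return fields


def encode_tlv(fields: Dict[int, bytes]) -> bytes:
    """Re-wrap fields in a 0x77 response template (short-form lengths are enough here)."""
    body = b""
    for tag, value in fields.items():
        assert len(value) < 0x80 and tag < 0x10000
        body += tag.to_bytes(2 if tag > 0xFF else 1, "big") + bytes([len(value)]) + value
    assert len(body) < 0x80
    return b"\x77" + bytes([len(body)]) + body


def terminal_cvm(fields: Dict[int, bytes], amount_cents: int, cvm_limit_cents: int = 5000) -> str:
    """Simplified terminal CVM selection. Above the reader's CVM limit the terminal
    reads the card's CTQ and believes it as received; nothing checks its origin."""
    if amount_cents <= cvm_limit_cents:
        return "NO_CVM"
    ctq = fields[TAG_CTQ]
    if ctq[1] & 0x80:                     # byte 2 bit 8: Consumer Device CVM performed
        return "CDCVM"
    if ctq[0] & 0x80:                     # byte 1 bit 8: Online PIN required
        return "ONLINE_PIN"
    if ctq[0] & 0x40:                     # byte 1 bit 7: Signature required
        return "SIGNATURE"
    return "NO_CVM"


def mitm_rewrite(raw_response: bytes) -> bytes:
    """Relay-side rewrite of the card's response. The cryptogram is passed through
    untouched; it does not cover the CTQ, so the change is invisible to the issuer."""
    fields = parse_tlv(raw_response)
    ctq = bytearray(fields[TAG_CTQ])
    ctq[0] &= 0x7F                        # clear Online PIN required
    ctq[1] |= 0x80                        # claim the consumer device verified the user
    fields[TAG_CTQ] = bytes(ctq)
    return encode_tlv(fields)


# Stand-in for the fix: bind the CTQ to the card's signed dynamic data. The real
# proposal uses the DDA RSA signature; an HMAC under a constructed key is used
# only so this runs stand-alone. CARD_KEY is hypothetical.
CARD_KEY = b"example-card-key-not-real"


def card_sign_dynamic_data(fields: Dict[int, bytes]) -> bytes:
    """Card side: tag over ATC || AC || CTQ, carried in 9F4B."""
    msg = fields[TAG_ATC] + fields[TAG_AC] + fields[TAG_CTQ]
    return hmac.new(CARD_KEY, msg, hashlib.sha256).digest()[:16]


def terminal_verify_ctq(fields: Dict[int, bytes]) -> bool:
    """Terminal side: only trust the CTQ if the signed dynamic data covers it."""
    return TAG_SDAD in fields and hmac.compare_digest(card_sign_dynamic_data(fields), fields[TAG_SDAD])


def build_card_response(online_pin_required: bool = True, signed: bool = False) -> bytes:
    """Constructed sample GPO response: an ARQC with the card asking for online PIN."""
    fields = {
        TAG_AIP: b"\x20\x00",                          # DDA supported
        TAG_CID: b"\x80",                              # ARQC: go online
        TAG_ATC: b"\x00\x2A",
        TAG_AC: bytes.fromhex("0011223344556677"),     # constructed cryptogram value
        TAG_CTQ: (b"\x80" if online_pin_required else b"\x00") + b"\x00",
    }
    if signed:
        fields[TAG_SDAD] = card_sign_dynamic_data(fields)
    return encode_tlv(fields)


if __name__ == "__main__":
    genuine, fixed = build_card_response(), build_card_response(signed=True)
    print("genuine :", terminal_cvm(parse_tlv(genuine), 15000))                 # ONLINE_PIN
    print("relayed :", terminal_cvm(parse_tlv(mitm_rewrite(genuine)), 15000))   # CDCVM
    print("fix, relayed verifies:", terminal_verify_ctq(parse_tlv(mitm_rewrite(fixed))))  # False
```

Run it and the genuine response makes the terminal ask for online PIN while the relayed one is accepted as device-verified with no PIN at all; with the CTQ bound to signed dynamic data, the same rewrite fails verification. The two-phone relay, the wireless hop between them and the real RSA-based DDA are outside this example.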
The researchers conclude that the PIN offers no protection for Visa contactless transactions in practice, and they point to the difference between Visa's and Mastercard's protocols: Mastercard's contactless transactions were not found to be vulnerable to the PIN bypass. The flaws undermine the two properties a card payment rests on, that the cardholder was actually verified and that the transaction data the terminal acts on came from the card unchanged.
Businesses that map incidents to the MITRE ATT&CK framework should note that this is a protocol-level man-in-the-middle on the contactless channel rather than a compromise of a terminal or back-end host: the attacker needs only the card, the two relay phones and physical proximity to a PoS terminal, so host-centric tactics such as initial access, persistence or privilege escalation do not describe it. The lasting fix lies in the payment protocol itself, in authenticating the data the terminal relies on, rather than in hardening the systems around it.