
The contactless payment protocol for Visa bank cards contains a security flaw that allows criminals to make payments through this system without using the PIN code for amounts greater than the established limit.

This was discovered by researchers David Basin, Ralf Sasse and Jorge Toro, from the Federal Polytechnic School of Zurich (Switzerland), who analyzed the security of the EMV card protocol standard, named after its founders Europay, Mastercard and Visa, which as of December 2019 was used in 9,000 million cards worldwide.

Visa bank cards use a security protocol for contactless payments that requires entering the PIN code for amounts above a maximum limit, currently 50 euros.

However, due to the vulnerabilities discovered, anyone who gets hold of a Visa card, or even holds an NFC-enabled phone next to it, could make contactless payments that exceed the established limit.

To carry out this attack, the researchers from the Swiss university used two Android 'smartphones' connected to each other via Wi-Fi and equipped with NFC sensors for mobile payments.

NFC (Near-field communication) technology allows devices to communicate with each other and exchange information and commands (it is used, for example, to pair phones with Bluetooth headsets).

However, both devices must be in contact for it to work, so an attacker would have to place their phone practically against the card.

In any case, if the phones are located near the payment terminal and the credit card, they can communicate with each other through an application (in this case over Wi-Fi) and modify the transaction data before sending it to the payment terminal.

Thus, the card and the terminal, which believe they are communicating with each other, are each actually 'talking' to one of the phones. The phones pass modified messages to each other, and these in turn reach the attacked devices.

In this way, the data that is sent includes additional instructions, such as that the PIN code is not required for the payment, even if it is higher than the limit, and that the owner of the card has been verified on the 'smartphone' used.

According to the researchers, for their study they reproduced the attack on real terminals in real-world stores, although they used their own cards to do so.

This security flaw is present in Visa's contactless payment protocol and, according to the researchers, it may also affect those of Discover and UnionPay.

On the other hand, the study also includes another type of fraud in which an attacker may use his own card to make a low-value offline transaction that will never actually be charged.

The terminal is not capable of detecting the modification, but the bank could (although not in real time).
