The contactless payment protocol for Visa bank cards contains a security flaw that allows criminals to make payments through this system without using the PIN code for amounts greater than the established limit.
This was discovered by researchers David Basin, Ralf Sasse and Jorge Toro, from the Federal Polytechnic School of Zurich (Switzerland), who analyzed the security of the EMV card standard protocol, which is named after its founders Europay, Mastercard and Visa and, in December 2019, was used in 9,000 million cards worldwide.
Visa bank cards use a security protocol for contactless payments that requires entering the PIN code for amounts above a maximum limit, currently 50 euros.
However, due to the vulnerabilities discovered, anyone who gets hold of a Visa card, or even holds an NFC-enabled phone next to one, could make contactless payments that exceed the established limit.
To carry out this attack, the researchers from the Swiss university used two Android 'smartphones' connected to each other via Wi-Fi and equipped with NFC sensors for mobile payments.
NFC (near-field communication) technology allows devices to communicate with each other and exchange information and commands (it is used, for example, to pair phones with Bluetooth headsets).
However, both devices must be almost touching for it to work, so an attacker would have to hold their phone practically against the card.
In any case, if one phone is located near the payment terminal and the other near the credit card, the phones can communicate with each other through an application (in this case over Wi-Fi) and modify the transaction data before sending it to the payment terminal.
Thus, the card and the terminal, which believe they are communicating with each other, are each actually 'talking' to one of the phones; the phones pass modified messages between themselves, and these in turn reach the attacked devices.
In this way, the data sent includes additional instructions, such as that the PIN code is not required for the payment, even if it exceeds the limit, and that the cardholder has been verified on the 'smartphone' used.
According to the researchers, for their study they reproduced the attack on real terminals in real-world stores, although they used their own cards to do so.
This security flaw is present in Visa's contactless payment protocol and, according to the researchers, it may also affect those of Discover and UnionPay.
On the other hand, the study also includes another type of fraud in which an attacker may use his own card to make a low-value offline transaction that will never actually be charged.
The terminal is not capable of detecting the modification, but the bank could (although not in real time).