Hackers Bypass PIN on Contactless Cards

Contactless cards have a severe vulnerability, identified by ETH Zurich, allowing any malicious actor to bypass their PIN codes. Researchers at ETH Zurich found that the exploit uses the man-in-the-middle principle, where hackers take advantage of data exchanged between the card and the card terminal.

According to CyberSecurityNews, hackers require a custom Android application, two Android Smartphones, and a stolen card to exploit this vulnerability successfully.

One smartphone is used to emulate a point of sale terminal and is placed close to the stolen card. The second smartphone behaves as a card emulator that enables the transfer of modified transaction information to a real point of sale device.

The app signals the card terminal that no PIN is needed to enable the transaction and that the cardholder has been verified. ETH Zurich published a similar exploit against Visa cards in September 2020. Since Visa uses a different data transmission standard than its competitors, it was not clear that other card providers would be vulnerable to such an attack until now.

The team at ETH Zurich was able to replicate the process on Maestro cards and Mastercard credit cards, with transactions of up to 400 Swiss francs (USD$436.14).

Experts at ETH Zurich confirmed that the attack was isolated but can be exploited as more ambiguities in contactless payment systems are revealed.