Mastercard and Maestro PIN Bypass: a Test Made by Swiss Researchers
A Vulnerability That Would Have Allowed Hackers to Perform Transactions on the Users’ Behalf.
A Mastercard and Maestro PIN bypass strategy was discovered by Swiss scientists, who used a technique they discovered last year related to Visa cards to test the Mastercard and Maestro ones too. They published a paper on this topic in February 2021 that has been introduced this month at the USENIX security conference.
The vulnerability was related to Mastercard and Maestro contactless cards and would have allowed cybercriminals to exploit it by bypassing PIN verification, because they could have purchased high-priced products using the contactless function of the cards, so skipping the need to introduce the PIN. The vulnerability is however patched now by Mastercard (that owns Maestro too), but further details on how an attack would have worked were revealed.
General Steps on How This Type of Attack Works
This attack makes part of the Man-in-the-Middle (MiTM) scenarios, a topic that my colleague Elena has recently addressed in a well-documented article.
A hacker would need a stolen card, two smartphones that run Android, and an Android application that targets the transaction fields and tempers them. The whole idea is that the hacker will position himself between the card that is stolen and the POS (Point-of-Sale) terminal that will be used to perform the transaction, hence the man-in-the-middle nomenclature.
More exactly, the cybercriminal will install the application on both smartphones. A smartphone will work as a PoS emulator, the other as a card emulator. The smartphone that works as a PoS emulator will make the card start the transaction and the second smartphone is the tool through which the cybercriminal will make a real PoS receive changed transaction info from the stolen card. This way, it would have seemed that a client just performed a transaction using his mobile app.
Mastercard and Maestro PIN Bypass: the Researchers’ Discovery
As per theRecord.’s details, with the technique described above, researchers from ETH Zurich university, Department of Computer Science managed last year, in 2020, to discover a flaw related to contactless Visa cards where they could skip the PIN input phase. They published a paper back then, named “The EMV Standard: Break, Fix, Verify“. Visa Credit, Visa Debit, Visa Electron, and V Pay cards were part of the researchers’ test, allowing them to perform 200 Swiss francs transactions. Therefore, making use of the same tactic now, they discovered a Mastercard and Maestro PIN bypass flaw.
While when they tested the Visa cards back in 2020 the method was to transmit to the PoS terminal that the PIN and the user’s identity had already been checked in order to determine it to skip requiring the code and perform thus a contactless transaction, this time they used the Maestro card to perform the transaction posing as a Visa one, by altering its Application Identifier (AID).
When the kernel for Visa was activated, it reached out to the corresponding bank to check the card. Then, the payment could be finalized without the need for the PIN, following the last year’s methods regarding VISA cards. This way, researchers could engage in transactions worth up to 400 Swiss francs.
Both companies were warned about this issue and Mastercard provided patches this year for the issue, but Visa did not share any input as it is known at the present moment. The experts have also mentioned that they will not make public the Android application that can be used to engage in these kinds of transactions.
A demonstration of a Mastercard and Maestro PIN bypass is available on YouTube and it only shows how fast such an attack could take place: