There are two ways in which you can make a credit card or a debit card transaction at a physical store or shop. There is the contactless tap and pay method, which is now applicable for transactions up to Rs 5,000 in India. The second is that you punch in a PIN for your credit card on the payment terminal, to complete the transaction. Now, it turns out, all that hackers may need is an Android app that can plug into the card machine and give it the false indication that no PIN is required. The researchers at ETH Zurich, or Eidgenössische Technische Hochschule Zürich, have indicated that credit cards that are Mastercard or Maestro, can be prone to bypass methods. Earlier, this method also worked on Visa credit and debit cards.
To illustrate this exploit, the researchers used an Android app and two phones that have NFC, or Near Field Communication. The app falsely signals to the card terminal that is in the process of receiving the payment, that no PIN is required to complete the transaction and that the card owner’s identity has been verified. “Our method tricks the terminal into thinking that a Mastercard card is a VISA card,” explains Jorge Toro, who works at the Information Security Group and is one of the authors of the research paper. Toro goes on to add that the reality was much more complex than it sounds, with two sessions having to run concurrently for it to work: the card terminal performs a VISA transaction, while the card itself performs a Mastercard transaction. The researchers used these methods on two Mastercard credit cards and two Maestro debit cards issued by four different banks.
The researchers say they have informed Mastercard about these vulnerabilities and since then, Mastercard has implemented measures which the researchers confirm are effective. The researchers say that the security flaws found in contactless payment cards are due primarily to EMV, an international protocol standard that applies to such cards. Errors in logic within this set of rules are difficult to detect too.