
The vulnerability enables fraudsters to obtain funds from lost or stolen cards even though payments of that size are supposed to be confirmed by entering a PIN code. The issue is present only on Visa credit and debit cards, the researchers state, even though Visa belongs to the EMV organisation that draws up the standards for credit and debit cards.
Other companies, such as Mastercard, American Express and JCB, don't use the same protocol as Visa, so these cards are not affected by the security loophole. However, the flaw may also apply to the cards issued by Discover and UnionPay, which use a protocol similar to Visa's.
The researchers developed an Android application that reads data from the card's chip and exchanges messages with payment terminals, and installed it on two NFC-enabled mobile phones.
To obtain funds, the first phone is used to read the card's details and relay them to the second phone. The second phone is used at the same time to make the payment at the checkout, just as a phone is routinely used for purchases below the PIN security limit. Because the app declares that the customer is the authorised user of the card, the terminal approves the fraudulent payment even though the amount exceeds the limit and should require PIN verification.
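The terminal-side weakness described above is that a "cardholder already verified" claim is accepted without being tied to anything the relaying device cannot forge. The following toy model is an added illustration, not code from the researchers, Visa or the EMV specifications: a card record carries an amount, a cardholder-verified flag and an authentication tag, and two terminal policies are compared. The weak policy trusts the flag on its own; the hardened policy only honours it when the tag, computed with a key the relay does not hold, covers both the amount and the flag. The field names, the HMAC construction, the key and the limit are all assumptions chosen for the demonstration.

```python
"""Toy comparison of a terminal that trusts an unauthenticated
"cardholder verified" claim with one that requires the claim to be
covered by an authentication tag. Constructed example; not EMV code."""
import hashlib
import hmac
from dataclasses import dataclass, replace

PIN_LIMIT = 50_00            # assumed PIN-free limit, in minor units (50.00)
ISSUER_KEY = b"demo-issuer-key"  # constructed; stands in for a card-bound secret


@dataclass(frozen=True)
class CardRecord:
    amount: int               # transaction amount in minor units
    cardholder_verified: bool # "the customer is the authorised user"
    tag: bytes                # MAC over (amount, cardholder_verified)


def _authenticated_bytes(amount: int, verified: bool) -> bytes:
    # Canonical encoding of the fields the tag protects.
    return f"{amount}|{int(verified)}".encode()


def card_sign(amount: int, verified: bool, key: bytes = ISSUER_KEY) -> CardRecord:
    """Produce the record a genuine card (or wallet) would emit, with its tag."""
    tag = hmac.new(key, _authenticated_bytes(amount, verified), hashlib.sha256).digest()
    return CardRecord(amount, verified, tag)


def terminal_decide(rec: CardRecord, trust_unauthenticated_claim: bool,
                    key: bytes = ISSUER_KEY) -> str:
    """Return 'approve', 'ask_pin' or 'decline' for the given record.

    trust_unauthenticated_claim=True models the weak policy: the flag is
    believed as sent. False models the hardened policy: the flag counts
    only if the tag over (amount, flag) verifies.
    """
    if rec.amount <= PIN_LIMIT:
        return "approve"  # below the limit no PIN is required either way
    if trust_unauthenticated_claim:
        return "approve" if rec.cardholder_verified else "ask_pin"
    expected = hmac.new(key, _authenticated_bytes(rec.amount, rec.cardholder_verified),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(rec.tag, expected):
        return "decline"  # claim or amount altered in transit
    return "approve" if rec.cardholder_verified else "ask_pin"


def tampered_record(rec: CardRecord) -> CardRecord:
    """Model a device in the middle that edits the unauthenticated flag but
    cannot recompute the tag because it does not hold the key."""
    return replace(rec, cardholder_verified=True)


if __name__ == "__main__":
    genuine = card_sign(120_00, verified=False)   # stolen card, no PIN entered
    altered = tampered_record(genuine)
    for name, rec in [("genuine", genuine), ("altered", altered)]:
        print(name, "weak:", terminal_decide(rec, True),
              "hardened:", terminal_decide(rec, False))
```

Run as a script, the weak terminal approves the altered record over the limit without a PIN, while the hardened terminal declines it because the flag no longer matches the tag; a wallet that legitimately verified its user (a signed record with the flag set) is still approved by the hardened terminal, so the fix does not break the consumer-device case.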