{"id":187640,"date":"2021-02-23T16:54:08","date_gmt":"2021-02-23T13:54:08","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/security-flaw-detected-for-the-second-time-in-credit-cards\/"},"modified":"2021-02-23T16:54:08","modified_gmt":"2021-02-23T13:54:08","slug":"security-flaw-detected-for-the-second-time-in-credit-cards","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/security-flaw-detected-for-the-second-time-in-credit-cards\/","title":{"rendered":"#Security flaw detected for the second time in credit cards"},"content":{"rendered":"<p>&#8220;<strong>#Security flaw detected for the second time in credit cards<\/strong>&#8221;<\/p>\n<div>\n<div class=\"article-gallery lightGallery\">\n<div data-thumb=\"https:\/\/scx1.b-cdn.net\/csz\/news\/tmb\/2018\/creditcard.jpg\" data-src=\"https:\/\/scx2.b-cdn.net\/gfx\/news\/hires\/2018\/creditcard.jpg\" data-sub-html=\"Credit: CC0 Public Domain\">\n<figure class=\"article-img\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/scx1.b-cdn.net\/csz\/news\/800a\/2018\/creditcard.jpg\" alt=\"credit card\" title=\"Credit: CC0 Public Domain\" width=\"800\" height=\"530\"\/><figcaption class=\"text-darken text-low-up text-truncate-js text-truncate mt-3\">\n                Credit: CC0 Public Domain<br \/>\n            <\/figcaption><\/figure>\n<\/div>\n<\/div>\n<p>After finding a vulnerability in certain credit cards for the first time last year, ETH researchers have now found a way to outsmart the PIN codes for other payment cards.<\/p>\n<p>                                                                                Making a contactless payment with a credit or debit card is quick and easy, and has proved particularly useful during the current pandemic. For added security, the user has to enter a PIN code above a certain amount (usually CHF 80 in Switzerland) \u2013 at least, that&#8217;s the theory. As three researchers in the Information Security Group at ETH Zurich were able to show, these security measures can be bypassed with certain cards. The first time the researchers were able to document how credit cards could be used without a PIN code was in summer 2020, using Visa cards. The team have now disclosed that another bypass is possible with other types of payment cards, namely Mastercard and Maestro.<\/p>\n<p>The methods used by the researchers are based on the &#8220;man-in-the-middle&#8221; principle, where attackers exploit the data exchanged between two communication partners (in this case the card and the card terminal). To replicate this effect, the researchers used an Android <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a> they had created and two NFC-enabled mobile phones. The app falsely signaled to the card terminal that no PIN was required to authorize the payment and that the card owner&#8217;s identity had been verified. Initially, the method worked only on VISA cards, as other providers use a different protocol (a protocol governs data transmission).<\/p>\n<figure class=\"mb-4\" itemscope=\"\" itemtype=\"http:\/\/schema.org\/VideoObject\"><meta itemprop=\"name\" content=\"Security flaw detected for the second time in credit cards\"\/><meta itemprop=\"url\" content=\"https:\/\/youtu.be\/8d7UgIiMRBU\"\/><meta itemprop=\"description\" content=\"Credit: ETH Zurich\"\/><meta itemprop=\"uploadDate\" content=\"2021-02-23T08:04:24-05:00\"\/><meta itemprop=\"embedUrl\" content=\"https:\/\/www.youtube.com\/embed\/8d7UgIiMRBU\"\/><meta itemprop=\"thumbnailUrl\" content=\"https:\/\/img.youtube.com\/vi\/8d7UgIiMRBU\/maxresdefault.jpg\"\/><br \/>\n             <iframe loading=\"lazy\" title=\"Demo: Bypassing the PIN for a Maestro card\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/8d7UgIiMRBU?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><figcaption class=\"text-darken text-low-up mt-4\" itemprop=\"caption\">Credit: ETH Zurich<\/figcaption><\/figure>\n<p><b>Security measures outsmarted in two ways<\/b><\/p>\n<p>At first glance, the second idea behind bypassing the PIN code verification step appears simple: &#8220;Our method tricks the terminal into thinking that a Mastercard card is a VISA card,&#8221; explains Jorge Toro, who works at the Information Security Group and is one of the authors of the research paper. Toro goes on to add that the reality was much more complex than it sounds, with two sessions having to run concurrently for it to work: the card terminal performs a VISA transaction, while the card itself performs a Mastercard transaction. The researchers used these methods on two Mastercard credit cards and two Maestro debit cards issued by four different banks.<br \/>\n                                            <!-- Google middle Adsense block --><\/p>\n<p>The researchers informed Mastercard im<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">media<\/a>tely after they made their discovery. They were able to confirm experimentally that the defenses put in place by Mastercard are effective. &#8220;It was both enjoyable and exciting to work with the company on this,&#8221; explains Toro. Mastercard updated the relevant safeguards and asked the researchers to try to attack the payment process in the same way again, and this time it failed. The researchers will present their paper with a full overview of the method at the USENIX Security &#8217;21 symposium in August.<\/p>\n<p><b>EMV standard as a source of error<\/b><\/p>\n<p>The security flaws found in contactless payment cards are due primarily to EMV, an international protocol standard that applies to such cards. Errors in logic within this set of rules are difficult to detect, not least given that the standard is more than 2,000 pages in length. The ETH researchers emphasize on their project website that such systems must increasingly be reviewed automatically, as the process is too complex for human beings.\n                                                                                                                        <\/p>\n<hr\/>\n<hr class=\"mb-4\"\/>\n<p>                                        <!-- print only --><\/p>\n<div class=\"d-none d-print-block\">\n<p>                                                 <strong>Citation<\/strong>:<br \/>\n                                                 Security flaw detected for the second time in credit cards (2021, February 23)<br \/>\n                                                 retrieved 24 February 2021<br \/>\n                                                 from https:\/\/techxplore.com\/<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/news\/\" data-internallinksmanager029f6b8e52c=\"2\" title=\"News\" target=\"_blank\" rel=\"noopener\">news<\/a>\/2021-02-flaw-credit-cards.html<\/p>\n<p>                                            This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no<br \/>\n                                            part may be reproduced without the written permission. The content is provided for information purposes only.<\/p><\/div>\n<\/p><\/div>\n<p><script id=\"facebook-jssdk\" async=\"\" src=\"https:\/\/connect.facebook.net\/en_US\/sdk.js\"><\/script><\/p>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMLG0nwswvr63Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong>\n<\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more Like this articles, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/science\/\" target=\"_blank\" rel=\"noopener\">Science category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techxplore.com\/news\/2021-02-flaw-credit-cards.html\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Security flaw detected for the second time in credit cards&#8221; Credit: CC0 Public Domain After finding a vulnerability in certain credit cards for the first time last year, ETH researchers have now found a way to outsmart the PIN codes for other payment cards. Making a contactless payment with a credit or debit card is&#8230;<\/p>\n","protected":false},"author":1,"featured_media":187641,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/scx2.b-cdn.net\/gfx\/news\/hires\/2018\/creditcard.jpg","fifu_image_alt":"","footnotes":""},"categories":[16],"tags":[],"class_list":["post-187640","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sciencee"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/187640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=187640"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/187640\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/187641"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=187640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=187640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=187640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}