“PIN code is basically unnecessary on these cards,” says Jorge Toro-Pozo in an article published Tuesday on the website of the Swiss Federal Institute of Technology in Zurich (ETH). With two colleagues, this Swiss researcher discovered a flaw in the security of Visa bank cards, more precisely in the EMV standard, the international security protocol developed in the 1990s by the three giants of this sector: Europay, Mastercard and Visa (hence EMV).
During their experiments, the three researchers used two NFC-compatible smartphones (NFC is what makes it possible, in particular, to pay by holding the device a few centimeters from a terminal) on which they installed an application developed for the occasion. Using NFC, the first phone reads the information from the bank card and transfers it to the second phone, which is then used to make the purchase.
The application, for its part, makes it possible to bypass the card’s security system by modifying, as it passes between the two phones, certain transaction data that the bank card generates for the payment terminal. With this manipulation, a malicious person can use the card’s contactless payment for any amount without ever having to enter the card’s 4-digit PIN, as Numerama explained.
The researchers filmed their experiment in a short video.
The three Swiss scientists tested their discovery in various stores with their own bank cards. “Fraud works with debit and credit cards that have been issued in different countries, in different currencies,” explains Jorge Toro-Pozo.
The researchers alerted Visa to the security flaw and said it could be easily fixed. “There are three additions to the protocol that could be installed on payment terminals during the next software update,” explains Jorge Toro-Pozo. “The effort for this would be minimal. Cards do not need to be replaced and all additions are EMV compliant,” he reassures.
Visa reassures users
Contacted by Le Figaro, Visa wishes to reassure users of the approximately 9 billion Visa cards. “Contactless payment cards are very secure. Incorporating the same secure technology as EMV smart cards, contactless cards are extremely effective in preventing counterfeiting, as they rely on a one-time code that prevents compromised data from being reused in the context of fraud,” says the company, which also specifies “that the number of contactless frauds has not increased in 2020 in Europe.”
Visa also explains that the security of its cards is its priority: “Visa takes all security-related threats seriously, and we appreciate the efforts of industry and academia to strengthen payment security. Consumers can continue to use their Visa cards with confidence. Developments in staged fraud methods have been studied for nearly a decade.”
Finally, the American company indicates that it has not identified any fraud of this type. According to Visa, the complexity of the system put in place by the Zurich researchers would make it difficult for would-be fraudsters to reproduce: “Studies and tests can be interesting, but in reality these kinds of methods have proved impractical for fraudsters to set up in the real world.”