
    PIN protection is cracked for contactless payments

    Contactless card payments typically work without a PIN only up to 30 dollars. For higher amounts, the PIN is requested. This is supposed to limit the misuse of stolen or hacked cards. But researchers demonstrated that this PIN query can easily be bypassed, at least with Visa cards. The attack relies on an intermediary between the payment terminal and the card that manipulates the transaction. Specifically, this function is taken over by two cell phones that communicate with each other over WLAN, each of which runs an app developed by the researchers.

    One cell phone simulates a card or a smartphone with a payment function. The attacker holds it to the shop's payment terminal. This phone then transmits all transaction data to the second cell phone, which is located in the immediate vicinity of the Visa card being used to pay. The second phone, in turn, pretends to be the payment terminal. The key point is that the app can manipulate the transaction in the process: it makes a change in the data stream. With this change, the app assures the payment terminal that no online PIN verification has to take place because the customer has correctly identified himself to the smartphone. This works because the standard provides for contactless payments with a smartphone, in which the owner identifies himself with his smartphone PIN.

    The researchers were able to pay for products of any amount with Visa cards without entering the PIN. They demonstrated this a few times in shops with this payment method. The researchers used their own credit cards for this.

    Unsecured Transaction Data

    The method is reminiscent of earlier attacks on credit cards used by criminals, in which soldered chips took over this role. Visa's mistake is that the manipulation goes unnoticed because the changed data is not cryptographically secured.
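
    The root cause named above, as an added example (not the researchers' code and not the real card message format): a toy model in which the "verified on device" flag is either left out of, or included in, the card's message authentication code. The key, the field names and the byte layout are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

CARD_KEY = b"constructed-demo-key"  # constructed; stands in for a card/issuer secret
PIN_LIMIT_CENTS = 3000              # the "typically 30 dollars" limit from the article

@dataclass(frozen=True)
class CardResponse:
    amount_cents: int
    verified_on_device: bool  # hypothetical flag: "holder verified on phone, no PIN"
    mac: bytes

def _covered(amount_cents, flag, protect_flag):
    # Bytes the MAC is computed over; the flag is included only in the fixed design.
    data = amount_cents.to_bytes(8, "big")
    return data + bytes([flag]) if protect_flag else data

def _mac(data):
    return hmac.new(CARD_KEY, data, hashlib.sha256).digest()

def card_respond(amount_cents, protect_flag):
    # A plastic card cannot verify its holder, so it always reports False.
    return CardResponse(amount_cents, False,
                        _mac(_covered(amount_cents, False, protect_flag)))

def terminal_asks_for_pin(resp):
    return resp.amount_cents > PIN_LIMIT_CENTS and not resp.verified_on_device

def issuer_accepts(resp, protect_flag):
    expected = _mac(_covered(resp.amount_cents, resp.verified_on_device, protect_flag))
    return hmac.compare_digest(resp.mac, expected)

def flag_changed_in_transit(resp):
    # Models the article's in-between device altering the unprotected flag.
    return replace(resp, verified_on_device=True)

def simulate(protect_flag, amount_cents=5000):
    # Returns (terminal asks for PIN, issuer accepts) for a modified response.
    seen = flag_changed_in_transit(card_respond(amount_cents, protect_flag))
    return terminal_asks_for_pin(seen), issuer_accepts(seen, protect_flag)

if __name__ == "__main__":
    print("flag outside MAC:", simulate(False))  # change goes unnoticed
    print("flag inside MAC: ", simulate(True))   # issuer rejects the change
```

    With the flag outside the authenticated data, the altered response skips the PIN and still verifies; once the flag is covered, the same alteration fails verification and the transaction can be declined.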
