Contactless card payments typically work without a PIN only up to 30 dollars. For higher amounts, the PIN is requested. This is supposed to limit the misuse of hacked or stolen cards. But researchers demonstrated that this PIN query can easily be circumvented, at least with Visa cards. The attack is based on an intermediary between the payment terminal and the card that manipulates the transaction. Specifically, this function is taken over by two cell phones that communicate with each other over WLAN, each running an app developed by the researchers.
One cell phone simulates a card or a smartphone with a payment function. The attacker holds it to the shop’s payment terminal. The cell phone then transmits all transaction data to the second mobile phone, which is located in the immediate vicinity of the Visa card that is to be used for payment. The second phone, in turn, pretends to be the payment terminal. The key point is that it can manipulate the transaction in the process. The app makes its change directly in the data stream. With this change, the app assures the payment terminal that no online PIN verification has to take place because the customer has correctly identified himself to the smartphone. This works because the standard provides for contactless payments with the smartphone, in which the owner identifies himself with his smartphone PIN.
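The manipulation leaves an inconsistency that an issuer can test for: a plastic card cannot have verified its holder with a smartphone PIN. The following added example (not code from the researchers or from any payment network) sketches that check. The account IDs, field names, verification labels and issuer lookup table are all hypothetical, and the 30-dollar limit is the article's typical figure.

```python
from dataclasses import dataclass

NO_PIN_LIMIT = 30.00  # the article's "typically 30 dollars"; real limits vary

# Hypothetical issuer records: what kind of device each account was issued on.
ISSUED_FORM_FACTOR = {"acct-001": "plastic_card", "acct-002": "phone_wallet"}


@dataclass
class AuthRequest:
    account: str
    amount: float
    cvm_reported: str  # hypothetical labels: "none", "online_pin", "device"


def review(req: AuthRequest) -> tuple[str, str]:
    """Return (decision, reason) for one contactless authorization request."""
    form = ISSUED_FORM_FACTOR.get(req.account)
    if form is None:
        return "decline", "unknown account"
    # A plastic card has no screen or keypad, so it cannot have verified its
    # holder on the device. Such a claim means the data was altered in transit.
    if req.cvm_reported == "device" and form != "phone_wallet":
        return "decline", "device verification claimed for a plastic card"
    # Above the limit, some form of cardholder verification must be present.
    if req.amount > NO_PIN_LIMIT and req.cvm_reported == "none":
        return "decline", "above no-PIN limit without cardholder verification"
    return "approve", "verification method consistent with issued device"


# Constructed sample requests, not real transaction data.
SAMPLE = [
    AuthRequest("acct-001", 12.50, "none"),         # small tap, no PIN needed
    AuthRequest("acct-001", 180.00, "online_pin"),  # large tap, PIN entered
    AuthRequest("acct-002", 180.00, "device"),      # genuine phone wallet
    AuthRequest("acct-001", 180.00, "device"),      # plastic card, device claim
]


def run_samples() -> list[str]:
    """Decisions for the constructed sample requests, in order."""
    return [review(r)[0] for r in SAMPLE]


if __name__ == "__main__":
    for req in SAMPLE:
        print(req, "->", review(req))
```

The check relies on the issuer knowing the form factor from its own records rather than from transaction data, since the attack described above works by altering what travels between card and terminal.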