On its website, Visa advertises the contactless payment feature as “convenient and secure.” How true the second promise is remains questionable. ETH Zurich researchers have not only been able to outsmart the payment system in general, but have also managed to bypass the PIN request. This allowed them to use other people's Visa cards and purchase products in any price category without entering the PIN that is normally required.
Hacked Visa NFC chip
In Germany, products with a value of up to 50 euros can be paid for contactlessly without a PIN or signature. The limit can sometimes even be set individually, but with Visa cards, at least, this restriction can be overridden. As Heise online reported, the researchers used a so-called man-in-the-middle attack. They used two smartphones connected to each other via Wi-Fi. One of the devices was close to the payment terminal, while the other had to be close to the Visa card. The latter posed as a payment terminal and was also perceived as such by the Visa card. This allowed transactions to be started remotely.
In addition, a special application modified the transmitted data. To the actual payment terminal, it appeared as if the user had already been verified on a smartphone, for example by fingerprint or Face ID. As a result, no further PIN was required.
The researchers have also successfully applied this method in practice. According to Heise online, however, it worked only for Visa cards where the modified data is not cryptographically protected. With Mastercard, the “attackers” were unsuccessful.
Germans want to pay without contact
The current security gap can be closed with relatively little effort. However, it underscores that the technology is far from being truly safe in general. After all, Visa is one of the largest payment card companies and has certainly invested heavily in the digital security of transactions.
This is also problematic from another point of view. According to a representative survey by the digital association Bitkom, German citizens are increasingly using contactless payment in view of the coronavirus crisis. About 75 percent of respondents (aged 16 and over) said they wanted to avoid cash payments as often as possible. 71 percent also wanted more options for contactless payments.
Contactless payment is generally not insecure
Before labeling contactless payment as completely insecure: no virtual transaction can be absolutely secure. Any system that is connected to the Internet can be hacked, so there is always some risk. However, with contactless payment, you can minimize this risk yourself by keeping the payment card in a special NFC protective cover. This blocks incoming and outgoing signals and therefore offers some additional protection against man-in-the-middle attacks.