Your Credit Card Transactions May Have Been At Serious Risk Because Of A Man With An Android App

There are two ways you can complete a credit card or debit card transaction in a physical store or store. There is the contactless payment method, which is now applicable for transactions up to Rs 5000 in India. The second is that you enter a PIN code for your credit card on the payment terminal, to complete the transaction. Now, it turns out that all hackers can ever need is an Android app that can plug into the card machine and give it the false indication that no PIN is required. Researchers from ETH Zurich, or the Eidgenössische Technische Hochschule Zürich, have indicated that Mastercard or Maestro credit cards may be prone to circumvent the methods. Previously, this method also worked on Visa credit and debit cards.

To illustrate this feat, the researchers used an Android app and two phones with NFC technology, or Near Field Communication. The application falsely signals to the card terminal that is receiving the payment that no PIN code is required to complete the transaction and that the identity of the card owner has been verified. “Our method tricks the terminal into thinking that a Mastercard is a VISA card,” explains Jorge Toro, who works at the Information Security Group and is one of the authors of the research paper. Toro adds that the reality was much more complex than it looks, with two sessions having to run simultaneously for this to work: the card terminal performs a VISA transaction, while the card itself performs a Mastercard transaction. . The researchers used these methods on two Mastercard credit cards and two Maestro debit cards issued by four different banks.

Researchers claim to have informed Mastercard of these vulnerabilities and since then Mastercard has implemented measures that researchers confirm to be effective. Researchers say the security holes found in contactless payment cards are primarily due to EMV, an international protocol standard that applies to these cards. Logic errors within this set of rules are also difficult to detect.