Contactless cards have a serious vulnerability, identified by ETH Zurich, allowing any malicious actor to bypass your PIN codes. The ETH Zurich researchers found that the exploit uses the man in the middle principle, where hackers take advantage of the data exchanged between the card and the card terminal.
According to CyberSecurityNews, hackers need a custom Android application, two Android smartphones, and a stolen card to successfully exploit this vulnerability.
A smartphone is used to emulate a point of sale terminal and is placed near the stolen card. The second smartphone behaves like a card emulator allowing the transfer of modified transaction information to a real point of sale device.
The application tells the card terminal that a PIN is not required to allow the transaction and that the cardholder has been verified. ETH Zurich published a similar exploit against Visa cards in September 2020. Since Visa uses a different data transmission standard than its competitors, it was not clear that other card providers were vulnerable to such an attack until now.
The ETH Zurich team was able to replicate the process on Maestro cards and Mastercard credit cards, with transactions of up to 400 Swiss francs (USD $ 436.14).
Experts at ETH Zurich confirmed that the attack was isolated but may be exploited as more ambiguities are revealed in contactless payment systems.