A team of researchers from the Swiss university ETH Zurich has demonstrated a vulnerability that allows the PIN to be bypassed on Mastercard and Maestro cards. The research was conducted using Android smartphones running Android KitKat or later, with communication over WiFi.
“The attacker fools the terminal into believing that the card being used is a Visa card and then applies the recent PIN bypass attack that we reported on Visa. We have built an Android application and successfully used it to carry out this attack for transactions with both Mastercard debit and credit cards, including a transaction for over 400 USD with a Maestro debit card. Finally, we extend our formal model of the EMV contactless protocol to machine-check fixes to the issues found,” reads the research paper.
The researchers used the following resources for the proof of concept:
(1) a SumUp Plus Card Reader;
(2) a mobile phone running the SumUp app and connected over Bluetooth to the SumUp reader;
(3) an Android phone running their app in Card Emulator mode;
(4) an Android phone running their app in POS Emulator mode;
(5) a contactless card.
During the PoC, the researchers successfully bypassed the PIN with a simple MitM attack: the POS emulator device is placed near the card and tricks it into initiating a transaction, while the captured transaction is relayed in real time to make a payment at a real POS terminal.
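The attack works because the terminal accepts the brand the relayed card claims (Visa) without comparing it against the card data it reads afterwards. The following check is an added illustration, not code from the article or from the ETH Zurich paper: it compares the brand of the EMV application the terminal selected (by its AID) with the brand implied by the PAN's issuer prefix, so a Mastercard or Maestro PAN arriving under a Visa AID is rejected. The AIDs and issuer prefixes are public scheme values; the PANs used are constructed test numbers, and the Maestro prefix table is assumed to be partial.

```python
# Added illustration (not code from the article or the ETH Zurich paper): a
# terminal-side check that the brand of the EMV application selected by AID
# agrees with the brand implied by the PAN the card later returns. AIDs and
# issuer prefixes are public scheme values; the PANs are constructed test numbers.

AID_BRAND = {                       # well-known EMV application identifiers
    "A0000000031010": "visa",
    "A0000000041010": "mastercard",
    "A0000000043060": "maestro",
}

# Partial table of public Maestro issuer prefixes (illustrative, not exhaustive).
MAESTRO_PREFIXES = ("5018", "5020", "5038", "5893", "6304", "6759", "6761", "6762", "6763")

def luhn_ok(pan: str) -> bool:
    """True if the PAN's Luhn check digit is valid (catches corrupted reads)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_from_pan(pan: str) -> str:
    """Infer the brand from the issuer identification number (leading digits)."""
    if pan.startswith("4"):
        return "visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    if pan.startswith(MAESTRO_PREFIXES):
        return "maestro"
    return "unknown"

def check_brand_consistency(selected_aid: str, pan: str) -> dict:
    """Decide whether the card data agrees with the application the terminal selected."""
    if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
        return {"ok": False, "reason": "invalid PAN"}
    aid_brand = AID_BRAND.get(selected_aid.upper(), "unknown")
    pan_brand = brand_from_pan(pan)
    if "unknown" in (aid_brand, pan_brand):
        return {"ok": False, "reason": "unrecognised AID or issuer prefix"}
    if aid_brand != pan_brand:
        return {"ok": False, "reason": f"AID says {aid_brand}, PAN says {pan_brand}"}
    return {"ok": True, "reason": "brand consistent"}

if __name__ == "__main__":
    print(check_brand_consistency("A0000000031010", "4111111111111111"))  # consistent
    print(check_brand_consistency("A0000000031010", "5555555555554444"))  # brand mismatch
```

A mismatch here is the signal a terminal or acquirer can use to decline the transaction instead of proceeding with the Visa flow.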
The complete study of this PoC can be found here.