A team of researchers from ETH Zurich, a Swiss university, has demonstrated a vulnerability that allows the PIN code to be bypassed on Mastercard and Maestro cards. The research was conducted using Android smartphones running Android KitKat or a later version, with communication enabled over WiFi.

“The attacker fools the terminal into believing that the card being used is a Visa card and then applies the recent PIN bypass attack that we reported on Visa. We have built an Android application and successfully used it to carry out this attack for transactions with both Mastercard debit and credit cards, including a transaction for over 400 USD with a Maestro debit card. Finally, we extend our formal model of the EMV contactless protocol to machine-check fixes to the issues found.” reads the research paper.

Maestro PIN bypass

The researchers used the following resources for the proof of concept:

(1) SumUp Plus Card Reader,

(2) mobile phone running the SumUp app and connected over Bluetooth to the SumUp

(3) Android phone running our app in Card Emulator

(4) Android phone running our app in POS Emulator mode, and

(5) contactless card.

During the PoC, the researchers successfully bypassed the PIN with a simple MitM attack: the POS emulator device is placed near the card and tricks the card into initiating the transaction, while the captured transaction can be used to make real-time payments at real POS outlets.

The complete study of this PoC can be found here.
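
From the defender's side, the brand mixup described above (a terminal told the card is Visa while the account is a Mastercard or Maestro one) can be looked for as a disagreement between the application identifier the terminal selected and the brand implied by the card number. The following is an added example, not code from the paper or the researchers' app; it assumes an authorization record that carries both values, and its field names, prefix table and sample records are constructed.

```python
# Added example: brand-consistency check. Field names, the prefix table and
# the sample records are constructed assumptions, not taken from the paper.

# RID = first 5 bytes (10 hex digits) of the EMV application identifier (AID).
RID_BRAND = {"A000000003": "visa", "A000000004": "mastercard"}  # Maestro shares the Mastercard RID

MAESTRO_PREFIXES = ("5018", "5020", "5038", "5893", "6304",
                    "6759", "6761", "6762", "6763")  # simplified, illustrative

def brand_from_aid(aid_hex):
    """Brand the terminal selected, derived from the AID's RID."""
    return RID_BRAND.get(aid_hex.upper()[:10], "unknown")

def brand_from_pan(pan):
    """Brand implied by the PAN prefix (production code uses scheme BIN tables)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 12:
        return "unknown"
    if digits.startswith("4"):
        return "visa"
    if 51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720:
        return "mastercard"
    if digits.startswith(MAESTRO_PREFIXES):
        return "mastercard"
    return "unknown"

def flag_mismatches(transactions):
    """Return ids of transactions whose AID brand contradicts the PAN brand."""
    flagged = []
    for txn in transactions:
        aid_brand = brand_from_aid(txn["aid"])
        pan_brand = brand_from_pan(txn["pan"])
        if "unknown" in (aid_brand, pan_brand):
            continue  # undecidable here; leave to other controls
        if aid_brand != pan_brand:
            flagged.append(txn["id"])
    return flagged

# Constructed sample records (test-style PANs, not real accounts).
SAMPLE = [
    {"id": "t1", "aid": "A0000000031010", "pan": "4111 1111 1111 1111"},
    {"id": "t2", "aid": "A0000000043060", "pan": "6759 0000 0000 0005"},
    {"id": "t3", "aid": "A0000000031010", "pan": "5500 0000 0000 0004"},
    {"id": "t4", "aid": "A0000000031010", "pan": "6759 0000 0000 0005"},
]

if __name__ == "__main__":
    print(flag_mismatches(SAMPLE))
```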
