Using your phone to make payments has certainly become the norm these days, but a good number of people still appreciate the ease of contactless bank cards. They are nearly as handy. You simply tap the card onto the terminal, and within seconds, your phone buzzes in your pocket, indicating a successful payment for your purchase. However, this convenience does come with a pitfall. Fraudsters have the potential to pilfer money from cardholders. Let’s dive into a discussion on how bank cards can be compromised through NFC technology.

Technically speaking, NFC payments are an evolution of the EMV standard, which means that most attack methods observed in real-world scenarios are already known to researchers. However, when I began to delve into the realm of contactless payments, I stumbled upon some new instances. These attacks primarily exploit backward compatibility and other limitations inherent in the key EMV processes – namely authentication, authorization and verification.

Bank fraud is indeed a significant issue. Since the early 2000s, these problems have persisted, and with the introduction of contactless payments, they have become even more common. One distinct aspect of contactless card fraud is that it is hard for the victim to provide evidence, given that the fraudster does not require physical access to your cards. Consequently, banks frequently dispute these types of user complaints.

Legacy Modes

What do we mean by “contactless legacy modes,” and why do they exist? Initially, legacy modes were designed for payment terminals, particularly those in the United States, which were not equipped to handle cryptography. In addition, due to the principle of backward compatibility, cards and terminals capable of handling modern cryptographic methods can still be utilized in these legacy modes. Picture this: It is as if you could make payments using the magnetic stripe on your chip card.

For the first time, researchers drew attention to the insecurity of legacy modes with a contactless payment method back in 2015.

Visa credit cards operating in magnetic stripe data (MSD) mode send Track2 Equivalent data encompassing a dynamic card verification value (CVV) component that undergoes periodic changes. This implies that the same CVV has the potential to be utilized on multiple occasions. The MSD mode also has the disadvantage of allowing an incorrect value for the CVV2 field to be used. Data read from a magnetic stripe or a chip on a card can be recorded by a special mobile app utilizing the NFC protocol. This data can then be manipulated and presented to the bank, which could mistakenly consider it a legitimate contactless transaction. Not so long ago, there was a mobile app available on the Google Play store that enabled you to read and store this kind of data. You can find the archived version of its GitHub repository here.

MasterCard has taken things a bit further with its own legacy mode, called PayPass Magstripe. In this mode, the card receives a random UN (unpredictable number) from the terminal, calculates the application transaction counter (ATC), and generates a CVC3 authorization field based on this data. As a result, the terminal generates dynamic Track2 Equivalent data using the given information and forwards it to the bank to obtain payment authorization.

The main drawback of this mode is the limited randomness of the UN field and the lack of other fields, such as transaction amount or date, that contribute to the overall randomness. The UN can range from three to five bytes, each byte comprising only numbers. This implies that there can be 999, 9,999, or 99,999 distinct UN values that can be entered into the card. In the first two instances, a malicious individual could quickly clone all card transactions by simply bringing a smartphone with a specific app installed close to the card.

Following this, the perpetrator carries out a payment on a terminal that supports Magstripe mode using a phone loaded with the cloned transactions. The terminal initiates the generation of a randomized UN field, and the mobile phone then scans its transaction database to locate the corresponding ATC/CVC3 pair linked to this UN. Subsequently, the phone provides this pair to the terminal.

It is worth noting here that payment systems generally advise tracking the sequence of counter values and disallowing transactions that exhibit large leaps in ATC values. If the fraud detection systems are set up properly, the attackers would not be able to execute more than a single payment. However, if the fraud detection systems have been “subdued by irate bank customers,” the offender would essentially have a complete clone of the card at their disposal, which could potentially be used multiple times.

The majority of mobile wallets including Google Pay, Samsung Pay, and various custom host-card emulation (HCE) Android apps that can emulate card details – are also compatible with MSD and PayPass Magstripe modes.

Researchers have also uncovered another fraud technique, which involves manipulating the terminal into believing that the UN equals 0. If successful, the terminal will return only one possible value – 00000, to which only a single ATC/CVC3 pair corresponds. In such a scenario, cloning the card becomes remarkably straightforward.

Attacks on Visa cards, targeting legacy modes, are quite common and have seen a widespread increase. This is mainly because information required for making contactless payments with Visa cards can easily be obtained from hacker forums where Track 2 Equivalent data is available for sale.

Cloning Attacks

Presently, it is not feasible to clone EMV cards in a way that allows their transactions to be authorized in real-time. To date, nefarious actors or researchers have not figured out how to extract cryptographic keys needed to generate payment cryptograms. However, this does not mean it is the only method available to create a functional replica of the card:
• Crooks can write the Track2 Equivalent value onto the magnetic stripe. The Track2 Equivalent essentially duplicates the information found on a card’s magnetic stripe and serves as a card identification parameter within hardware security module (HSM) systems, along with other subsystems dedicated to card processing. So, one method of attack that malicious individuals occasionally employ involves writing Track2 Equivalent data onto a magnetic stripe. Subsequently, fraudulent transactions are conducted either as typical magnetic stripe transactions or in technical fallback mode. To pilfer such data from ATMs, devices known as skimmers are used.

• In order to duplicate transactions, one can employ the EMV pre-play and re-play attacks. The crux of the re-play attack is to circumvent the mechanisms ensuring each transaction and cryptogram’s uniqueness. This allows the attacker to “clone transactions” for future use without needing the original card. In case a hacked terminal produces the same UN field, a once-read cryptogram from the card with a predictable UN value can be reused unlimited times. Even the next day, the attackers can forward information about the old cryptogram with the previous day’s date in the authorization request. The pre-play scheme comes into play if a compromised terminal does not produce the same UN but instead generates a predictable one. In this situation, an attacker, when physically accessing the card, clones multiple transactions “for future use.” Unlike the initial attack, each transaction can only be used once in this scenario.

Cardholder Verification Bypass

Much of the NFC/EMV security research in recent years has been centered around cardholder verification methods (CVM). Why is this the case? Because bypassing CVM links to other card security vulnerabilities related to authentication and authorization.

Cybercriminals have the ability to modify the verification method at various stages of the payment processing by using infected terminals or their own terminals and applying a man-in-the-middle (MITM) approach. Let’s break down each of these options individually.

Data Substitution Between the Acquiring Bank and the Terminal

This specific kind of attack occurs when hackers alter the transaction data while it is being transmitted from the payment terminal. Surprisingly, the issuing bank approves the transaction, even though it should not do that. There are two methods for verifying and approving a transaction.

1. Change to an offline PIN. An offline PIN is rarely employed since the card would require double swiping for payment. Also, the count of online-connected terminals is nearly 100%. Nonetheless, some banks still approve transactions with an “offline PIN” verification method.

2. Change to an online PIN. If a payment request shows an online PIN selection, but the PIN itself is missing from the encrypted field, some banks will still approve the transaction.

Data Substitution Between the Terminal and the Phone

1. Change to a signature. The widely used method to authenticate the payer after entering the PIN is known as signature substitution. Customers of certain banks are familiar with the option where instead of entering a PIN code, the card automatically prompts for a signature on the receipt. This approach is commonly referred to as Chip & Signature, drawing parallels with the Chip & PIN system. If a crook alters the verification method from a PIN to a signature and manages to mark a cross on the receipt or if an unaware cashier fails to ask for a signature, the cardholder can seek compensation if they can provide evidence that the transaction was not authorized by them.

2. Change to a mobile wallet. Besides the two common methods for chip contactless cards, terminals can also accept other payer verification types. For example, an attacker can trick the terminal by pretending the card is a mobile wallet, such as Apple Pay. In many terminals, this would bypass the need for PIN codes or signatures on receipts. The same result happens when the No CVM option (no cardholder verification method) is used. These types of attacks are increasingly being reported in various regions, prompting security experts to use tools to find scammers through their phone numbers and emails.

The Revised Payment Services Directive (PSD2)

Every country around the world has its own set of recommendations regarding no CVM limits, which are applicable when payer verification is not required. This is commonly referred to as the Tap & Go scheme. For example, within the European Economic Area, there is a recommended transaction limit of €50.

Stores and acquiring banks have the freedom to establish their own limits for terminals as they see fit. However, they also assume the associated risks of no CVM fraud. That is why not all banks or merchants may be inclined to set limits above the average, as it could attract many fraudsters.

The most prevalent scam involving stolen contactless cards is to visit a store and exploit the Tap & Go scheme by conducting numerous transactions within the no CVM limits. Anti-fraud systems rarely intervene to block such transactions. The most audacious scammers have even managed to find cashiers who would split a large bill into several smaller transactions of, for example, £30 each, thereby bypassing restrictions.

To combat such fraudulent activities, the European Union has introduced a set of new laws known as the Payment Service Directive, version 2 (PSD2). These regulations include specific requirements regarding the frequency of payer verification. Particularly for contactless Tap & Go transactions, starting from 2020, issuing banks are required to impose limits on the number of transactions below the Tap & Go threshold. They are obligated to track the total amount spent and prompt for a PIN after every five transactions or when the cardholder reaches the equivalent of the maximum amount across five Tap & Go transactions, such as 250 euros.

MasterCard and Visa offer two alternatives for transactions that surpass Tap & Go limits: Soft limits and hard limits. The majority of countries follow the soft limits scheme, wherein additional verification of the payer is required, such as a signature or an online PIN, when making a payment above the set limit. The United Kingdom, however, operates under the hard limits scheme, where inserting a chip-enabled card is necessary for payments exceeding Tap & Go limits. However, it should be noted that this scenario does not apply to mobile wallets, as they have separate limits in place.

Security experts have conducted tests to determine the effectiveness of these rules and explore potential ways they can be bypassed using publicly known vulnerabilities or newly discovered variations. The results revealed that by possessing stolen cards and a customized terminal, hackers could make payments in regular stores that exceed the predetermined limits. They just reset these limits using their compromised terminal.

Final Thoughts

While contactless bank cards offer convenience, they also come with vulnerabilities that fraudsters can exploit. Legacy modes and the use of magnetic stripes pose security risks, allowing attackers to clone cards and manipulate transaction data. There are a few reasons why banks continue to support obsolete forms of payment, including compatibility, associated costs, user adoption and international acceptance. In addition, cardholder verification methods can be bypassed, and the Tap & Go scheme is susceptible to abuse. The introduction of regulations like PSD2 aims to mitigate fraud, but limits can still be circumvented using compromised terminals. Continued advancements in payment security are necessary to address these challenges.