New PIN Verification Bypass Flaw Affects Visa Contactless Payments


Even as Visa issued a warning about a new JavaScript web skimmer known as Baka, cybersecurity researchers have uncovered an authentication flaw in the company’s EMV enabled payment cards that permits cybercriminals to obtain funds and defraud cardholders as well as merchants illicitly.

The research, published by a group of academics from the ETH Zurich, is a PIN bypass attack that allows the adversaries to leverage a victim’s stolen or lost credit card for making high-value purchases without knowledge of the card’s PIN, and even trick a point of sale (PoS) terminal into accepting an unauthentic offline card transaction.

All modern contactless cards that make use of the Visa protocol, including Visa Credit, Visa Debit, Visa Electron, and V Pay cards, are affected by the security flaw, but the researchers posited it could apply to EMV protocols implemented by Discover and UnionPay as well. The loophole, however, doesn’t impact Mastercard, American Express, and JCB.


The findings will be presented at the 42nd IEEE Symposium on Security and Privacy to be held in San Francisco next May.

Modifying Card Transaction Qualifiers Via MitM Attack

EMV (short for Europay, Mastercard, and…

Leave a Reply

Your email address will not be published. Required fields are marked *