Using our model, we identify a critical violation of authentication properties by the Visa contactless protocol: the cardholder verification method used in a transaction, if any, is neither authenticated nor cryptographically protected against modification. We developed a proof-of-concept Android application that exploits this to bypass PIN verification by mounting a man-in-the-middle attack that instructs the terminal that PIN verification is not required because the cardholder verification was performed on the consumer’s device (e.g., a mobile phone). This enables criminals to use any stolen Visa card to pay for expensive goods without the card’s PIN. In other words, the PIN is useless in Visa contactless transactions!
We have successfully tested our PIN bypass attack on real-world terminals...
Oops... Better get an EM-shielded sleeve for your credit card until the software fix for the sales terminals is rolled out.
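The property the abstract says is violated, shown from the verifier's side as an added toy model (not code from the paper, and not the EMV message format): when the cardholder verification method (CVM) field sits outside the data the cryptographic check covers, a changed value still verifies; when it is covered, the change is rejected. The field names, the sample values, the key and the use of HMAC as a stand-in for the card's cryptographic protection are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; stands in for whatever key material protects the card's data.
DEMO_KEY = b"constructed-demo-key"


def _tag(fields: dict) -> str:
    """Integrity tag over a canonical encoding of the covered fields."""
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()


def card_response(amount_cents: int, cvm: str, cover_cvm: bool) -> dict:
    """Toy card reply: amount, CVM field, and a tag that may or may not cover the CVM."""
    covered = {"amount_cents": amount_cents}
    if cover_cvm:
        covered["cvm"] = cvm
    return {"amount_cents": amount_cents, "cvm": cvm, "tag": _tag(covered)}


def verifier_accepts(resp: dict, cover_cvm: bool) -> bool:
    """Recompute the tag over the same field set the sender covered and compare."""
    covered = {"amount_cents": resp["amount_cents"]}
    if cover_cvm:
        covered["cvm"] = resp["cvm"]
    return hmac.compare_digest(_tag(covered), resp["tag"])


def changed_cvm(resp: dict, new_cvm: str) -> dict:
    """The same message with only the CVM field different, as seen after modification."""
    return {**resp, "cvm": new_cvm}


def compare_designs() -> dict:
    """Does a message with a changed CVM still verify under each design?"""
    results = {}
    for name, cover in (("cvm_unprotected", False), ("cvm_protected", True)):
        original = card_response(25000, "pin_required", cover_cvm=cover)
        modified = changed_cvm(original, "verified_on_consumer_device")
        results[name] = {
            "original_accepted": verifier_accepts(original, cover),
            "modified_accepted": verifier_accepts(modified, cover),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(compare_designs(), indent=2))
```
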