A group of academics from ETH Zurich have published a post about an attack that could allow criminals to trick a point of sale terminal into transacting with a victim’s Mastercard contactless card while believing it to be a Visa card.
The researchers say: „This is not just a mere card brand mixup but it has critical consequences. For example, criminals can use it in combination with the previous attack on Visa to also bypass the PIN for Mastercard cards. The cards of this brand were previously presumed protected by PIN.“
Everything is achieved using an Android application that implements a man-in-the-middle (MitM) attack atop a relay attack architecture. This allowing the app to not only initiate messages between the two ends — the terminal and the card — but also to intercept and manipulate the NFC (or Wi-Fi) communications to maliciously introduce a mismatch between the card brand and the payment network.