How Contactless Bank Cards Are Hacked: NFC Payment Vulnerabilities Explained

Close Encounters: Attacking Contactless Bank Cards

Contactless bank cards are incredibly convenient: just tap your card to the terminal, and within seconds your phone pings—purchase complete. But this convenience comes with a downside: criminals can steal money from holders of such “plastic.” Let’s talk about the ways bank cards using NFC technology can be hacked.

How NFC Payments Work and Their Weaknesses

Technologically, NFC payments are an extension of the EMV standard, so all attacks seen “in the wild” were already known to researchers. When I started studying contactless payments I still managed to find a few new and interesting cases, but even those attacks target backward compatibility and other shortcomings of the core EMV mechanisms—authorization, authentication, and verification.

After testing dozens of cards, I was shocked by the scale of the problems in banks. Since the early 2000s, these issues haven’t gone away, and with the advent of contactless payments, they’ve only increased. One of the unique features of fraud with contactless cards is that it’s hard to prove, since the criminal doesn’t need physical access to your cards. That’s why banks often dispute such customer complaints.

Legacy Modes: The Weak Link

The first to draw attention to the insecurity of legacy modes in contactless payments was researcher Peter Fillmore back in 2014.

What are contactless legacy modes, and why were they created in 2013? Legacy modes are special modes for terminals that couldn’t handle cryptography, mainly American ones. Due to backward compatibility, even cards and terminals that support modern cryptography can be used in legacy modes. Imagine if your chip card could process payments using the magnetic stripe—that’s the level of irresponsibility we’re talking about.

Visa cards in legacy MSD (Magnetic Stripe Data) mode simply transmit the Track2 Equivalent with a dynamic CVV field that changes “from time to time.” This means the same CVV can be used more than once. However, this mode also has a flaw that allows the use of an incorrect CVV2 value, as discussed in a previous article. Data read from the magnetic stripe, chip, or contactless chip can be recorded and replayed by a special app via NFC, and the bank will treat it as a contactless transaction. Russian programmer Dmitry Kholodov even published an app on Google Play that allows you to read and save this data on an Android phone.

MasterCard cards went a bit further: in their legacy mode, called PayPass M-Stripe, the card receives a random number (UN) from the terminal, uses a counter (ATC), and generates an authorization field (CVC3) based on this data. The terminal then creates a dynamic Track2 Equivalent from these values and sends it to the bank for payment authorization.

The main flaw of this mode is the low entropy of the UN field and the lack of other entropy fields, such as payment amount or transaction date. UN can be 3 to 5 bytes, each consisting only of digits. This means the card can receive 999, 9999, or 99,999 different UN values. In the first two cases, by bringing a phone with the right app close to the card, a criminal can quickly clone all transactions from the card.

The attacker then makes a payment at a terminal that supports M-Stripe mode, using a phone with the cloned transactions. The terminal generates a random UN, the phone finds the correct ATC/CVC3 pair in its database for that UN, and sends it to the terminal.

Payment systems recommend monitoring the order of counter values and not accepting transactions with significant jumps in ATC values. If anti-fraud systems are set up correctly, criminals won’t be able to make more than one payment, because the next payment’s random UN will result in a much higher or lower ATC value than the previous one. But if anti-fraud systems are too lenient, the criminal will have a fully functional card clone that can be used multiple times.

Another method discovered by researchers is to trick the terminal into believing the UN entropy is zero. In this case, it will only return one possible UN value (00000), and only one ATC/CVC3 pair matches it. Cloning the card becomes incredibly easy. We even found a Russian bank that was vulnerable to this attack.
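The two issuer-side countermeasures discussed above (monitoring the order of ATC values and refusing authorizations whose unpredictable number carries no entropy) are easy to express as a small check over the authorization stream. The following is an added example, not code from the original article: the record layout, the jump tolerance and the sample records are constructed assumptions, and the check is run over a short constructed list of M-Stripe authorizations for one card.

```python
"""
Issuer-side checks for PayPass M-Stripe authorizations (added example, not
from the original article). It models two anti-fraud recommendations:
decline ATC values that go backwards or jump far ahead of the last value
seen for the card, and decline authorizations whose terminal unpredictable
number is all zeros (zero declared UN entropy, so a single captured
ATC/CVC3 pair would replay indefinitely).
Field names, the jump threshold and the sample records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_ATC_JUMP = 20  # assumed issuer tolerance for missed or offline-declined taps


@dataclass
class CardState:
    last_atc: Optional[int] = None


@dataclass
class Decision:
    approved: bool
    reason: str


def check_mstripe_auth(state: CardState, atc: int, un: str) -> Decision:
    """Evaluate one M-Stripe authorization against per-card state.

    atc: Application Transaction Counter carried in the Track2 Equivalent
    un:  Unpredictable Number the terminal reports it sent (decimal digits)
    """
    # Zero UN entropy: the only possible UN is all zeros, so the same
    # ATC/CVC3 pair satisfies every transaction.
    if un.strip("0") == "":
        return Decision(False, "zero unpredictable number")
    if state.last_atc is not None:
        if atc <= state.last_atc:
            return Decision(False, f"ATC {atc} not above last seen {state.last_atc}")
        if atc - state.last_atc > MAX_ATC_JUMP:
            return Decision(False, f"ATC jump of {atc - state.last_atc} exceeds {MAX_ATC_JUMP}")
    # Only an approved transaction advances the per-card counter.
    state.last_atc = atc
    return Decision(True, "ok")


def run_stream(records: List[Tuple[str, int, str]]) -> List[Decision]:
    """Apply the check to (pan, atc, un) records, keeping state per card."""
    states: Dict[str, CardState] = {}
    decisions = []
    for pan, atc, un in records:
        state = states.setdefault(pan, CardState())
        decisions.append(check_mstripe_auth(state, atc, un))
    return decisions


# Constructed sample: two genuine taps, then a pair taken from the far end of
# a precomputed UN/ATC/CVC3 table, a counter that went backwards, and a
# terminal claiming a zero unpredictable number.
SAMPLE = [
    ("5412******3456", 100, "7261"),
    ("5412******3456", 101, "0198"),
    ("5412******3456", 350, "4402"),
    ("5412******3456", 99, "3310"),
    ("5412******3456", 102, "0000"),
]

if __name__ == "__main__":
    for rec, d in zip(SAMPLE, run_stream(SAMPLE)):
        print(rec, "->", "APPROVE" if d.approved else "DECLINE", d.reason)
```

The tolerance is deliberately a parameter: too small and genuine offline declines or unsent authorizations will lock out the cardholder, too large and a clone built from a precomputed table gets several attempts before the counter gap is noticed.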

While some believe the problem is solved, I disagree: in the past year, I found two Russian MasterCard cards still operating in Legacy mode, as well as one card and one card acquiring system in Russia that support the highly insecure Visa MSD mode.

Attacks on Visa cards are still extremely common and widespread. To make contactless payments with Visa cards, you can use information available for sale on special forums—Track2 or Track2 Equivalent.

Legacy mode attacks on MasterCard cards are also possible, but they are much harder to carry out in real life, since they require physical access to the victim’s card, even if only for a minute. That’s why such attacks are rarely seen “in the wild.”

It’s worth noting that most mobile wallets—GPay, SamsungPay, custom HCE (Host-Card Emulation apps on Android)—also support M-Stripe and MSD modes. But we’ll discuss this in the section on mobile wallets and other non-standard payment devices.

Cloning Cards and Transactions

It’s impossible to clone contactless EMV cards so that their transactions can be authorized in real time. Criminals and researchers have not yet learned how to extract cryptographic keys to create payment cryptograms. However, this isn’t the only way to make a functional card clone:

  • The Track2 Equivalent value can be written to a magnetic stripe and used for payments outside Russia, as described in an article on EMV attacks.
  • Another technique for cloning transactions is Cryptogram Replay, described earlier.
  • Finally, a fully functional card clone or a limited number of transactions can be created using legacy mode vulnerabilities, as described above.

Bypassing Cardholder Verification

The mainstream of EMV/NFC security research over the past 15 years has focused on cardholder verification methods (CVM). Why? Because bypassing CVM is tied to other card security flaws: authorization and authentication. Such attacks aren’t very popular for the same reason—they require physical access to the card. In official statistics, this type of fraud is called Lost & Stolen.

Cybercriminals can substitute the verification method at different stages of payment processing using a MITM (man-in-the-middle) attack. Let’s break down each option.

Substitution Between Terminal and Acquiring Bank

This type of attack is called transaction stream fraud—hackers substitute transaction data as it’s transmitted from the payment terminal. The issuing bank approves the transaction, even though it shouldn’t. The PIN verification claim can be substituted in two ways:

  • Offline PIN substitution: This scheme isn’t used for contactless cards, simply because the card would have to be tapped twice during payment. No payment system was ready for this after the 2010s, when nearly all terminals became internet-connected. However, we found five banks that authorized transactions if the verification method was declared as “offline PIN.”
  • Online PIN substitution: If the payment authorization request indicates that online PIN was chosen, but the encrypted PIN field is missing, one of the banks we studied still authorized the transaction.
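Both cases in the list above are the same class of defect: the issuer trusts the cardholder verification claimed in the authorization request without checking it against the rest of the message. The following added example (not code from the original article) shows an issuer-side consistency check. It decodes EMV tag 9F34 (CVM Results) and uses the ISO 8583 POS entry mode (DE 22) and PIN data field (DE 52); the request dictionary, function names and sample values are constructed for illustration.

```python
"""
Issuer-side consistency check between the declared cardholder verification
method and the rest of an authorization request (added example, not from the
original article). Rejects the two inconsistencies described in the text:
"online PIN" declared without an encrypted PIN block, and "offline PIN"
declared on a contactless transaction, where the card is never asked for a PIN.
The request layout, helper names and sample values are constructed.
"""
from typing import Optional, Tuple

# CVM codes in the low 6 bits of the first byte of CVM Results (tag 9F34).
CVM_PLAINTEXT_PIN_OFFLINE = 0x01
CVM_ENCIPHERED_PIN_ONLINE = 0x02
CVM_ENCIPHERED_PIN_OFFLINE = 0x04
CVM_SIGNATURE = 0x1E
CVM_NO_CVM = 0x1F

# ISO 8583 DE 22 POS entry mode, first two digits:
# 07 = contactless EMV chip, 91 = contactless magnetic-stripe (legacy) mode.
CONTACTLESS_ENTRY_MODES = {"07", "91"}


def parse_cvm_results(hex_9f34: str) -> Tuple[int, int]:
    """Return (cvm_code, result) from the 3-byte CVM Results value.

    result byte: 0x00 unknown, 0x01 failed, 0x02 successful.
    """
    raw = bytes.fromhex(hex_9f34)
    if len(raw) != 3:
        raise ValueError("9F34 must be exactly 3 bytes")
    return raw[0] & 0x3F, raw[2]


def validate_cvm(request: dict) -> Tuple[bool, str]:
    """Return (approve, reason) for the CVM part of an authorization request.

    request keys (constructed):
      entry_mode:  DE 22, first two digits used here
      cvm_results: tag 9F34 as hex
      pin_block:   DE 52 as hex, or None when the field is absent
    """
    code, result = parse_cvm_results(request["cvm_results"])
    contactless = request["entry_mode"][:2] in CONTACTLESS_ENTRY_MODES
    pin_block: Optional[str] = request.get("pin_block")

    if code == CVM_ENCIPHERED_PIN_ONLINE:
        # Online PIN means the issuer verifies the PIN block; if the block is
        # missing, nothing was verified and the claim must not be trusted.
        if not pin_block:
            return False, "online PIN declared but DE 52 is empty"
        return True, "online PIN block present; verify it before approving"

    if code in (CVM_PLAINTEXT_PIN_OFFLINE, CVM_ENCIPHERED_PIN_OFFLINE):
        if contactless:
            # A contactless tap never performs offline PIN, so the terminal's
            # claim cannot be genuine; treat it as CVM substitution.
            return False, "offline PIN declared on a contactless transaction"
        if result != 0x02:
            return False, "offline PIN declared but card did not report success"
        return True, "offline PIN verified by the card"

    if code == CVM_SIGNATURE:
        return True, "signature: apply signature rules and limits"
    if code == CVM_NO_CVM:
        return True, "no CVM: apply Tap & Go limits"
    return False, f"unrecognised CVM code {code:#04x}"


# Constructed sample requests covering the cases discussed in the text.
SAMPLES = {
    "online_pin_with_block": {"entry_mode": "07", "cvm_results": "420002",
                              "pin_block": "0123456789ABCDEF"},
    "online_pin_no_block": {"entry_mode": "07", "cvm_results": "420000",
                            "pin_block": None},
    "offline_pin_contactless": {"entry_mode": "07", "cvm_results": "440002",
                                "pin_block": None},
    "offline_pin_contact_chip": {"entry_mode": "05", "cvm_results": "440002",
                                 "pin_block": None},
    "nocvm_legacy_mode": {"entry_mode": "91", "cvm_results": "1F0002",
                          "pin_block": None},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        ok, why = validate_cvm(req)
        print(f"{name:26s} {'APPROVE' if ok else 'DECLINE':8s} {why}")
```

The masking with 0x3F matters: the top two bits of the first byte are rule flags (for example “apply succeeding CV rule if this one fails”) and are not part of the CVM code, so a check that compares the whole byte would miss valid encodings.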

Some experts wonder: if criminals use their own terminals, can’t they be easily tracked and found? Unfortunately, that’s not always the case. For example, Brazilian criminals mentioned by Brian Krebs managed to disappear and launder the stolen money before the FBI caught up with them.

Substitution Between Phone and Terminal

The most popular method after online PIN is substituting the verification method to signature. Owners of cards from some Russian banks know that instead of entering a PIN, the card may request a signature on the receipt by default. This scheme, called Chip & Signature (by analogy with Chip & PIN), came from America. The reason for its popularity in the US is that, by law, regardless of whether the correct PIN was entered during a fraudulent transaction, the client must be reimbursed. So, if there’s no difference, why make clients go through the hassle of entering a PIN? That’s why Chip & Signature is still so popular in the US.

If a criminal substitutes the verification type from PIN to signature, and then just puts a cross on the receipt or the cashier doesn’t ask for an autograph, the cardholder can demand compensation if they prove the transaction wasn’t theirs. But whether they’ll actually get it—no one knows for sure. However, if it’s proven that a correct PIN was entered and verified, all the blame falls on the client.

Interestingly, experts from Aperture Lab have spent years conducting technical examinations of fraudulent card transactions. They collected data and proved to banks and courts that transactions were carried out differently than the bank interpreted, for example, without a correct PIN or using a pre-cloned cryptogram.

Substitution to Mobile Wallet or NoCVM

Besides the two most popular schemes for chip-based contactless cards, the terminal can accept several other non-standard cardholder verification types. For example, a criminal can tell the terminal that the card is actually a mobile wallet, like Apple Pay. In most terminals, this means no PIN or signature is required. The same happens if NoCVM is chosen as the verification method.

For contactless Visa cards, we demonstrated this vulnerability in 2019, showing weaknesses in CVM mechanisms for cards from Russia, Europe, America, and the UK. Later, researchers from the University of Zurich repeated our study for Swiss cards, confirming our earlier findings about Visa cards.

Some experts ask: why only Visa? First, MasterCard cards check the integrity of selected CVM methods during Offline Data Authentication. Unlike Visa cards, this process is mandatory for every contactless MasterCard. Also, the field responsible for mobile wallet status is part of the payment cryptogram, and it can’t be substituted without the transaction being declined.

PSD2 and Card Fraud in Europe

Every country has its own recommended NoCVM limit, the amount below which no cardholder verification is required. This is known as the Tap & Go scheme. In Russia, this limit was previously 1,000 rubles, but was recently raised to 3,000 rubles. In the UK, before COVID, it was £30, now it’s £45.

Each store and acquiring bank can set any limits they want for their terminals. However, the risks of NoCVM fraud fall on their shoulders, so not every bank or merchant will want to set higher-than-average limits, or else they’ll attract happy fraudsters.

The most common fraud scheme with stolen contactless cards is to go to a store and make a payment using Tap & Go. For example, in the UK, the scale of such fraud was “only” a little over £10 million in 2019. Criminals could make as many NoCVM transactions as they wanted until the card was blocked. The boldest even found cashiers willing to split a large bill into several £30 transactions, bypassing national restrictions.

To counter this, the European regulator released a set of new laws called PSD2 (Payment Service Directive, version 2). One of the main requirements concerns the frequency of cardholder verification—Strong Customer Authentication. These requirements include a section on contactless Tap & Go transactions—Cumulative Limits, which, since 2020, require issuing banks to limit the number of transactions below Tap & Go limits. Banks must sum up the total spent and request a PIN after every five transactions or if the cardholder spends the equivalent of the maximum amount for five Tap & Go transactions (e.g., £225 in the UK or €250 in France). In most European countries, this procedure isn’t very noticeable to cardholders, but in the UK, Hard Limits apply: for payments requiring a PIN or signature, you must insert the chip card into the terminal.

Visa and MasterCard offer two schemes for exceeding Tap & Go limits—Soft or Hard limits. Most countries use the first scheme, where a payment above the set limit will prompt additional cardholder verification—a signature or online PIN. The only country I know that uses Hard Limits is the UK, where you must insert the chip card for payments above Tap & Go. This doesn’t apply to mobile wallets—they have separate limits. More information can be found in the mentioned studies.

The law is still slowly spreading across Europe. Once I had enough cards with Cumulative Limits applied, I started testing how effective these rules are and how they can be bypassed using public vulnerabilities or new variations. One of our latest studies showed that classic attacks like PIN OK, CVM substitution to Chip & Signature, and Transaction Stream Fraud all allow you to “reset the limits” of £225/€250. With stolen cards and a special terminal, hackers can make payments in regular stores above these limits, periodically “resetting the limits” using their compromised terminal.
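The Cumulative Limits rule and the way the attacks above defeat it can be made concrete in a few lines. The following added example (not code from the original article) models an issuer that counts contactless payments and sums their amounts since the last strong customer authentication, using the UK figures quoted in the text (£45 per tap, £225 cumulative, five transactions). The security-relevant design choice, which is my assumption rather than something the text prescribes, is that the counters reset only when the issuer itself verified an online PIN block, never on a terminal-side claim such as “PIN OK” or “signature”, because those claims are exactly what transaction stream fraud and CVM substitution forge. Class and field names are constructed.

```python
"""
Issuer-side cumulative-limit logic in the spirit of the PSD2 Strong Customer
Authentication rules described in the text (added example, not from the
original article). Counters reset only on an issuer-verified online PIN;
terminal-side claims (NoCVM, signature, "PIN OK") count toward the limits
and never clear them. Limits, names and the sample sequence are constructed.
"""
from dataclasses import dataclass
from typing import Tuple

SINGLE_TAP_LIMIT = 4500     # pence: GBP 45 Tap & Go limit
CUMULATIVE_LIMIT = 22500    # pence: GBP 225 cumulative ceiling
MAX_TXNS_SINCE_SCA = 5


@dataclass
class CumulativeState:
    count: int = 0   # contactless payments since last issuer-verified PIN
    total: int = 0   # their summed amount, minor units


def authorize_contactless(state: CumulativeState, amount: int, cvm: str,
                          issuer_verified_pin: bool = False) -> Tuple[bool, str]:
    """Return (approve, reason) and update the per-card cumulative state.

    cvm: "nocvm", "signature" or "online_pin" as declared by the terminal.
    issuer_verified_pin: True only when this issuer checked the PIN block in
    the current request; a terminal's own "PIN verified" flag does not count.
    """
    if cvm == "online_pin":
        if not issuer_verified_pin:
            # Declared online PIN with nothing the issuer could verify: this is
            # the transaction stream fraud pattern, so no reset and no approval.
            return False, "online PIN declared but not verified by issuer"
        state.count = 0
        state.total = 0
        return True, "online PIN verified, cumulative counters reset"

    # NoCVM and signature are terminal-side claims: they are subject to the
    # cumulative limit and must never reset it.
    if cvm == "nocvm" and amount > SINGLE_TAP_LIMIT:
        return False, "amount above Tap & Go limit without cardholder verification"
    if state.count + 1 > MAX_TXNS_SINCE_SCA or state.total + amount > CUMULATIVE_LIMIT:
        return False, "cumulative limit reached, online PIN required"
    state.count += 1
    state.total += amount
    return True, f"approved ({state.count} since SCA, total {state.total})"


def run_sequence(steps):
    """Apply a list of (amount, cvm, issuer_verified_pin) to a fresh card."""
    state = CumulativeState()
    return [authorize_contactless(state, a, c, v) for a, c, v in steps]


# Constructed sequence: five maximum taps fill the ceiling; a sixth tap and a
# forged signature claim are both refused; a forged "online PIN" with no
# issuer verification does not reset anything; a genuine online PIN does.
SEQUENCE = [
    (4500, "nocvm", False),
    (4500, "nocvm", False),
    (4500, "nocvm", False),
    (4500, "nocvm", False),
    (4500, "nocvm", False),
    (1000, "nocvm", False),
    (9000, "signature", False),
    (9000, "online_pin", False),
    (9000, "online_pin", True),
    (4500, "nocvm", False),
]

if __name__ == "__main__":
    for step, (ok, why) in zip(SEQUENCE, run_sequence(SEQUENCE)):
        print(step, "->", "APPROVE" if ok else "DECLINE", why)
```

With Soft Limits a decline for “online PIN required” is what makes the terminal prompt for a PIN on the next attempt; under the UK Hard Limits described above the same decision translates into a request to insert the chip card.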

Conclusion

After three years of working closely with card transactions, I’ve learned a lot. The risk-oriented approach in the payment industry forces banks and other market players to support outdated payment forms simply “because it’s needed.” That’s why, in recent years, I’ve been able to take an exciting journey into the world of card fraud, find dozens of vulnerabilities in various banks and payment systems, learn to understand ISO-8583, emulate examples of transactional fraud, and master other interesting and unusual attack methods that, hopefully, will remain only in our lab.
