The card payment works because we generally trust the system, we trust its elements, we believe that we don’t risk high fraud in normal circumstances. But from time to time, we read about possible or actual fraud, which can weaken or collapse our beliefs. The fortunate situation is when researchers publish their findings, letting us react and optimize the behaviour of the devices. Usually, they do it after informing the key players and leaving them time to fix the issue.
The Card is the Face of the Issuer
When a payment institution issues a card or other payment device, this device represents the institution. The cardholders, more widely call them consumers, see their payment devices daily. Their judgement of the issuer is based on how their payments work. Risks push back the usage of these devices, causing financial loss to every player of the card payment.
New and Frustrating, Bypassing PIN
In 2021, three researchers published an article describing bypassing PIN on Visa cards. This type of fraud lets criminals pay for high-value goods using a stolen card without the need to know the card’s PIN. The most frustrating fact is that this type of fraud doesn’t require complicated infrastructure or direct access to the card. The researchers have used two mobile phones with the applications they had developed themselves. The fraud is based on a man-in-the-middle method. The fraudulent pretends that the CDCVM has been successfully finished when it hasn’t been executed at all.
Better in the EU?
Due to the so-called PSD2 regulations of the European Union, card issuers must ensure strong customer authentication above 50€ transactions and if the cumulated transaction amount reaches 150€. The issue here, the terminal thinks that the SCA was a part of the transaction.
Who Pays the Piper?
From the terminal perspective, the card stated a successful CDCVM. According to EMV standards, the terminal may accept the payment offline in this case. From the card point of view, the cardholder didn’t secure the transaction with CVM, so it’s up to the terminal to ensure the cardholder’s authentication. The cardholder’s account is charged, the issuer and the acquirer may argue a lot, but a detailed analysis of the transaction may be needed to see the whole picture. The cardholder will be unsatisfied with his or her issuer.
Although this fraud seems to be correct at first sight on the issuer side, practically, the acquirer is the party who can do the most to reduce the risk. The terminal payment process should incorporate specific steps and settings, as described in the researchers’ paper. Ask for our help if you are uncertain about your system’s behaviour.
As an issuer, it’s a good idea to review your cards’ configuration to see clearly how much impact is on you. Some configurations could be altered when the card is already in the hands of your cardholder. A detailed analysis may answer if there are corrective options at your side.
As a cardholder, you should be aware that if your card is stolen, the risk of using it may be higher than you think. You should have your bank’s phone number always with you to block your card in such a case.
- The EMV Standard: Break, Fix, Verify