More than 9 billion credit cards are subject to a security breach

If you don't want to get your credit card hijacked, choose MasterCard over Visa.

David Basin, Ralf Sasse, and Jorge Toro-Pozo, three researchers at the Department of Computer Science at ETH Zurich, have discovered a major security flaw affecting all Visa credit cards, a total of 9 billion bank cards. Specifically, it is a vulnerability in Europay Mastercard Visa (EMV), an international security standard used by payment cards. According to the researchers, it is possible to use a Visa card illegally without needing the victim's PIN code.

The weak point of these bank cards? Contactless payment, say the three scientists. And there's no need for sophisticated tools or the latest high-tech inventions on the market: a credit card and two Android smartphones are all that's needed. Because the payment protocol, modified on occasion, lacks authentication, it is possible to make a vendor's payment terminal and the attacked Visa card believe that the amounts paid are below the threshold requiring validation of the purchase by PIN code. Thus, a criminal may exceed the usual limitations, such as the limit for contactless card payments or the number of daily contactless payments allowed. In short, the best way to protect yourself is to immediately block your Visa card if you lose it.

Researchers say it is not an elaborate hack. (Source: ETHZ)

The researchers at ETH Zurich have already warned Visa of the loophole and have published almost 2000 pages of documentation to explain the specifics of the attack. Discover and UnionPay cards are also affected by this flaw, unlike MasterCard, American Express and JCB, which use a different security protocol from Visa. The main stakeholder, Visa, says that it is taking appropriate measures to address this vulnerability.

Based on: The EMV Standard: Break, Fix, Verify (.pdf)