Security Week 38: MITM attack on Visa cards

Vulnerabilities in credit cards are rare: although cybercriminals' interest in them is obvious, the payment cards themselves are reasonably well protected. Their security has been regularly tested for many years, and very high requirements are placed on market participants. Perhaps the last major credit card fraud occurred in the United States, and that was due to outdated infrastructure relying on an unreliable way of storing data: the magnetic stripe. Credit card data is stolen and used for online shopping and cashing out, but chip cards are not so easy to hack: unless the PIN is written directly on the stolen card, the thieves will most likely get nothing. Unless, that is, they can pay for a purchase using the contactless method, which does not require a PIN. But here the limit on the purchase amount comes into play.







Researchers from ETH Zurich (the Swiss Federal Institute of Technology in Zurich) found a vulnerability in precisely this method of authorizing contactless payments, as used in Visa payment cards. It makes it possible to exceed the transaction limit without entering a PIN. This means that if a card is stolen, attackers can use it to pay for a very expensive item.



An interesting detail is visible in the PoC video: two smartphones are used; one reads data from the credit card, the other is held up to the payment terminal. The assumption is that the card does not even have to be stolen: it is enough to get close to the card at the right moment. Previously, such attacks on contactless payment systems were simply impractical. They remain so, but the research makes them a little more dangerous than we would like.







A detailed study on the topic has not yet been published; the researchers promise to present the paper with all the details in May 2021. So far, the following is known: the vulnerability lies in the ability to change the status of the payment card that is transmitted when it contacts the terminal. More precisely, there are two statuses: one informs the terminal that PIN entry is not required, the second that the card is authorized on the user's device (for example, on a smartphone). Usually the combination of these indicators will cause the terminal to ask for a PIN. In the attack scenario, data from the card is read by one smartphone, transferred to another smartphone, and modified along the way. The limit on contactless payments in Switzerland is CHF 80 (€74 at the time of publication). Taking advantage of the discovered vulnerability, the researchers made a payment of 200 francs without authorization.



Most likely, many Visa credit and debit cards are vulnerable. It is also possible that the status can be substituted on cards of the Discover and UnionPay systems. Mastercard cards are not affected by the vulnerability (except for the earliest contactless ones), since there the status that makes it possible to bypass PIN entry cannot be changed on the fly. The researchers themselves do not know whether all cards are affected, or only some, or only those of certain banks issued over a certain period. The recommendations are simple: don't lose your card, and use a wallet that blocks wireless radio communication. Okay, the wallet is optional, but it is better not to lose your card.
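The flaw described above comes down to a terminal acting on status fields it cannot authenticate, which is also why a status that "cannot be changed on the fly" is not affected. The following added example (not code from the article or from the researchers) models that decision in Python; the field names, the return strings and the HMAC used as a stand-in for authenticating the status are assumptions, and no real card messages are reproduced.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

LIMIT_CHF = 80  # contactless limit without PIN quoted in the article

@dataclass(frozen=True)
class CardStatus:
    pin_not_required: bool    # status 1: PIN entry is not required
    verified_on_device: bool  # status 2: holder authorized on own device
    tag: bytes = b""          # integrity tag (hypothetical field)

def status_mac(key: bytes, s: CardStatus) -> bytes:
    # HMAC is an assumed stand-in for card-side authentication of the flags.
    msg = bytes([s.pin_not_required, s.verified_on_device])
    return hmac.new(key, msg, hashlib.sha256).digest()

def card_response(key: bytes, pin_not_required: bool, on_device: bool) -> CardStatus:
    s = CardStatus(pin_not_required, on_device)
    return replace(s, tag=status_mac(key, s))

def terminal_trusting(amount: int, s: CardStatus) -> str:
    """Acts on the status fields exactly as received (the weak design)."""
    if amount <= LIMIT_CHF:
        return "approve_no_pin"
    if s.pin_not_required and s.verified_on_device:
        return "approve_no_pin"
    return "request_pin"

def terminal_verifying(amount: int, s: CardStatus, key: bytes) -> str:
    """Rejects status fields whose integrity tag does not match."""
    if not hmac.compare_digest(s.tag, status_mac(key, s)):
        return "decline_tampered"
    return terminal_trusting(amount, s)

# Constructed sample data: a plain plastic card, and the same message
# after its two status fields were changed somewhere between card and terminal.
KEY = b"constructed-demo-key"
GENUINE = card_response(KEY, False, False)
ALTERED = replace(GENUINE, pin_not_required=True, verified_on_device=True)

if __name__ == "__main__":
    for name, s in (("genuine", GENUINE), ("altered", ALTERED)):
        print(name, terminal_trusting(200, s), terminal_verifying(200, s, KEY))
```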



What else happened



The latest batch of patches for Microsoft products closes 129 vulnerabilities, 23 of them critical. One of the most serious problems was found in Microsoft Exchange Server: an attacker can execute arbitrary code with high privileges on the mail server by sending a specially crafted message.



The monthly patch for Android closed 53 bugs, including yet another hole in the Media Framework.



Another addition to the list of vulnerabilities in the Bluetooth protocol: the BLURtooth bug makes it possible to connect to nearby Bluetooth 4.0 and 5.0 devices without authorization.



A vulnerability in the Email Subscribers & Newsletters WordPress plugin threatens hundreds of thousands of sites. Incorrect authorization makes it possible to use the mail server to send spam.



An interesting development on the topic of attacks against Office 365: in one phishing campaign, a mechanism was spotted that validates, in real time, the data a victim enters on the fake site. That is, your username and password will not only be stolen, but you will also be politely told if you made a typo while entering them.



Security researchers report an attack on Linux-based VoIP gateways. The attackers are after call history.



Razer, a manufacturer of laptops, gaming PCs and accessories, has had the data of 100,000 customers stolen.



The developers of the Zoom video conferencing service have implemented two-factor authentication.


