[frozenice]

> Positive Technologies found that both of these checks can be bypassed using a device which intercepts communication between the card and the payment terminal. This device acts as a proxy and is known to conduct man in the middle (MITM) attacks. First, the device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification.

That's the first time I hear about RFID/NFC MITM, neat.

[tastroder]

> That's the first time I hear about RFID/NFC MITM, neat.

That's been a thing for quite a few years now in the context of pentesting, e.g. for badge cloning / proxying for access control systems, see for example [1] for an overview presentation. There's quite a few BlackHat talks on that space that give a good overview at this point. This attack is intruiging since it circumvents more complex measures by manipulating the communication and obviously has practical and direct impact on a monetary asset.

I've read elsewhere ([2], German) that Visa declines to fix this with the explanation that it would require attackers to steal the card in the first place and is technologically too complex to be seen in the real world, which is kind of weird. The hardware required is pretty accessible at this point but I guess their risk assessment determined that the actually occurring fraud with this method is currently not worth fixing anything.

[1] https://www.bishopfox.com/files/slides/2016/InfoSec_World_20...

[2] https://www.heise.de/security/meldung/Bezahlen-ohne-PIN-und-...