A new attack called a "card brand mixup" exploits vulnerabilities in a protocol used in credit cards to deceive a point-of-sale terminal into transacting with a Mastercard posing as a Visa card, The Hacker News reports.
Researchers from ETH Zurich demonstrated how an Android application used to mount a man-in-the-middle attack lets the terminal and the card interact while manipulating the communications between them, creating a mismatch between the payment network and the card brand.
By deceiving a payment terminal into activating a flawed EMV kernel, the actors can induce the terminal to accept a contactless transaction in which the card’s primary account number and application identifier indicate different brands, allowing them to perform a Visa transaction with the terminal and a Mastercard transaction with the card, the researchers said.
The researchers submitted their findings to Mastercard, which has since introduced several countermeasures.
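The brand mismatch described above can be checked for on the receiving side. The following is an added example, not code from the researchers or from Mastercard: it parses the EMV data of a transaction record and compares the brand implied by the application identifier (tag 84 or 4F) with the brand implied by the primary account number (tag 5A). The function names and the sample records are constructed for illustration, and only the Visa and Mastercard ranges are covered.

```python
# Added example; function names are hypothetical, records are constructed test data.
RID_BRAND = {"A000000003": "visa", "A000000004": "mastercard"}  # RID = first 5 AID bytes
CONSISTENT = "8407A00000000310105A084111111111111111"            # Visa AID, Visa test PAN
MIXUP = "8407A00000000310109F02060000000010005A085555555555554444"  # Visa AID, Mastercard PAN

def parse_tlv(data: bytes) -> dict:
    """Walk a flat BER-TLV buffer (no nested templates) into {tag_hex: value}."""
    out, i = {}, 0
    while i < len(data):
        start = i
        i += 2 if data[i] & 0x1F == 0x1F else 1      # one- or two-byte tag
        if i >= len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[start:i].hex().upper(), data[i]
        i += 1
        if length & 0x80:                            # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated TLV value")
        out[tag] = data[i:i + length]
        i += length
    return out

def brand_from_pan(pan: str):
    """Map a PAN to a brand by its issuer prefix; None if not Visa/Mastercard."""
    if not pan.isdigit() or len(pan) < 12:
        return None
    if pan[0] == "4":
        return "visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    return None

def check_brand_consistency(record_hex: str) -> str:
    """Return 'ok', 'mismatch' or 'unknown' for one hex-encoded TLV record."""
    tlv = parse_tlv(bytes.fromhex(record_hex))
    aid = tlv.get("84") or tlv.get("4F")             # DF name, else AID
    pan_raw = tlv.get("5A")                          # BCD digits, padded with F
    if aid is None or pan_raw is None:
        return "unknown"
    aid_brand = RID_BRAND.get(aid[:5].hex().upper())
    pan_brand = brand_from_pan(pan_raw.hex().upper().rstrip("F"))
    if aid_brand is None or pan_brand is None:
        return "unknown"
    return "ok" if aid_brand == pan_brand else "mismatch"
```

A record returning `mismatch` carries a PAN and an application identifier from different brands, which is the condition the attack relies on the terminal accepting.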