Vulnerable product:
Visa Tokenisation Service (VTS), MasterCard Tokenisation Service (MDES)
Severity:
Severity level: Medium
AAC/ARQC cryptogram confusion
Access Vector: Remote
CVSS v3.0
Base Score: 4.9
Vector: (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Vulnerability description:
When an AAC (Application Authentication Cryptogram) is requested, it can be substituted and presented to the tokeniser as an ARQC (Authorisation Request Cryptogram). Moreover, when the mobile phone declines the transaction due to risk management, some mobile wallets provide the AAC cryptogram and the ATC (Application Transaction Counter), which can be used to authorise transactions. This means that a stolen UN/cryptogram/ATC pair (UN being the Unpredictable Number) can be used to make purchases.
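One way a tokeniser or issuer host could screen for the condition described above, as an added example that is not code from the advisory or from Visa or MasterCard: it reads the Cryptogram Information Data (tag 9F27, cryptogram type in bits 8-7 as defined in EMV Book 3) and tracks the ATCs seen per token. The function names, the `seen_atc` store and the sample bytes are assumptions constructed for illustration.

```python
# Added example: host-side screening of EMV chip data. All values are constructed.
CID_TYPES = {0b00: "AAC", 0b01: "TC", 0b10: "ARQC", 0b11: "RFU"}  # CID bits 8-7
REQUIRED = {"9F26", "9F27", "9F36", "9F37"}  # cryptogram, CID, ATC, UN

def parse_tlv(data: bytes) -> dict:
    """Parse a flat run of primitive BER-TLV objects into {tag_hex: value}."""
    out, i = {}, 0
    try:
        while i < len(data):
            start = i
            if data[i] & 0x1F == 0x1F:        # multi-byte tag
                i += 1
                while data[i] & 0x80:
                    i += 1
            i += 1
            tag = data[start:i].hex().upper()
            length = data[i]
            i += 1
            if length & 0x80:                 # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            if i + length > len(data):
                raise ValueError("truncated TLV")
            out[tag] = data[i:i + length]
            i += length
    except IndexError:
        raise ValueError("truncated TLV") from None
    return out

def screen(token: str, emv: bytes, seen_atc: dict) -> str:
    """Hypothetical pre-check run before cryptogram verification."""
    tags = parse_tlv(emv)
    if REQUIRED - tags.keys() or len(tags["9F27"]) != 1:
        return "DECLINE: malformed chip data"
    kind = CID_TYPES[tags["9F27"][0] >> 6]
    atc = int.from_bytes(tags["9F36"], "big")
    used = seen_atc.setdefault(token, set())
    replayed = atc in used
    used.add(atc)                             # an ATC seen with an AAC is spent too
    if kind != "ARQC":
        return f"DECLINE: {kind} presented for authorisation"
    if replayed:
        return f"DECLINE: ATC {atc} already seen"
    return "CONTINUE: verify cryptogram"

def sample(cid: int, atc: int) -> bytes:  # constructed data: dummy cryptogram and UN
    return (bytes.fromhex("9F2608") + bytes(8) + bytes([0x9F, 0x27, 1, cid])
            + bytes.fromhex("9F3602") + atc.to_bytes(2, "big")
            + bytes.fromhex("9F3704") + bytes(4))
```

A request that passes this screen still goes to full cryptogram verification; the screen only rejects a declared AAC and any ATC that has already been observed for the same token.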
Advisory status:
October, 2021 - Vendor notification date
Credits:
Timur Yunusov
Vendor:
Visa Inc, MasterCard Inc.