PT-2021-07: GPay payments above NoCVM limits, CryptoATC out of order

MEDIUM
(5.3) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Vulnerable product:

MasterCard Tokenisation Service (MDES)

Severity:

Severity level: Medium
Access Vector: Physical

CVSS v3.0
Base Score: 5.3
Vector: (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Vulnerability description:

Mobile wallets are built on top of the EMV standards, and those standards leave some mandatory fields out of the cryptogram input. These fields are relied on during risk-management steps, so tampering with them does not invalidate the cryptogram and can bypass payment restrictions such as NoCVM limits.
During transaction authorisation, MDES does not decline payments whose Application Transaction Counter (ATC) arrives out of order. This makes the attack feasible even inside the EU region, where an attacker is limited to only five transactions: even five stolen transactions give a 10-20% success rate.
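The two weaknesses above, shown in a simplified issuer-side model. This is an added illustration, not code from the advisory or from MDES: the cryptogram is a truncated HMAC over a handful of fields, the `cvm_performed` flag stands in for a risk-management field that the cryptogram does not cover (which real fields are left out is not stated on this page), and the key, token names, amounts and the NoCVM limit are all constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field, replace

# Constructed demo key; stands in for the per-token session key.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed NoCVM limit in minor units (e.g. 50.00).
NO_CVM_LIMIT = 5000


@dataclass
class Txn:
    token: str
    atc: int                 # Application Transaction Counter
    amount: int              # minor units
    unpredictable_number: int
    cvm_performed: bool      # hypothetical risk-management field NOT bound by the cryptogram
    cryptogram: bytes = b""


def cryptogram_input(txn):
    # Toy model: token, ATC, amount and UN are bound; cvm_performed is deliberately left out,
    # mirroring the advisory's point that some mandatory fields are outside the cryptogram input.
    return f"{txn.token}|{txn.atc}|{txn.amount}|{txn.unpredictable_number}".encode()


def sign(txn):
    txn.cryptogram = hmac.new(SESSION_KEY, cryptogram_input(txn), hashlib.sha256).digest()[:8]
    return txn


def cryptogram_valid(txn):
    expected = hmac.new(SESSION_KEY, cryptogram_input(txn), hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, txn.cryptogram)


def tamper(txn, **changes):
    # Modify authorisation-message fields after the wallet has produced the cryptogram.
    return replace(txn, **changes)


@dataclass
class IssuerState:
    last_atc: dict = field(default_factory=dict)  # highest ATC seen per token


def authorise(state, txn, enforce_atc_order):
    """Issuer/token-service decision. enforce_atc_order=False models the behaviour the
    advisory reports (out-of-order ATC is not declined); True is the hardened check."""
    if not cryptogram_valid(txn):
        return "DECLINE: bad cryptogram"
    if txn.amount > NO_CVM_LIMIT and not txn.cvm_performed:
        return "DECLINE: above NoCVM limit without CVM"
    last = state.last_atc.get(txn.token, -1)
    if enforce_atc_order and txn.atc <= last:
        return "DECLINE: ATC out of order"
    state.last_atc[txn.token] = max(last, txn.atc)
    return "APPROVE"


def demo_tamper():
    """The wallet signs a NoCVM payment above the limit and the issuer declines it.
    Flipping the unbound cvm_performed flag in the message leaves the cryptogram valid."""
    honest = sign(Txn("token-1", atc=7, amount=12000, unpredictable_number=0xCAFE, cvm_performed=False))
    honest_result = authorise(IssuerState(), honest, enforce_atc_order=True)
    forged = tamper(honest, cvm_performed=True)
    forged_result = authorise(IssuerState(), forged, enforce_atc_order=True)
    return honest_result, forged_result


def demo_harvest(enforce_atc_order):
    """Five cryptograms collected earlier from the victim's wallet (ATC 20..24) are replayed
    after the victim has legitimately paid at ATC 25."""
    state = IssuerState()
    harvested = [
        sign(Txn("token-2", atc=20 + i, amount=1500, unpredictable_number=i, cvm_performed=False))
        for i in range(5)
    ]
    victim = sign(Txn("token-2", atc=25, amount=900, unpredictable_number=99, cvm_performed=False))
    authorise(state, victim, enforce_atc_order)
    return [authorise(state, t, enforce_atc_order) for t in harvested]


if __name__ == "__main__":
    print("tamper:", demo_tamper())
    print("harvest, no ATC check:", demo_harvest(enforce_atc_order=False))
    print("harvest, ATC check:   ", demo_harvest(enforce_atc_order=True))
```

Changing a field that the cryptogram does cover (the amount, for instance) still fails verification, so the exposure is exactly the set of fields left out of the cryptogram input; and the harvested set is only useful while the issuer tolerates an ATC lower than the one it already holds for that token, which is why a strict monotonicity check defeats the replay even when the attacker holds several valid cryptograms.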

Advisory status:

October, 2021 - Vendor notification date

Credits:

Timur Yunusov
