Vulnerable product:
MasterCard Tokenisation Service (MDES)
Severity:
Severity level: Medium
GPay payments above NoCVM limits, CryptoATC out of order
Access Vector: Local
CVSS v3.0
Base Score: 5.3
Vector: (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Vulnerability description:
EMV standards which are used as a predecessor of mobile wallets, do not put some mandatory fields as a cryptogram input. These fields are crucial for risk management steps, and their tampering can bypass payment restrictions.
During the transaction authorisation, MDES does not decline payments with ATC out of order. That makes attacks possible even inside the EU region where hackers are limited to only five transactions. Even five stolen transactions give a probability of 10-20% success rate.
Advisory status:
October, 2021 - Vendor notification date
Credits:
Timur Yunusov
Get in touch
will contact you shortly