PT-2021-07: GPay payments above NoCVM limits, CryptoATC out of order
MasterCard Tokenisation Service (MDES)
Severity level: Medium
Access Vector: Local
Base Score: 5.3
The EMV standards on which mobile wallets are built do not include some mandatory fields in the cryptogram input. These fields are crucial for risk-management steps, and tampering with them can bypass payment restrictions.
During transaction authorisation, MDES does not decline payments whose ATC is out of order. This makes attacks possible even inside the EU region, where an attacker is limited to only five transactions; even five stolen transactions give a 10-20% success rate.
Vendor notification date: October 2021
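The compensating controls an issuer or token service can apply on its own side, as an added illustration (this is not MasterCard's or MDES's code): a strictly increasing ATC check that declines replayed or out-of-sequence cryptograms, plus server-side enforcement of the NoCVM amount limit and the consecutive-NoCVM counter. The limit, gap tolerance and the `TokenState`/`Txn` types are assumptions; only the "five transactions" figure comes from the advisory.

```python
from dataclasses import dataclass

@dataclass
class TokenState:
    """Per-token issuer-side state (constructed for this example)."""
    last_atc: int = -1   # highest ATC accepted so far
    no_cvm_run: int = 0  # consecutive approved NoCVM transactions

@dataclass
class Txn:
    atc: int             # Application Transaction Counter from the cryptogram
    amount: int          # in minor currency units
    cvm_performed: bool  # whether a cardholder verification method was applied

# Assumed policy values; only NO_CVM_MAX_RUN reflects the advisory's "five transactions".
NO_CVM_LIMIT = 5000    # 50.00 in minor units (assumption)
NO_CVM_MAX_RUN = 5     # consecutive NoCVM approvals before CVM is required
ATC_MAX_GAP = 10       # tolerated skipped counters from offline declines (assumption)

def authorize(state: TokenState, txn: Txn) -> str:
    """Return 'approve' or a decline reason; state is updated only on approval."""
    # 1. ATC must be strictly increasing. An ATC at or below the last accepted
    #    value is a replay or an out-of-sequence cryptogram; the advisory notes
    #    that MDES does not decline on this condition, so the issuer must.
    if txn.atc <= state.last_atc:
        return "decline:atc_out_of_order"
    if state.last_atc >= 0 and txn.atc - state.last_atc > ATC_MAX_GAP:
        return "decline:atc_gap_too_large"
    # 2. Amount and CVM results are outside the cryptogram input, so they must
    #    be enforced server-side instead of trusting the terminal's decision.
    if not txn.cvm_performed:
        if txn.amount > NO_CVM_LIMIT:
            return "decline:amount_above_nocvm_limit"
        if state.no_cvm_run >= NO_CVM_MAX_RUN:
            return "decline:nocvm_counter_exhausted"
        state.no_cvm_run += 1
    else:
        state.no_cvm_run = 0   # a CVM transaction resets the NoCVM run
    state.last_atc = txn.atc
    return "approve"
```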