Relay Protection for Visa

The essence.
Visa proposed a relay-protection mechanism we call **Visa-L1**. Its security relies on two assumptions:
  1. The attacker cannot change the UID of a card or mobile phone.
  2. ISO 14443 messages cannot be relayed because of strict timing constraints.

We showed both assumptions are false.
By using two NFC-enabled Android phones — only one of which must be rooted — we were able to set an arbitrary UID, relay EMV messages, and completely bypass Visa-L1’s protection.

Skill.

This attack is **moderately difficult**, but far from impossible:
  • A rooted Android phone can act as a card emulator with a spoofed UID.
  • A second phone acts as the reader emulator, forwarding the victim card’s UID.
  • EMV APDUs are then relayed straightforwardly, with no special timing tricks.

Rooting a device requires technical skill, but the rest of the attack is simple once UID control is obtained.

Reasons.

The core protocol weaknesses enabling this attack are:
  • Visa-L1 includes the UID only in encrypted card-side data.
    The UID is sent by the card, encrypted, and checked later, but all randomness comes only from the card, not the reader.

  • Because the attacker controls the card-side device, they can:
    • set any arbitrary UID,
    • control the “random” value sent by the card,
    • relay all other EMV messages verbatim.

  • No reader-side randomness means there is no value that the attacker cannot fully predict or reproduce.

  • UID rewriting on rooted Android devices is possible, defeating Visa’s assumption that UIDs are unchangeable.

Methodology.

As the figure below shows, our attack setup required:

![Visa-L1 diagram](./setup_visal1.png "Visa-L1 Attack Setup")

  • Two NFC-enabled Android phones
    • Phone A: reader emulator, unmodified.
    • Phone B: card emulator, rooted (to set arbitrary UID).
  • Step 1 — Read victim card UID.
    Phone A reads the UID of a genuine Visa-L1 card.

  • Step 2 — Transmit UID to Phone B.
    The UID is forwarded over any channel (Wi-Fi, Bluetooth, etc.).

  • Step 3 — Phone B sets its UID.
    Using root-level NFC stack control, Phone B overwrites its own device UID.

  • Step 4 — Relay EMV messages.
    EMV APDUs between reader and card are relayed normally.
    Since Visa-L1 checks only the encrypted UID sent by the card side, the attack succeeds.

This works because the protocol relies entirely on a card-originated value that attackers can manipulate.
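The following is an added example, not code from the original page and not Visa's actual Visa-L1 construction. It models the reader-side check described in the Reasons and Methodology sections as a small Python simulation: the reader takes the UID it observes during ISO 14443 anti-collision and verifies that the card's protected payload binds to that same UID. Assumptions (all constructed for the model): a symmetric key shared between card and reader, an HMAC over the UID and the card-chosen random value standing in for the unspecified encryption, 4-byte UID values, and an emulator whose "spoofed" UID is simply a field, so no NFC behaviour is involved. The simulation shows that the check passes both a genuine card and a relayed genuine card whose emulator presents the same UID, and fails only when the presented UID differs; in other words, the check rests entirely on assumption 1, and nothing the reader contributes enters the computation.

```python
import hmac
import hashlib
import os
from dataclasses import dataclass

# Constructed key standing in for whatever key material the real protocol uses (assumption).
ISSUER_KEY = b"\x01" * 16
RANDOM_LEN = 8  # length of the card-chosen random value in this model (assumption)


def protect(key: bytes, uid: bytes, card_random: bytes) -> bytes:
    """Card side: produce the protected payload that binds the card's UID to a
    card-chosen random value. HMAC stands in for the unspecified encryption;
    only the binding property matters for the model."""
    tag = hmac.new(key, uid + card_random, hashlib.sha256).digest()
    return card_random + tag


def reader_check(key: bytes, observed_uid: bytes, payload: bytes) -> bool:
    """Reader side: recompute the binding using the UID seen during anti-collision.
    Note that no reader-chosen value is part of the computation."""
    card_random, tag = payload[:RANDOM_LEN], payload[RANDOM_LEN:]
    expected = hmac.new(key, observed_uid + card_random, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


@dataclass
class GenuineCard:
    uid: bytes

    def anticollision_uid(self) -> bytes:
        return self.uid

    def respond(self) -> bytes:
        # The card alone chooses the random value; the reader never contributes one.
        return protect(ISSUER_KEY, self.uid, os.urandom(RANDOM_LEN))


@dataclass
class RelayingEmulator:
    """Model of Phone B: presents a chosen UID to the reader and returns the
    genuine card's payload as fetched by Phone A. The UID is a plain field
    here; the model says nothing about how a device would set it."""
    presented_uid: bytes
    genuine: GenuineCard

    def anticollision_uid(self) -> bytes:
        return self.presented_uid

    def respond(self) -> bytes:
        return self.genuine.respond()  # relayed verbatim through Phone A


def run_transaction(reader_key: bytes, card_like) -> bool:
    """One transaction as seen by the reader: observe the UID, then verify the payload."""
    observed = card_like.anticollision_uid()
    return reader_check(reader_key, observed, card_like.respond())


def demo() -> tuple:
    """Returns (genuine_direct, relay_with_same_uid, relay_with_other_uid)."""
    victim = GenuineCard(uid=bytes.fromhex("04a1b2c3"))  # constructed 4-byte UID
    direct = run_transaction(ISSUER_KEY, victim)
    same_uid_relay = run_transaction(ISSUER_KEY, RelayingEmulator(victim.uid, victim))
    other_uid_relay = run_transaction(
        ISSUER_KEY, RelayingEmulator(bytes.fromhex("08112233"), victim)  # constructed UID
    )
    return direct, same_uid_relay, other_uid_relay


if __name__ == "__main__":
    direct, same_uid, other_uid = demo()
    print(f"genuine card presented directly : {'accepted' if direct else 'rejected'}")
    print(f"relayed, emulator presents same UID: {'accepted' if same_uid else 'rejected'}")
    print(f"relayed, emulator presents other UID: {'accepted' if other_uid else 'rejected'}")
```

The only transaction the model rejects is the one where the presented UID differs from the one inside the relayed payload. The model is deliberately reader-side only: there is no timing measurement and no reader nonce, because the page's point is that the check as described depends on neither, which is why relaying the payload verbatim behind a matching UID is indistinguishable from a genuine tap.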

Disclosure.

We discussed this vulnerability with Visa.

Visa stated that Visa-L1 is intended to protect against attackers using unmodified devices, and that they consider rooting an Android smartphone “difficult” and requiring significant expertise.
Nonetheless, the protocol in its proposed form cannot prevent relay attacks when UID manipulation is possible.