PT-2021-04: AAC/ARQC cryptogram confusion

Visa Tokenisation Service (VTS), MasterCard Tokenisation Service (MDES)


Severity level: Medium
AAC/ARQC cryptogram confusion
Access Vector: Remote

CVSS v3.0
Base Score: 4.9
Vector: (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability description:

When an AAC cryptogram is requested, it can be substituted and presented to the tokeniser as an ARQC cryptogram. Moreover, when mobile phone declines the transaction due to risk management, some mobile wallets provide the AAC cryptogram and ATC, which can be used to authorise transactions. That means that stolen UN/cryptogram/ATC pair can be used for making purchases.

Advisory status:

October, 2021 - Vendor notification date


Timur Yunusov