PT-2021-04: AAC/ARQC cryptogram confusion

Visa Tokenisation Service (VTS), MasterCard Tokenisation Service (MDES)

Severity:
Severity level: Medium
AAC/ARQC cryptogram confusion
Access Vector: Remote
CVSS v3.0 Base Score: 4.9
Vector: (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability description:
When an AAC cryptogram is requested, it can be substituted and presented to the tokeniser as an ARQC cryptogram. Moreover, when the mobile phone declines the transaction due to risk management, some mobile wallets provide the AAC cryptogram and ATC, which can be used to authorise transactions. This means that a stolen UN/cryptogram/ATC pair can be used for making purchases.

Advisory status:
October, 2021 - Vendor notification date

Credits:
Timur Yunusov