In a statement, the researchers said they had found a similar way to get past VISA cards in September last year.
They said the attackers exploited the data exchanged between the card and the payment terminal by using an Android app that they had created and two NFC-enabled mobile phones.
"The app falsely signalled to the card terminal that no PIN was required to authorise the payment and that the card owner’s identity had been verified. Initially, the method worked only on VISA cards, as other providers use a different protocol," the statement said.
In the case of Mastercard, the researchers used a different method. “Our method tricks the terminal into thinking that a Mastercard card is a VISA card,” explained Jorge Toro, a member of the university's Information Security Group and an author of the research paper.
He added that two sessions had to run concurrently for it to work: "the card terminal performs a VISA transaction, while the card itself performs a Mastercard transaction".
These methods were used successfully on two Mastercard credit cards and two Maestro debit cards issued by four different banks.
Mastercard was informed of the vulnerability. "It was both enjoyable and exciting to work with the company on this," said Toro.
The statement said Mastercard updated relevant safeguards and asked the researchers to try the same attack again, and this time it failed.
The researchers will present their paper at the USENIX Security ’21 symposium in August.