Top

Published in:

2018 | OriginalPaper | Chapter

Secure Contactless Payment

Authors : Handan Kılınç, Serge Vaudenay

Published in: Information Security and Privacy

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

A contactless payment lets a card holder execute payment without any interaction (e.g., entering PIN or signing) between the terminal and the card holder. Even though the security is the first priority in a payment system, the formal security model of contactless payment does not exist. Therefore, in this paper, we design an adversarial model and define formally the contactless-payment security against malicious cards and malicious terminals including relay attacks. Accordingly, we design a contactless-payment protocol and show its security in our security model. At the end, we analyze EMV-contactless which is a commonly used specification by most of the mobile contactless-payment systems and credit cards in Europe. We find that it is not secure against malicious cards. We also prove its security against malicious terminals in our model. This type of cryptographic proof has not been done before for the EMV specification.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Post-Quantum One-Time Linkable Ring Signature and Application to Ring Confidential Transactions in Blockchain (Lattice RingCT v1.0)

next chapter New Attacks and Secure Design for Anonymous Distance-Bounding

\( \mathsf {Out}_I = 0 \) or \( \mathsf {Out}_T = 0\) mean canceling and \( \mathsf {Out}_I = 1 \) or \( \mathsf {Out}_T = 1\) mean accepting.

The \( \mathsf {Policy} \) checks the execution right of a card depending on the bank policy. So, we do not discuss about how this verification happens.

Contactless payment market by solution (payment terminal, mobile payment, transaction and data management, security and fraud management), service (professional, managed), payment mode (mobile handsets, smart cards), vertical - global forecast to 2021. https://www.marketsandmarkets.com/Market-Reports/contactless-payments-market-1313.html

EMV Acquirer and Terminal Security Guidelines

EMV Contactless Specifications for Payment Systems, Book C-2: Kernel 2 Specification

EMV Integrated Circuit Card Specifications for Payment Systems, Book 2: Security and Key Management

EMVCo: EMV Contactless Specifications for Payment Systems, Version 2.4 (2014)

Avoine, G., Bultel, X., Gambs, S., Gérault, D., Lafourcade, P., Onete, C., Robert, J.-M.: A terrorist-fraud resistant and extractor-free anonymous distance-bounding protocol. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 800–814. ACM (2017)

Bond, M., Choudary, M.O., Murdoch, S.J., Skorobogatov, S., Anderson, R.: Be prepared: the EMV preplay attack. IEEE Secur. Priv. 13(2), 56–64 (2015)CrossRef

Bond, M., Choudary, O., Murdoch, S.J., Skorobogatov, S., Anderson, R.: Chip and skim: cloning EMV cards with the pre-play attack. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 49–64. IEEE (2014)

Boureanu, I., Mitrokotsa, A., Vaudenay, S.: Secure and lightweight distance-bounding. In: Avoine, G., Kara, O. (eds.) LightSec 2013. LNCS, vol. 8162, pp. 97–113. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40392-7_8CrossRefMATH

10.

Boureanu, I., Vaudenay, S.: Optimal proximity proofs. In: Lin, D., Yung, M., Zhou, J. (eds.) Inscrypt 2014. LNCS, vol. 8957, pp. 170–190. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16745-9_10CrossRef

11.

Brands, S., Chaum, D.: Distance-bounding protocols (extended abstract). In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_30CrossRef

12.

Bultel, X., Gambs, S., Gérault, D., Lafourcade, P., Onete, C., Robert, J.-M.: A prover-anonymous and terrorist-fraud resistant distance-bounding protocol. In: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pp. 121–133. ACM (2016)

13.

Chandran, N., Goyal, V., Moriarty, R., Ostrovsky, R.: Position based cryptography. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 391–407. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_23CrossRef

14.

Chothia, T., Garcia, F.D., de Ruiter, J., van den Breekel, J., Thompson, M.: Relay cost bounding for contactless EMV payments. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 189–206. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_11CrossRef

15.

Clulow, J., Hancke, G.P., Kuhn, M.G., Moore, T.: So near and yet so far: distance-bounding attacks in wireless networks. In: Buttyán, L., Gligor, V.D., Westhoff, D. (eds.) ESAS 2006. LNCS, vol. 4357, pp. 83–97. Springer, Heidelberg (2006). https://doi.org/10.1007/11964254_9CrossRef

16.

Cremers, C., Rasmussen, K.B., Schmidt, B., Capkun, S.: Distance hijacking attacks on distance bounding protocols. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 113–127. IEEE (2012)

17.

Drimer, S., Murdoch, S.J., et al.: Keep your enemies close: distance bounding against smartcard relay attacks. In: USENIX security symposium, vol. 312 (2007)

18.

Francillon, A., Danev, B., Capkun, S.: Relay attacks on passive keyless entry and start systems in modern cars. In: NDSS (2011)

19.

Francis, L., Hancke, G., Mayes, K., Markantonakis, K.: Practical NFC peer-to-peer relay attack using mobile phones. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 35–49. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16822-2_4CrossRef

20.

Kılınç, H., Vaudenay, S.: Efficient public-key distance bounding protocol. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 873–901. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_29CrossRef

21.

Kılınç, H., Vaudenay, S.: Contactless access control based on distance bounding. In: Nguyen, P., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 195–213. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69659-1_11CrossRef

22.

Markantonakis, K., Francis, L., Hancke, G., Mayes, K.: Practical relay attack on contactless transactions by using NFC mobile phones. In: Radio Frequency Identification System Security: RFIDsec, vol. 12, p. 21 (2012)

23.

Roland, M., Langer, J.: Cloning credit cards: a combined pre-play and downgrade attack on EMV contactless. In: WOOT (2013)

24.

Vaudenay, S.: On modeling terrorist frauds. In: Susilo, W., Reyhanitabar, R. (eds.) ProvSec 2013. LNCS, vol. 8209, pp. 1–20. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41227-1_1CrossRefMATH

25.

Vaudenay, S.: On privacy for RFID. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 3–20. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26059-4_1CrossRef

26.

Vaudenay, S.: Private and secure public-key distance bounding: application to NFC payment. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 207–216. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_12CrossRef

27.

Vaudenay, S.: Sound proof of proximity of knowledge. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 105–126. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26059-4_6CrossRef

28.

Weiß, M.: Performing relay attacks on ISO 14443 contactless smart cards using NFC mobile equipment. Master’s thesis in Computer Science, University of Munich (2010)

Title: Secure Contactless Payment
Authors: Handan Kılınç
Serge Vaudenay
Publisher: Springer International Publishing
Book: Information Security and Privacy
Print ISBN: 978-3-319-93637-6

Electronic ISBN: 978-3-319-93638-3

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-93638-3_33

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner