Conference Paper

Risks of Offline Verify PIN on Contactless Cards

Abstract

Contactless card payments are being introduced around the world, allowing customers to pay for small purchases by simply placing a card onto the Point of Sale terminal. Contactless transactions do not require verification of the cardholder’s PIN. However, our research has found that the redundant verify PIN functionality is present on the most commonly issued contactless credit and debit cards currently in circulation in the UK. This paper presents a plausible attack scenario which exploits contactless verify PIN to give unlimited attempts to guess the cardholder’s PIN without their knowledge. It also gives experimental data to demonstrate the practical viability of the attack, as well as references to support our argument that contactless verify PIN is redundant functionality which compromises the security of payment cards and the cardholder.

... In principle, payment protocols are designed to be secure, with adequate and effective cryptographic methods employed to ensure confidentiality, integrity, authentication, identification, etc. In practice, relevant attacks [9,17,19,18] still occur in the industry, with financial fraud related to payment systems rising in the last few years: for example, in the UK, there has been an 80 percent increase in the value of losses between 2011 and 2016, when the fraud losses were £618 million [24]. ...
... This has proved to be effective in both documenting decisions precisely [20,21,25], and detecting significant protocol flaws early in the development process [19,18], way before deployment or actual implementations. Specifically, it is a variation of a successful industry approach by Praxis (now Altran UK, see www.adacore.com/sparkpro/tokeneer), ...
Article
The EMVCo (EMV® is a registered trademark or trademark of EMVCo, LLC in the US and other countries.) organisation (i.e. MasterCard, Visa, etc.) protocols facilitate worldwide interoperability of secure electronic payments. Despite recent advances, it has proved difficult for academia to provide an acceptable solution to construction of secure applications within industry’s constraints. In this paper, we describe a methodology we have applied to EMV1. It involves domain specific languages and verification tools targeting different analysis of interest. We are currently collaborating with EMVCo on their upcoming EMV® 2nd Generation (EMV2) specifications.
... Now, all that the culprit needs is to get a glimpse or an image of your debit card that contains your card number, expiry date and CCV number which is not a big deal considering the current technical advancements. It should be noted here, now the customer will be exposed to on-line frauds which requires the above mentioned obstacles [3], [4]. ...
... For the issue of speed of setting a transaction, the transaction initiator must be a merchant [3]. This is because the merchants generally possess a more reliable and continuous connection with the third party involved in the transaction, who could be either a bank or any other service provider. ...
Conference Paper
Debit card or ATM card frauds had been a major sector of concern due to which Reserve Bank of India (RBI) has set new guidelines since December 1, 2013. Now you will have to enter your personal identification number (PIN) every time you swipe your card at any merchant outlet. Taking the existing state of affairs into consideration, in this paper the conventional security issues of the use of ATM and debit cards are discussed along with the feasibility of other alternatives. Then, the research paper will propose a model for secure use of the debit cards and ATM cards via Chaos function and QR code (DACQ model) that bolsters both speed and security without confounding the process or making it undesirable to users.
... Contactless cards are always on and a malicious reader in the proximity of such a device is able to trigger a response from the card, without the user's awareness. A number of security and privacy violations have been reported in the literature exploiting such unauthorised readings [17]. More security attacks include different types of relay attacks such as Man-in-The-Middle and Mafia attacks [18,21,30,35]. ...
... An advanced attack might even pretend to be the user's bank by presenting this shopping information to her and tricking her to reveal her credentials via social engineering techniques. This attack in this paper can be even more impactful if the malicious app turns into the reader mode and extracts the card's information as suggested by Emms et al. [17]. Once the information is extracted, the app goes to the card mode for the rest of the attack. ...
Conference Paper
In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and that instead it should notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card based on comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice does not follow EMV’s card collision algorithm, nor does it match the card collision procedure specified in ISO. Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user’s privacy by collecting the user’s payment details. We design and implement a malicious app simulating an NFC card which the user needs to install on her phone. When she aims to pay contactlessly while placing her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a card), it proceeds with the EMV protocol. We show the app can retrieve from the terminal the transaction data, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race condition caused by card collisions around 66 % when testing with different cards. By suggesting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.
... Limit Bypass is considered "partially replicable", with the attack in [5] being patched and the attack in [13] being impossible to replicate (due to the removing of the offline PIN verification in contactless payment), while [6,7,12,20] are still replicable. These active threats can target both cards and phones, require two NFC readers, and can be executed without compromising terminals. ...
Preprint
Contactless payment remains one of the most popular payment methods in the UK, accessible through contactless cards, mobile phones, and wearable devices. However, there are several vulnerabilities associated with this payment method, leading to various attacks. While the technical aspects of these attacks have been extensively studied in the literature, the user perspective remains relatively under-explored. In this paper, we study users' perceptions about contactless payment attacks and vulnerabilities. Initially, we assess the technical feasibility of the existing attacks on contactless payment systems. Subsequently, we present a user survey involving 150 participants from the UK, examining their perceptions of contactless payment systems and attacks. We explore their familiarity with the system, their concerns and understanding of the attack categories, and the protective steps they take. Finally, we compare users' perceptions with our evaluation of the technical feasibility of contactless payment attacks. We find that while users accurately interpret some attacks, they tend to overestimate certain attacks while underestimating others. In addition, in terms of protective actions, we find that despite the availability of effective protective measures, users tend to employ only basic steps to protect against attacks. These findings highlight a gap between the user's perception of contactless payment attacks and their technical feasibility. We offer a set of recommendations, including enhancements to the security of contactless payment systems as well as targeted education for users.
... It was precisely the use of contactless payment, as well as bank transactions via the Internet in general, that became particularly important during the coronavirus pandemic, where the non-cash payment method was emphasized, which made it imperative to provide additional protection of the channels through which tourists used to make transactions, as well as to generally increase the security of such transactions (Emms et al., 2013). However, despite this, through the research, it was identified that an insufficient number of authors perceive and research the importance of ensuring cyber security in tourist destinations, which can be an opportunity for new researchers who are just starting to research this area, but on the other hand, it can also represent a significant problem, since the lack of research can also mean the impossibility of practitioners creating protection mechanisms. ...
Article
The topic of cyber security in tourism is of particular importance since tourists in foreign countries are one of the most vulnerable groups due to a lack of knowledge of languages, laws, etc. With the increase in the number of technologies that enable interactivity, contactless payments, i.e., informative content for tourists, risks for the security of tourists' data as well as risks related to the theft of data on tourists' bank cards are emerging. In order to identify the current knowledge, i.e., the current situation in the context of research on cyber security in tourism, a bibliometric analysis was conducted, which indicated that an insufficient number of authors research cyber security and that there is not a sufficient number of studies that would analyze the mechanisms and measures of increasing cyber security in tourism. The importance of researching cyber security in tourism is based on the fact that tourism is a particularly vulnerable and sensitive branch of the economy to risks that affect tourists as such, and that it can depend on the reputation of the country, institutions, or hotels. The bibliometric analysis conducted in this paper is significant for future researchers considering that it can serve as a basis for researchers' focus on specific areas of cyber security.
... They are responsible for major payment technologies, such as contact (Chip&Pin), contactless (Wave&Pay), 3D-Secure online payment validation, and so on. In practice, relevant attacks on EMV1 were discovered [2,4,6,5], with financial fraud related to payment systems rising in the last few years both in volume and type: for example, in the UK, there has been an 80 percent increase in value between 2011-16, when the fraud losses were £M618 [10]. ...
... Eavesdropping attacks occur when an adversary intercepts the radio frequency signals transmitted between a POS terminal and a contactless payment card from a distant location. Haselsteiner and Breitfuß [29] first described eavesdropping as an important security issue affecting wireless communication technologies in 2006 and ever since, there have been several research works on electronic pickpocketing [17,39] and eavesdropping on contactless payment cards [3,26]. ...
Conference Paper
Nowadays, contactless payments are becoming increasingly common as new smartphones, tablets, point-of-sale (POS) terminals and payment cards (often termed "tap-and-pay" cards) are designed to support Near Field Communication (NFC) technology. However, as NFC technology becomes pervasive, there have been concerns about how well NFC-enabled contactless payment systems protect individuals and organizations from emerging security and privacy threats. In this paper, we examine the security of contactless payment systems by considering the privacy threats and the different adversarial attacks that these systems must defend against. We focus our analysis on the underlying trust assumptions, security measures and technologies that form the basis on which contactless payment cards and NFC-enabled mobile wallets exchange sensitive transaction data with contactless POS terminals. We also explore the EMV and ISO standards for contactless payments and disclose their shortcomings with regards to enforcing security and privacy in contactless payment transactions. Our findings shed light on the discrepancies between the EMV and ISO standards, as well as how card issuing banks and mobile wallet providers configure their contactless payment cards and NFC-enabled mobile wallets based on these standards, respectively. These inconsistencies are disconcerting as they can be exploited by an adversary to compromise the integrity of contactless payment transactions.
Book
Actas de las Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) 2015
Article
A recent development emanating from RFID technology is Near Field Communication (NFC). Basically, NFC is a popular short range (< 10 cm) wireless communication technology with applications in areas sensitive to security and privacy concerns like contactless payment. Since NFC communications require very close proximity between two communicating devices (e.g., a smartcard and a terminal), it is generally believed that Man-in-the-Middle (MITM) attacks are practically infeasible here. Contrasting this belief, in this paper, we successfully establish a MITM attack in NFC communications between a passive tag and an active terminal. We carefully present the physical fundamentals of the attack, our engineering design, and results of a successful attack implementation. We then identify a potential vulnerability in existing contactless payment protocols due to the separation between card authentication and transaction authorization phases. We then show in this paper how an attacker can compromise the integrity of contactless payment using a malicious MITM smartcard, and also present multiple attack/victim scenarios to demonstrate the practicality of our contributions. We also conduct rigorous experimental studies to analyze both hardware and practical ramifications of our attack. Finally, we propose a countermeasure to detect the MITM attack based on experimental analysis, that does not demand any additional hardware.
Chapter
3 Domain Secure 2.0 (3DS 2.0) is the most prominent user authentication protocol for credit card based online payment. 3DS 2.0 relies on risk assessment to decide whether to challenge the payment initiator for second factor authentication information (e.g., through a passcode). The 3DS 2.0 standard itself does not specify how to implement transaction risk assessment. The research questions addressed in this paper therefore are: how is transaction risk assessment implemented for current credit cards and are there practical exploits against the 3DS 2.0 risk assessment approach? We conduct a detailed reverse engineering study of 3DS 2.0 for payment using a browser, the first study of this kind. Through experiments with different cards, from different countries and for varying amounts, we deduce the data and decision making process that card issuers use in transaction risk assessment. We will see that card issuers differ considerably in terms of their risk appetite. We also demonstrate a practical impersonation attack against 3DS 2.0 that avoids being challenged for second factor authentication information, requiring no more data than obtained with the reverse engineering approach presented in this paper.
Conference Paper
This paper looks at relay attacks against contactless payment cards, which could be used to wirelessly pickpocket money from victims. We discuss the two leading contactless EMV payment protocols (Visa’s payWave and MasterCard’s PayPass). Stopping a relay attack against cards using these protocols is hard: either the overhead of the communication is low compared to the (cryptographic) computation by the card or the messages can be cached before they are requested by the terminal. We propose a solution that fits within the EMV Contactless specification to make a payment protocol that is resistant to relay attacks from commercial off-the-shelf devices, such as mobile phones. This solution does not require significant changes to the cards and can easily be added to existing terminals. To prove that our protocol really does stop relay attacks, we develop a new method of automatically checking defences against relay attacks using the applied pi-calculus and the tool ProVerif.
Conference Paper
Near Field Communication (NFC) is a short-range contactless communication standard recently emerging as cashless payment technology. However, NFC has been proved vulnerable to several threats, such as eavesdropping, data modification, and relay attacks. A relay attack forwards the entire wireless communication, thus communicating over larger distances. In this paper, we review and discuss feasibility limitations when performing these attacks in Google’s Android OS. We also perform an in-depth review of the Android implementation of the NFC stack. We show an experiment proving its feasibility using off-the-shelf NFC-enabled Android devices (i.e., no custom firmware nor root required). Thus, Android NFC-capable malicious software might appear before long to virtually pickpocket contactless payment cards within its proximity.
Conference Paper
This paper introduces a new cardholder verification method using a multi possession-factor authentication with a distance bounding technique. It adds an extra level of security to the verification process and utilizes the idea of distance bounding which prevents many different security attacks. The proposed method gives the user the flexibility to add one or more extra devices and select the appropriate security level. This paper argues that the proposed method mitigates or removes many popular security attacks that are claimed to be effective in current card based payment systems, and it can help to reduce fraud on payment cards. Furthermore, the proposed method provides an alternative verification technique and enables cardholders with special needs to use the payment cards and make the payment system more accessible.
Conference Paper
We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smart-phone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11–18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
Article
This paper describes a potential attack on EMV 1 contactless payment cards which is low cost, high return and relatively easy to implement. This could have a serious impact on the security of EMV cards because it requires little investment or expertise to carry out successful card fraud, leading to more attacks being attempted. 3D Secure 2 payment authentication addresses the issue, but will only resolve it once all websites are protected by 3D Secure. This paper proposes a low cost solution to address the vulnerability, in which contactless payments cards would only be active when the cardholder wants to make a payment.
Article
Modern smartcards, capable of sophisticated cryptography, provide a high assurance of tamper resistance and are thus commonly used in payment applications. Although extracting secrets out of smartcards requires resources beyond the means of many would-be thieves, the manner in which they are used can be exploited for fraud. Cardholders authorize financial transactions by presenting the card and disclosing a PIN to a terminal without any assurance as to the amount being charged or who is to be paid, and have no means of discerning whether the terminal is authentic or not. Even the most advanced smartcards cannot protect customers from being defrauded by the simple relaying of data from one location to another. We describe the development of such an attack, and show results from live experiments on the UK's EMV implementation, Chip & PIN. We discuss previously proposed defences, and show that these cannot provide the required security assurances. A new defence based on a distance bounding protocol is described and implemented, which requires only modest alterations to current hardware and software. As far as we are aware, this is the first complete design and implementation of a secure distance bounding protocol. Future smartcard generations could use this design to provide cost-effective resistance to relay attacks, which are a genuine threat to deployed applications. We also discuss the security-economics impact to customers of enhanced authentication mechanisms.
Article
EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the card that no PIN was entered at all. The paper considers how the flaws arose, why they remained unknown despite EMV’s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken. This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems. It also demonstrates the need for the next version of EMV to be engineered properly.
Conference Paper
In this paper we investigate the possibility that a Near Field Communication (NFC) enabled mobile phone, with an embedded Secure Element (SE), could be used as a mobile token cloning and skimming platform. We show how an attacker could use a NFC mobile phone as such an attack platform by exploiting the existing security controls of the embedded SE and the available contactless APIs. To illustrate the feasibility of these actions we also show how to practically skim and emulate certain tokens typically used in payment and access control applications with a NFC mobile phone. Although such attacks can also be implemented on other contactless platforms, such as custom-built card emulators and modified readers, the NFC-enabled mobile phone has a legitimate form factor, which would be accepted by merchants and arouse less suspicion in public. Finally, we propose several security countermeasures for NFC phones that could prevent such misuse.