
NFC Payment Spy: A Privacy Attack on Contactless Payments

  • Conference paper
Security Standardisation Research (SSR 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10074)


Abstract

In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and that instead it should notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card based on comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice does not follow EMV’s card collision algorithm, nor does it match the card collision procedure specified in ISO.

Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user’s privacy by collecting the user’s payment details. We design and implement a malicious app simulating an NFC card, which the user needs to install on her phone. When she aims to pay contactlessly while placing her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a card), it proceeds with the EMV protocol. We show that the app can retrieve the transaction data from the terminal, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race condition caused by card collisions around 66 % of the time when testing with different cards. By presenting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.
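The two collision policies the abstract contrasts, as an added example that is not code from the paper: a model of the reader-side ISO/IEC 14443-3 Type A anticollision loop (select one card by comparing UID bits) next to the EMV Book D rule that a detected collision must stop the transaction. The UIDs, the function names and the choice of resolving a collided bit as 1 are assumptions made for the example.

```python
# Added example, not code from the paper: a model of the ISO/IEC 14443-3 Type A
# anticollision loop run by the reader (PCD) and of the EMV Book D rule that a
# detected collision must stop the transaction. UIDs below are constructed.
from typing import List, Optional, Tuple

UID_BITS = 32  # single-size UID: 4 bytes, each sent least-significant bit first


def uid_bits(uid: bytes) -> List[int]:
    """Bits of a 4-byte UID in the order a Type A card transmits them."""
    return [(b >> i) & 1 for b in uid for i in range(8)]


def anticollision_loop(uids: List[bytes], coll_bit_choice: int = 1) -> Tuple[bytes, int]:
    """Select one card by UID; return (selected UID, collisions detected).

    Each pass models one ANTICOLLISION frame: the PCD sends the UID prefix it
    already knows, every card whose UID matches that prefix answers with the
    remaining bits, and the first bit where answers differ is a collision. The
    PCD fixes that bit (assumed choice: 1) and repeats with the longer prefix.
    """
    if not uids:
        raise ValueError("no card in the field")
    cards = [(u, uid_bits(u)) for u in uids]
    known: List[int] = []
    collisions = 0
    while len(known) < UID_BITS:
        answering = [bits for _, bits in cards if bits[: len(known)] == known]
        for pos in range(len(known), UID_BITS):
            seen = {bits[pos] for bits in answering}
            if len(seen) > 1:  # 0 and 1 received at once: collision
                collisions += 1
                known.append(coll_bit_choice)
                break
            known.append(seen.pop())
    return next(u for u, bits in cards if bits == known), collisions


def terminal_decision(uids: List[bytes], follow_emv: bool) -> Tuple[str, Optional[bytes]]:
    """ISO behaviour proceeds with the UID-selected card; EMV Book D requires the
    reader to stop on any collision and tell the payer to present one card."""
    selected, collisions = anticollision_loop(uids)
    if follow_emv and collisions:
        return "NOTIFY_PAYER", None
    return "PROCEED", selected


# Constructed sample UIDs for a bank card and a phone emulating a card.
CARD = bytes([0x04, 0xA1, 0xB2, 0xC3])
PHONE = bytes([0x08, 0x11, 0x22, 0x33])

if __name__ == "__main__":
    print(terminal_decision([CARD, PHONE], follow_emv=True))   # ('NOTIFY_PAYER', None)
    print(terminal_decision([CARD, PHONE], follow_emv=False))  # ('PROCEED', CARD)
```

A terminal that follows EMV returns NOTIFY_PAYER whenever two UIDs are in the field; the behaviour reported in the paper corresponds to proceeding regardless of the collision count.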


Notes

  1. theukcardsassociation.org.uk/contactless_contactless_statistics/.

  2. nfcworld.com/nfc-phones-list/.

  3. For the rest of this paper, unless noted otherwise, by ISO standard we mean ISO/IEC 14443, and by EMV standard we mean EMV Contactless Specifications.

  4. In the rest of this paper, unless noted otherwise, by bank card we mean contactless payment card.

  5. developer.android.com/reference/android/nfc/Tag.html#getId.

  6. theukcardsassociation.org.uk/Contactless_(our_views)/index.asp.


Acknowledgement

We would like to thank Dr. Michael Ward from EMV and Digital Devices for his valuable help towards our better understanding of EMV contactless specifications. We would like to thank Dr. Martin Emms and Mr. Ehsan Toreini from Newcastle University for their help on performing the experiments of this work. We also thank all the anonymous reviewers of this paper. All experiments gained approval through Newcastle University’s research ethics processes. Feng Hao was supported by ERC Starting Grant No 306994, Aad van Moorsel was supported by EPSRC grant K006568.

Corresponding author

Correspondence to Maryam Mehrnezhad.


Appendices

A Experiment Results

In this section, we provide the detailed results of our Card and Phone Collision experiment. These results are presented in Table 4.

Table 4. Results of experiment A

B EMV and ISO Flowcharts

The collision detection procedure of EMV specification and Anticollision loop flowchart of ISO are presented in Figs. 5 and 6, respectively.

Fig. 5. Type A collision detection, taken from EMV contactless Book D.

Fig. 6. Anticollision loop, flowchart for PCD, taken from ISO/IEC 14443-3.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Mehrnezhad, M., Ali, M.A., Hao, F., van Moorsel, A. (2016). NFC Payment Spy: A Privacy Attack on Contactless Payments. In: Chen, L., McGrew, D., Mitchell, C. (eds) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science, vol 10074. Springer, Cham. https://doi.org/10.1007/978-3-319-49100-4_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-49100-4_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49099-1

  • Online ISBN: 978-3-319-49100-4
