Abstract
In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and that instead it should notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card based on comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice does not follow EMV’s card collision algorithm, nor does it match the card collision procedure specified in ISO.
Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user’s privacy by collecting the user’s payment details. We design and implement a malicious app simulating an NFC card which the user needs to install on her phone. When she aims to pay contactlessly while placing her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a card), it proceeds with the EMV protocol. We show the app can retrieve from the terminal the transaction data, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race caused by card collisions in around 66 % of trials when testing with different cards. By presenting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.
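The abstract contrasts two reader-side policies for the moment more than one card answers: EMV Contactless says stop and notify the payer, while ISO/IEC 14443-3 resolves the collision bit by bit on the UID and carries on with one card. The following Python model is an added illustration, not code from the paper, showing why the policy matters: under the ISO-style arbitration the outcome is fully determined by the UID bits and by which bit value the reader prefers at a collision (the `prefer_one` choice below is an assumption of this model; the standard leaves it to the reader), whereas an EMV-compliant terminal refuses to proceed at all. The UIDs are constructed sample values.

```python
"""Added model of reader card-collision handling (not the paper's code).

Two policies from the abstract are modelled:
  * EMV Contactless: if more than one card is in the field, the reader
    must not proceed and should notify the payer.
  * ISO/IEC 14443-3 Type A anticollision: the reader walks the UID bits in
    transmission order; at the first bit where the cards differ it commits
    to one value and keeps only the matching cards.
Which value the reader picks at a collision is an implementation choice;
`prefer_one` is an assumption made here for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    label: str
    uid: bytes  # 4-byte single-size UID, as in Type A cascade level 1


def emv_select(cards):
    """EMV policy: proceed only when exactly one card answers.

    Returns ("ok", card), ("no_card", None) or ("collision", None).
    A terminal that honours this never continues the transaction with a
    card it picked out of a collision.
    """
    if len(cards) == 0:
        return ("no_card", None)
    if len(cards) > 1:
        return ("collision", None)
    return ("ok", cards[0])


def uid_bits(uid: bytes):
    """ISO/IEC 14443 Type A sends each byte least-significant bit first;
    return the UID bits in that wire order."""
    return [(byte >> i) & 1 for byte in uid for i in range(8)]


def iso_anticollision(cards, prefer_one=True):
    """ISO/IEC 14443-3 style bit-level arbitration over the UID.

    While all remaining cards agree on a bit it is simply 'known'. At the
    first position where they differ (a collision on the air) the reader
    commits to `prefer_one` and drops the cards that sent the other value.
    Returns (selected_card_or_None, [collision bit positions]); the card is
    None when arbitration cannot separate the cards (identical UIDs).
    """
    remaining = list(cards)
    if not remaining:
        return (None, [])
    chosen_value = 1 if prefer_one else 0
    collisions = []
    nbits = len(uid_bits(remaining[0].uid))
    for pos in range(nbits):
        values = {uid_bits(c.uid)[pos] for c in remaining}
        if len(values) == 1:
            continue  # no collision at this bit
        collisions.append(pos)
        remaining = [c for c in remaining if uid_bits(c.uid)[pos] == chosen_value]
        if len(remaining) == 1:
            break
    if len(remaining) != 1:
        return (None, collisions)  # duplicate UIDs cannot be arbitrated
    return (remaining[0], collisions)


if __name__ == "__main__":
    # Constructed sample UIDs: they share the first three bytes and differ
    # only in the last byte, so the collision occurs late in the loop.
    a = Card("card A", b"\x04\x11\x22\x33")
    b = Card("card B", b"\x04\x11\x22\x35")
    field = [a, b]
    print("EMV policy:", emv_select(field))
    print("ISO policy (prefer 1):", iso_anticollision(field))
    print("ISO policy (prefer 0):", iso_anticollision(field, prefer_one=False))
```

Running the block shows that `emv_select` reports a collision for two cards, while `iso_anticollision` picks card A at bit position 25 when the reader prefers a 1 bit and card B when it prefers a 0 bit. The practical takeaway for terminal vendors is the check the paper's observations say is missing: a payment reader should take the EMV branch (refuse and prompt) rather than silently continuing with whichever device won the arbitration.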
Notes
- 3. For the rest of this paper, unless noted otherwise, by ISO standard we mean ISO/IEC 14443, and by EMV standard we mean the EMV Contactless Specifications.
- 4. In the rest of this paper, unless noted otherwise, by bank card we mean contactless payment card.
Acknowledgement
We would like to thank Dr. Michael Ward from EMV and Digital Devices for his valuable help towards our better understanding of EMV contactless specifications. We would like to thank Dr. Martin Emms and Mr. Ehsan Toreini from Newcastle University for their help on performing the experiments of this work. We also thank all the anonymous reviewers of this paper. All experiments gained approval through Newcastle University’s research ethics processes. Feng Hao was supported by ERC Starting Grant No 306994, Aad van Moorsel was supported by EPSRC grant K006568.
Appendices
A Experiment Results
In this section, we provide the detailed results of our Card and Phone Collision experiment. These results are presented in Table 4.
B EMV and ISO Flowcharts
The collision detection procedure of the EMV specification and the anticollision loop flowchart of the ISO standard are presented in Figs. 5 and 6, respectively.
Copyright information
© 2016 Springer International Publishing AG
Cite this paper
Mehrnezhad, M., Ali, M.A., Hao, F., van Moorsel, A. (2016). NFC Payment Spy: A Privacy Attack on Contactless Payments. In: Chen, L., McGrew, D., Mitchell, C. (eds) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science(), vol 10074. Springer, Cham. https://doi.org/10.1007/978-3-319-49100-4_4
DOI: https://doi.org/10.1007/978-3-319-49100-4_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49099-1
Online ISBN: 978-3-319-49100-4