
Risks of Offline Verify PIN on Contactless Cards

Conference paper, Financial Cryptography and Data Security (FC 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7859)

Abstract

Contactless card payments are being introduced around the world, allowing customers to pay for small purchases by simply placing the card onto the Point of Sale terminal. Contactless transactions do not require verification of the cardholder's PIN. However, our research has found that the redundant verify PIN functionality is present on the most commonly issued contactless credit and debit cards currently in circulation in the UK. This paper presents a plausible attack scenario which exploits contactless verify PIN to give unlimited attempts to guess the cardholder's PIN without their knowledge. It also gives experimental data to demonstrate the practical viability of the attack, as well as references to support our argument that contactless verify PIN is redundant functionality which compromises the security of payment cards and the cardholder.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg


Cite this paper

Emms, M., Arief, B., Little, N., van Moorsel, A. (2013). Risks of Offline Verify PIN on Contactless Cards. In: Sadeghi, AR. (eds) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7859. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39884-1_26


  • DOI: https://doi.org/10.1007/978-3-642-39884-1_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39883-4

  • Online ISBN: 978-3-642-39884-1
