Position Statement in RFID S&P Panel: RFID and the Middleman
Existing bank-card payment systems, such as EMV, have two serious vulnerabilities: the user does not have a trustworthy interface, and the protocols are vulnerable in a number of ways to man-in-the-middle attacks. Moving to RFID payments may, on the one hand, let bank customers use their mobile phones to make payments, which will go a fair way towards fixing the interface problem; on the other hand, protocol vulnerabilities may become worse. By 2011 the NFC vendors hope there will be 500,000,000 NFC-enabled mobile phones in the world. If these devices can act as cards or terminals, can be programmed by their users, and can communicate with each other, then they will provide a platform for deploying all manner of protocol attacks. Designing the security protocols to mitigate such attacks may be difficult. First, it will include most of the hot topics of IT policy over the last ten years (from key escrow through DRM to platform trust and accessory control) as subproblems. Second, the incentives may lead the many players to try to dump the liability on each other, leading to overall system security that is equivalent to the weakest link rather than to sum-of-efforts and is thus suboptimal.
Keywords: Mobile Phone; Credit Card; Message Authentication Code; Bank Customer; Payment Protocol
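The man-in-the-middle (relay) attack the abstract has in mind, and the way a trustworthy interface on a phone-as-card blunts it, as an added example that is not part of the original paper. The model is deliberately simplified and is not EMV: the card shares a key with the issuer and answers a terminal's challenge with an HMAC "cryptogram" over amount, currency and nonce, and the issuer accepts anything that verifies. Nothing in that cryptogram binds the card to the terminal the cardholder believes they are paying, which is what a relay exploits. The key, PAN, amounts and class names are all constructed for the example.

```python
"""Relay attack on a simplified contactless payment protocol (not EMV).

Two attacker phones cooperate: one poses as a card at a real terminal, the
other poses as a terminal in front of the victim, shows a small amount, and
forwards the real terminal's challenge to the victim's genuine card."""
import hashlib
import hmac
import os

CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed card/issuer key
PAN = "4111111111111111"                                      # constructed test PAN


def cryptogram_mac(key, amount, currency, nonce):
    """The only thing the issuer checks: HMAC over amount|currency|nonce."""
    return hmac.new(key, f"{amount}|{currency}|".encode() + nonce, hashlib.sha256).digest()


class Card:
    """Genuine contactless card: answers any reader in range and has no display."""
    def __init__(self, pan, key):
        self.pan, self.key = pan, key

    def cryptogram(self, amount, currency, nonce):
        return self.pan, cryptogram_mac(self.key, amount, currency, nonce)


class PhoneCard(Card):
    """Phone acting as a card: shows the *real* request to its owner before signing."""
    def __init__(self, pan, key, owner_expects):
        super().__init__(pan, key)
        self.owner_expects = owner_expects  # (amount, currency) the owner thinks they are paying

    def cryptogram(self, amount, currency, nonce):
        if (amount, currency) != self.owner_expects:
            raise PermissionError(f"owner declined {amount} {currency}")
        return super().cryptogram(amount, currency, nonce)


class Issuer:
    def __init__(self, keys):
        self.keys = keys  # PAN -> key

    def authorise(self, pan, amount, currency, nonce, cg):
        key = self.keys.get(pan)
        return key is not None and hmac.compare_digest(cg, cryptogram_mac(key, amount, currency, nonce))


class Terminal:
    """Real merchant terminal; it never learns where the card physically is."""
    def __init__(self, issuer):
        self.issuer = issuer

    def charge(self, card, amount, currency="GBP"):
        nonce = os.urandom(8)
        pan, cg = card.cryptogram(amount, currency, nonce)
        return self.issuer.authorise(pan, amount, currency, nonce, cg)


class Relay:
    """Attacker pair: fake card at the real terminal + fake terminal at the victim."""
    def __init__(self, victim_card, displayed_amount):
        self.victim_card, self.displayed_amount, self.log = victim_card, displayed_amount, []

    def cryptogram(self, amount, currency, nonce):
        # The fake terminal's screen shows a small amount; the challenge it
        # forwards to the victim's card carries the real terminal's amount.
        self.log.append(f"victim sees {self.displayed_amount} {currency}, card asked for {amount} {currency}")
        return self.victim_card.cryptogram(amount, currency, nonce)


def run_relay(victim_card, real_amount=500, displayed=5):
    """Returns (authorised_by_issuer, log) for one relayed transaction."""
    terminal = Terminal(Issuer({PAN: CARD_KEY}))
    relay = Relay(victim_card, displayed)
    try:
        return terminal.charge(relay, real_amount), relay.log
    except PermissionError as e:
        return False, relay.log + [str(e)]


def attack_plain_card():
    """Dumb card: the 500 GBP cryptogram verifies, the victim saw 5 GBP."""
    return run_relay(Card(PAN, CARD_KEY))


def attack_phone_card():
    """Phone-as-card with a display: owner expected 5 GBP and declines 500 GBP."""
    return run_relay(PhoneCard(PAN, CARD_KEY, (5, "GBP")))


def honest_phone_payment():
    """Sanity check: the phone-as-card still works when the amount matches."""
    return Terminal(Issuer({PAN: CARD_KEY})).charge(PhoneCard(PAN, CARD_KEY, (5, "GBP")), 5)


if __name__ == "__main__":
    for name, fn in [("plain card", attack_plain_card), ("phone card", attack_phone_card)]:
        ok, log = fn()
        print(f"{name}: issuer authorised={ok}; " + "; ".join(log))
```

The relay succeeds against the plain card because the cryptogram is a message authentication code over transaction data the victim never sees, and the issuer has no way to tell that the card and the terminal are in different shops. Putting the card inside a device with its own display only helps if that display is trustworthy: the same phone platform that gives the victim a screen is what lets the attacker build the two relay endpoints, which is the tension the abstract describes.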