Risks of Offline Verify PIN on Contactless Cards

  • Martin Emms
  • Budi Arief
  • Nicholas Little
  • Aad van Moorsel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7859)


Contactless card payments are being introduced around the world allowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Contactless transactions do not require verification of the cardholder’s PIN. However our research has found the redundant verify PIN functionality is present on the most commonly issued contactless credit and debit cards currently in circulation in the UK. This paper presents a plausible attack scenario which exploits contactless verify PIN to give unlimited attempts to guess the cardholder’s PIN without their knowledge. It also gives experimental data to demonstrate the practical viability of the attack as well as references to support our argument that contactless verify PIN is redundant functionality which compromises the security of payment cards and the cardholder.


Contactless Payments Verify PIN NFC EMV Chip & PIN Credit Card Debit Card Card Payment 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Advanced Card Systems: ACR122U NFC Reader Application Programming Interface (2011), (accessed January 29, 2013)
  2. 2.
    Bonneau, J., Preibusch, S., Anderson, R.: A birthday present every eleven wallets? The security of customer-chosen banking PINs. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 25–40. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  3. 3.
    Choudary, O.S.: The Smart Card Detective: a hand-held EMV interceptor, Cambridge (2010)Google Scholar
  4. 4.
    Drimer, S., Murdoch, S.: Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks. In: USENIX Security Symposium (2006)Google Scholar
  5. 5.
    EMVCo. EMV Specifications for Payment Systems, Books 1,2,3 and 4, Version 4.3 (2011)Google Scholar
  6. 6.
    EMVCo. EMV Contactless Specifications for Payment Systems, Books A,B,C-1,C-2,C-3,C-4 and D, Version 2.2 (2012)Google Scholar
  7. 7.
    Emms, M.: Practical Attack on Contactless Payment Cards. In: HCI 2011 Workshop - Heath, Wealth and Identity Theft (2011)Google Scholar
  8. 8.
    Francis, L., Hancke, G., Mayes, K., Markantonakis, K.: Potential Misuse of NFC Enabled Mobile Phones with Embedded Security Elements as Contactless Attack Platforms. In: International Conference for Internet Technology and Secured Transactions (2009)Google Scholar
  9. 9.
    Francis, L., Hancke, G., Mayes, K., Markantonakis, K.: Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones (2011)Google Scholar
  10. 10.
    MasterCard: PayPass - M/Chip Acquirer Implementation Requirements (2006)Google Scholar
  11. 11.
    Murdoch, S., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is Broken. In: IEEE Symposium on Security and Privacy (2010)Google Scholar
  12. 12.
    NXP PN532 User Manual (2007), (accessed January 29, 2013)
  13. 13.
  14. 14.
    Willey, G.: PIN Number burglar used victims’ card. Newcastle Evening Chronicle (April 27, 2012)Google Scholar
  15. 15.
    Worldwide EMV Deployment (2011), (accessed January 29, 2013)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Martin Emms
    • 1
  • Budi Arief
    • 1
  • Nicholas Little
    • 1
  • Aad van Moorsel
    • 1
  1. 1.School of Computing ScienceNewcastle UniversityNewcastle upon TyneUK

Personalised recommendations