NFC Payment Spy: A Privacy Attack on Contactless Payments

  • Maryam Mehrnezhad
  • Mohammed Aamir Ali
  • Feng Hao
  • Aad van Moorsel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10074)

Abstract

In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and that instead it should notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card based on comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice does not follow EMV’s card collision algorithm, nor does it match the card collision procedure specified in ISO.

Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user’s privacy by collecting the user’s payment details. We design and implement a malicious app simulating an NFC card which the user needs to install on her phone. When she pays contactlessly with her card held close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a card), it proceeds with the EMV protocol. We show the app can retrieve from the terminal the transaction data, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race condition caused by card collisions in around 66 % of the trials when testing with different cards. By presenting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.
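To make the two collision rules contrasted in the abstract concrete, the following Python simulation is an added example, not code from the paper or its authors: it models ISO/IEC 14443-3 Type A bit-frame anticollision for single-size UIDs (cascade level 1 only), the EMV rule of stopping when more than one card is in the field, and a check of which rule an observed reader's behaviour matches. The UIDs, the reader's choice of bit value 1 at a collision and all function names are assumptions for illustration.

```python
from typing import List, Optional

def bcc(uid: bytes) -> int:  # block check character the PICC appends to UID CL1
    return uid[0] ^ uid[1] ^ uid[2] ^ uid[3]

def to_bits(frame: bytes) -> List[int]:
    """Type A transmits every byte least-significant bit first."""
    return [(b >> i) & 1 for b in frame for i in range(8)]

def iso14443_anticollision(uids: List[bytes], prefer_one: bool = True) -> Optional[bytes]:
    """ISO 14443-3 bit-frame anticollision, cascade level 1 (4-byte UID + BCC = 40 bits).
    Every PICC answers ANTICOLLISION with UID||BCC; at the first bit where replies differ
    the PCD sees a collision, fixes that bit (1 here; the standard allows either choice) and
    repeats with the longer known prefix. Returns the UID left standing, or None if empty."""
    remaining = [(u, to_bits(u + bytes([bcc(u)]))) for u in uids]
    prefix: List[int] = []
    while len(remaining) > 1:
        frames = [f for _, f in remaining]
        pos = len(prefix)
        while pos < 40 and all(f[pos] == frames[0][pos] for f in frames):
            prefix.append(frames[0][pos])
            pos += 1
        if pos == 40:  # identical UIDs (e.g. a clone): no bit can separate them
            raise ValueError("two PICCs answered with the same UID")
        prefix.append(1 if prefer_one else 0)
        remaining = [(u, f) for u, f in remaining if f[:len(prefix)] == prefix]
    return remaining[0][0] if remaining else None

def emv_collision_policy(uids: List[bytes]) -> str:
    """EMV contactless rule as the abstract states it: more than one card in the field
    is a collision, so the reader must not proceed and must notify the payer."""
    if not uids:
        return "no card"
    return "collision: present one card only" if len(uids) > 1 else "proceed"

def classify_reader(uids: List[bytes], proceeded: bool, selected: Optional[bytes]) -> str:
    """Compare an observed reaction to a multi-card field against both standards."""
    if len(uids) > 1 and not proceeded:
        return "EMV: aborted on collision"
    iso_picks = {iso14443_anticollision(uids, True), iso14443_anticollision(uids, False)}
    if proceeded and selected in iso_picks:
        return "ISO 14443-3: selected by UID anticollision"
    return "neither: proceeded with a card the ISO procedure would not select"

# Constructed sample field: two bank cards plus a phone emulating a card (0x08 random UID).
CARD_A = bytes([0x04, 0x11, 0x22, 0x33])
CARD_B = bytes([0x04, 0x11, 0x22, 0x34])
PHONE = bytes([0x08, 0xAA, 0xBB, 0xCC])
```

A reader that reports a collision and still completes a transaction with a card the ISO procedure would not have picked lands in the "neither" case, which is the inconsistency the abstract describes.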

Keywords

NFC payment, NFC phone, Contactless payment, Privacy attack, EMV, Card collision

Notes

Acknowledgement

We would like to thank Dr. Michael Ward from EMV and Digital Devices for his valuable help towards our better understanding of EMV contactless specifications. We would like to thank Dr. Martin Emms and Mr. Ehsan Toreini from Newcastle University for their help on performing the experiments of this work. We also thank all the anonymous reviewers of this paper. All experiments gained approval through Newcastle University’s research ethics processes. Feng Hao was supported by ERC Starting Grant No 306994, Aad van Moorsel was supported by EPSRC grant K006568.


Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Maryam Mehrnezhad (1)
  • Mohammed Aamir Ali (1)
  • Feng Hao (1)
  • Aad van Moorsel (1)
  1. School of Computing Science, Newcastle University, Newcastle upon Tyne, UK