Abstract
The EMV contactless payment system has many independent parties: payment providers, smartphone companies, banks and regulators. EMVCo publishes a 15 book specification that these companies use to operate together. However, many of these parties have independently added additional features, such as Square restricting offline readers to phone transactions only, Apple, Google and Samsung implementing transit modes and Visa and Mastercard complying with regional regulations on high value contactless payments. We investigate these features and find that these parties have been independently retrofitting and overloading the core EMV specification. Subtle interactions and mismatches between the different companies' additions lead to a range of vulnerabilities, making it possible to bypass restrictions to smartphone only payments, make unauthenticated high value transactions offline, and use a cloned card to make a £25000 transaction offline. To find fixes, we build formal models of the EMV protocol with the new features we investigated and test different possible solutions. We have engaged with EMV stakeholders and worked with the company Square to implement these fixes.
| Original language | English |
|---|---|
| Title of host publication | USENIX Security '25 |
| Publisher | USENIX Association |
| Publication status | Accepted/In press - 31 Jan 2025 |
| Event | 34th USENIX Security Symposium - Seattle Convention Center, Seattle, United States Duration: 13 Aug 2025 → 15 Aug 2025 https://www.usenix.org/conference/usenixsecurity25 |
Publication series
| Name | USENIX Conference Proceedings |
|---|---|
| Publisher | USENIX Association |
| ISSN (Print) | 1049-5606 |
Conference
| Conference | 34th USENIX Security Symposium |
|---|---|
| Abbreviated title | USENIX Security '25 |
| Country/Territory | United States |
| City | Seattle |
| Period | 13/08/25 → 15/08/25 |
| Internet address |