Nfc payment spy: A privacy attack on contactless payments

Maryam Mehrnezhad; Mohammed Aamir Ali; Feng Hao; Aad van Moorsel

doi:10.1007/978-3-319-49100-4_4

Nfc payment spy: A privacy attack on contactless payments

Maryam Mehrnezhad^*
, Mohammed Aamir Ali
, Feng Hao
, Aad van Moorsel

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and that instead it should notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card based on comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice does not follow EMV’s card collision algorithm, nor does it match the card collision procedure specified in ISO. Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user’s privacy by collecting the user's payment details. We design and implement a malicious app simulating an NFC card which the user needs to install on her phone. When she aims to pay contactlessly while placing her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a card), it proceeds with the EMV protocol. We show the app can retrieve from the terminal the transaction data, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race condition caused by card collisions around 66% when testing with different cards. By suggesting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.

Original language	English
Title of host publication	Security Standardisation Research - 3rd International Conference, SSR 2016, Proceedings
Editors	David McGrew, Chris Mitchell, Lidong Chen
Publisher	Springer Verlag
Pages	92-111
Number of pages	20
ISBN (Print)	9783319490991
DOIs	https://doi.org/10.1007/978-3-319-49100-4_4
Publication status	Published - 2016
Event	3rd International Conference on Security Standardisation Research, SSR 2016 - Gaithersburg, United States Duration: 5 Dec 2016 → 6 Dec 2016

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10074 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	3rd International Conference on Security Standardisation Research, SSR 2016
Country/Territory	United States
City	Gaithersburg
Period	5/12/16 → 6/12/16

Bibliographical note

Publisher Copyright:
© Springer International Publishing AG 2016.

Keywords

Card collision
Contactless payment
EMV
NFC payment
NFC phone
Privacy attack

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-319-49100-4_4

Cite this

Mehrnezhad, M., Ali, M. A., Hao, F., & van Moorsel, A. (2016). Nfc payment spy: A privacy attack on contactless payments. In D. McGrew, C. Mitchell, & L. Chen (Eds.), Security Standardisation Research - 3rd International Conference, SSR 2016, Proceedings (pp. 92-111). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10074 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-49100-4_4

Mehrnezhad, Maryam ; Ali, Mohammed Aamir ; Hao, Feng et al. / Nfc payment spy : A privacy attack on contactless payments. Security Standardisation Research - 3rd International Conference, SSR 2016, Proceedings. editor / David McGrew ; Chris Mitchell ; Lidong Chen. Springer Verlag, 2016. pp. 92-111 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{42621c16da07416cb2bca2d16282303a,

title = "Nfc payment spy: A privacy attack on contactless payments",

abstract = "In a contactless transaction, when more than one card is presented to the payment terminal{\textquoteright}s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and that instead it should notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card based on comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice does not follow EMV{\textquoteright}s card collision algorithm, nor does it match the card collision procedure specified in ISO. Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user{\textquoteright}s privacy by collecting the user's payment details. We design and implement a malicious app simulating an NFC card which the user needs to install on her phone. When she aims to pay contactlessly while placing her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a card), it proceeds with the EMV protocol. We show the app can retrieve from the terminal the transaction data, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race condition caused by card collisions around 66\% when testing with different cards. By suggesting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.",

keywords = "Card collision, Contactless payment, EMV, NFC payment, NFC phone, Privacy attack",

author = "Maryam Mehrnezhad and Ali, \{Mohammed Aamir\} and Feng Hao and \{van Moorsel\}, Aad",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing AG 2016.; 3rd International Conference on Security Standardisation Research, SSR 2016 ; Conference date: 05-12-2016 Through 06-12-2016",

year = "2016",

doi = "10.1007/978-3-319-49100-4\_4",

language = "English",

isbn = "9783319490991",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "92--111",

editor = "David McGrew and Chris Mitchell and Lidong Chen",

booktitle = "Security Standardisation Research - 3rd International Conference, SSR 2016, Proceedings",

}

Mehrnezhad, M, Ali, MA, Hao, F & van Moorsel, A 2016, Nfc payment spy: A privacy attack on contactless payments. in D McGrew, C Mitchell & L Chen (eds), Security Standardisation Research - 3rd International Conference, SSR 2016, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10074 LNCS, Springer Verlag, pp. 92-111, 3rd International Conference on Security Standardisation Research, SSR 2016, Gaithersburg, United States, 5/12/16. https://doi.org/10.1007/978-3-319-49100-4_4

Nfc payment spy: A privacy attack on contactless payments. / Mehrnezhad, Maryam; Ali, Mohammed Aamir; Hao, Feng et al.
Security Standardisation Research - 3rd International Conference, SSR 2016, Proceedings. ed. / David McGrew; Chris Mitchell; Lidong Chen. Springer Verlag, 2016. p. 92-111 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10074 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Nfc payment spy

T2 - 3rd International Conference on Security Standardisation Research, SSR 2016

AU - Mehrnezhad, Maryam

AU - Ali, Mohammed Aamir

AU - Hao, Feng

AU - van Moorsel, Aad

N1 - Publisher Copyright: © Springer International Publishing AG 2016.

PY - 2016

Y1 - 2016

N2 - In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and that instead it should notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card based on comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice does not follow EMV’s card collision algorithm, nor does it match the card collision procedure specified in ISO. Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user’s privacy by collecting the user's payment details. We design and implement a malicious app simulating an NFC card which the user needs to install on her phone. When she aims to pay contactlessly while placing her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a card), it proceeds with the EMV protocol. We show the app can retrieve from the terminal the transaction data, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race condition caused by card collisions around 66% when testing with different cards. By suggesting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.

AB - In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and that instead it should notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card based on comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice does not follow EMV’s card collision algorithm, nor does it match the card collision procedure specified in ISO. Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user’s privacy by collecting the user's payment details. We design and implement a malicious app simulating an NFC card which the user needs to install on her phone. When she aims to pay contactlessly while placing her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a card), it proceeds with the EMV protocol. We show the app can retrieve from the terminal the transaction data, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race condition caused by card collisions around 66% when testing with different cards. By suggesting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.

KW - Card collision

KW - Contactless payment

KW - EMV

KW - NFC payment

KW - NFC phone

KW - Privacy attack

UR - https://www.scopus.com/pages/publications/85007079666

U2 - 10.1007/978-3-319-49100-4_4

DO - 10.1007/978-3-319-49100-4_4

M3 - Conference contribution

AN - SCOPUS:85007079666

SN - 9783319490991

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 92

EP - 111

BT - Security Standardisation Research - 3rd International Conference, SSR 2016, Proceedings

A2 - McGrew, David

A2 - Mitchell, Chris

A2 - Chen, Lidong

PB - Springer Verlag

Y2 - 5 December 2016 through 6 December 2016

ER -

Mehrnezhad M, Ali MA, Hao F, van Moorsel A. Nfc payment spy: A privacy attack on contactless payments. In McGrew D, Mitchell C, Chen L, editors, Security Standardisation Research - 3rd International Conference, SSR 2016, Proceedings. Springer Verlag. 2016. p. 92-111. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-49100-4_4

Nfc payment spy: A privacy attack on contactless payments

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this