Abstract
Relay attackers can forward messages between a contactless EMV bank card and a shop reader, making it possible to wirelessly pickpocket money. To protect against this, Apple Pay requires a user's fingerprint or Face ID to authorise payments, while Mastercard and Visa have proposed protocols to stop such relay attacks. We investigate transport payment modes and find that we can build on relaying to bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone to any EMV reader, for any amount, without user authorisation. We show that Visa's proposed relay-countermeasure can be bypassed using rooted smart phones. We analyse Mastercard's relay protection, and show that its timing bounds could be more reliably imposed at the ISO 14443 protocol level, rather than at the EMV protocol level. With these insights, we propose a new relay-resistance protocol (L1RP) for EMV. We use the Tamarin prover to model mobile-phone payments with and without user authentication, and in different payment modes. We formally verify solutions to our attack suggested by Apple and Visa, and used by Samsung, and we verify that our proposed protocol provides protection from relay attacks.
Original language | English |
---|---|
Title of host publication | Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022 |
Publisher | Institute of Electrical and Electronics Engineers (IEEE) |
Pages | 1737-1756 |
Number of pages | 20 |
ISBN (Electronic) | 9781665413169 |
ISBN (Print) | 9781665413176 (PoD) |
DOIs | |
Publication status | Published - 27 Jul 2022 |
Event | 43rd IEEE Symposium on Security and Privacy, SP 2022 - San Francisco, United States Duration: 23 May 2022 → 26 May 2022 |
Publication series
Name | Proceedings - IEEE Symposium on Security and Privacy |
---|---|
Publisher | IEEE |
ISSN (Print) | 1081-6011 |
ISSN (Electronic) | 2375-1207 |
Conference
Conference | 43rd IEEE Symposium on Security and Privacy, SP 2022 |
---|---|
Country/Territory | United States |
City | San Francisco |
Period | 23/05/22 → 26/05/22 |
Bibliographical note
Funding Information:This work is part of the "TimeTrust" project, funded the UK s National Cyber Security Centre (NCSC). We thank Mastercard UK and Visa Research for providing useful insights and feedback.
Publisher Copyright:
© 2022 IEEE.
Keywords
- Privacy
- Protocols
- Protective relaying
- Authentication
- Credit cards
- Timing
- Security
ASJC Scopus subject areas
- Safety, Risk, Reliability and Quality
- Software
- Computer Networks and Communications