Abstract
It is possible to relay signals between a contactless EMV card and a shop's EMV reader and so make a fraudulent payment without the card-owner's knowledge. Existing countermeasures rely on proximity checking: the reader will measure round trip times in message exchanges, and rejects replies that take longer than expected (which suggests they have been relayed). However, it is the reader that would receive the illicit payment from any relayed transaction, so a rogue reader has little incentive to enforce the required checks. Furthermore, cases of malware targeting point-of-sale systems are common. We propose three novel proximity-checking protocols that use a trusted platform module (TPM) to ensure that the reader performs the time measurements correctly. After running one of our proposed protocols, the bank can be sure that the card and reader were in close proximity, even if the reader tries to subvert the protocol. Our first protocol makes changes to the cards and readers, our second protocol modifies the readers and the banking backend, and our third protocol allows the detection of relay attacks, after they have happened, with only changes to the readers.
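The abstract's core point is that a round-trip-time check is worthless if the party doing the timing (the reader) is the one who profits from skipping it, so the measurement has to be attested to the bank by something the reader cannot fake. The simulation below is an added illustration of that idea and is not the paper's protocol or code: it uses a simulated clock so latencies are deterministic, an HMAC under a hypothetical `TPM_ATTEST_KEY` as a stand-in for a TPM-held signing key (a real design would use a TPM quote or signature over the timing record), a constructed `CARD_KEY` shared between card and issuing bank, and a made-up `RTT_LIMIT_US` bound. It shows a genuine exchange being accepted, a relayed exchange being rejected on timing, and a reader that edits its own measurement being rejected because the attestation no longer matches.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed demo keys and bound (hypothetical; not values from the paper).
CARD_KEY = b"demo-card-key"                 # shared between card and issuing bank
TPM_ATTEST_KEY = b"demo-tpm-attestation-key"  # stand-in for a TPM-held signing key
RTT_LIMIT_US = 150                          # assumed max round trip for a card in the field


class SimClock:
    """Deterministic microsecond clock so the example runs the same way every time."""
    def __init__(self):
        self.now_us = 0

    def advance(self, us):
        self.now_us += us


class Card:
    """Contactless card: answers a fresh nonce with a MAC under its key."""
    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(CARD_KEY, nonce, hashlib.sha256).digest()


class Channel:
    """Radio path between reader and card; a relay adds extra one-way latency."""
    def __init__(self, card: Card, one_way_us: int, relay_extra_us: int = 0):
        self.card = card
        self.one_way_us = one_way_us + relay_extra_us

    def exchange(self, clock: SimClock, nonce: bytes) -> bytes:
        clock.advance(self.one_way_us)          # challenge travels to the card
        response = self.card.respond(nonce)
        clock.advance(self.one_way_us)          # response travels back
        return response


@dataclass
class TimingRecord:
    nonce: bytes
    response: bytes
    rtt_us: int

    def payload(self) -> bytes:
        return self.nonce + self.response + self.rtt_us.to_bytes(4, "big")


def tpm_attest(record: TimingRecord) -> bytes:
    """Stand-in for a TPM signing the timing record; reader software cannot forge it."""
    return hmac.new(TPM_ATTEST_KEY, record.payload(), hashlib.sha256).digest()


class Reader:
    def __init__(self, clock: SimClock):
        self.clock = clock

    def run(self, channel: Channel):
        nonce = secrets.token_bytes(16)
        start = self.clock.now_us
        response = channel.exchange(self.clock, nonce)
        record = TimingRecord(nonce, response, self.clock.now_us - start)
        return record, tpm_attest(record)


def bank_verify(record: TimingRecord, attestation: bytes) -> str:
    """The bank, not the reader, decides: it checks the attested timing and the card MAC."""
    if not hmac.compare_digest(attestation, tpm_attest(record)):
        return "reject: attestation invalid"
    expected = hmac.new(CARD_KEY, record.nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record.response):
        return "reject: card response invalid"
    if record.rtt_us > RTT_LIMIT_US:
        return "reject: round trip too slow (possible relay)"
    return "accept"


def run_scenario(relay_extra_us: int) -> str:
    """Genuine exchange when relay_extra_us == 0; relayed exchange otherwise."""
    clock = SimClock()
    channel = Channel(Card(), one_way_us=20, relay_extra_us=relay_extra_us)
    record, attestation = Reader(clock).run(channel)
    return bank_verify(record, attestation)


def tampered_scenario() -> str:
    """A rogue reader relays the card but rewrites the measured RTT before sending it on."""
    clock = SimClock()
    record, attestation = Reader(clock).run(Channel(Card(), 20, relay_extra_us=400))
    forged = TimingRecord(record.nonce, record.response, rtt_us=40)
    return bank_verify(forged, attestation)   # attestation covers the real RTT


if __name__ == "__main__":
    print("genuine :", run_scenario(0))
    print("relayed :", run_scenario(400))
    print("tampered:", tampered_scenario())
```

The bank only trusts a round-trip figure that arrives under the attestation key, so a reader that skips the check, or edits the number, gains nothing; what the reader can still do is refuse to run the protocol at all, which the bank treats as a missing proximity proof rather than a passed one.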
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Proceedings of the 23rd International Conference on Financial Cryptography and Data Security (FC'19) |
| Number of pages | 10 |
| Publication status | Published - 22 Feb 2019 |
| Event | 23rd International Conference on Financial Cryptography and Data Security (FC'19) - St. Kitts, Saint Kitts and Nevis. Duration: 18 Feb 2019 → 22 Feb 2019 |
Conference
| Field | Value |
|---|---|
| Conference | 23rd International Conference on Financial Cryptography and Data Security (FC'19) |
| Country/Territory | Saint Kitts and Nevis |
| City | St. Kitts |
| Period | 18/02/19 → 22/02/19 |