Abstract
It is possible to relay signals between a contactless EMV card and a shop’s EMV reader and so make a fraudulent payment without the card-owner’s knowledge. Existing countermeasures rely on proximity checking: the reader will measure round trip times in message-exchanges, and will reject replies that take longer than expected (which suggests they have been relayed). However, it is the reader that would receive the illicit payment from any relayed transaction, so a rogue reader has little incentive to enforce the required checks. Furthermore, cases of malware targeting point-of-sales systems are common. We propose three novel proximity-checking protocols that use a trusted platform module (TPM) to ensure that the reader performs the time-measurements correctly. After running one of our proposed protocols, the bank can be sure that the card and reader were in close proximity, even if the reader tries to subvert the protocol. Our first protocol makes changes to the cards and readers, our second modifies the readers and the banking backend, and our third allows the detection of relay attacks, after they have happened, with only changes to the readers.
Original language | English |
---|---|
Title of host publication | Financial Cryptography and Data Security |
Subtitle of host publication | 23rd International Conference, FC 2019, Revised Selected Papers |
Editors | Ian Goldberg, Tyler Moore |
Publisher | Springer |
Pages | 222-233 |
Number of pages | 12 |
ISBN (Electronic) | 9783030321017 |
ISBN (Print) | 9783030321000 |
DOIs | |
Publication status | Published - 30 Sept 2019 |
Event | 23rd International Conference on Financial Cryptography and Data Security, FC 2019 - St. Kitts, Saint Kitts and Nevis Duration: 18 Feb 2019 → 22 Feb 2019 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
Volume | 11598 |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 23rd International Conference on Financial Cryptography and Data Security, FC 2019 |
---|---|
Country/Territory | Saint Kitts and Nevis |
City | St. Kitts |
Period | 18/02/19 → 22/02/19 |
Bibliographical note
Funding Information:Acknowledgments. The authors acknowledge the support of the NCSC-funded “TimeTrust” project. The authors also thank all anonymous reviewers, as well as Urs Hengartner for helpful comments. Also, Ioana Boureanu thanks Anda Anda for interesting discussions on this topic.
Publisher Copyright:
© 2019, International Financial Cryptography Association.
ASJC Scopus subject areas
- Theoretical Computer Science
- General Computer Science