Abstract. The Unifying Theories of Programming (UTP) is a mathematical framework to define, examine and link program semantics for a large variety of computational paradigms. Several mechanisations of the UTP in HOL theorem provers have been developed. All of them, however, succumb to a trade off in how they encode the value model of UTP theories. A deep and unified value model via a universal (data)type incurs restrictions on permissible value types and adds complexity; a value model directly instantiating HOL types for UTP values retains simplicity, but sacrifices expressiveness, since we lose the ability to compositionally reason about alphabets and theories. We here propose an alternative solution that axiomatises the value model and retains the advantages of both approaches. We carefully craft a definitional mechanism in the Isabelle/HOL prover that guarantees soundness.
In this paper we present an attack, which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder's PIN when the transaction is carried out in a foreign currency. For example, we have found that Visa credit cards will approve foreign currency transactions for any amount up to €999,999.99 without the cardholder's PIN, this side-steps the £20 contactless transaction limit in the UK. This paper outlines our analysis methodology that identified the flaw in the EMV protocol, and presents a scenario in which fraudulent transaction details are transmitted over the Internet to a "rogue merchant" who then uses the transaction data to take money from the victim's account. In reality, the criminals would choose a value between €100 and €200, which is low enough to be within the victim's balance and not to raise suspicion, but high enough to make each attack worthwhile. The attack is novel in that it could be operated on a large scale with multiple attackers collecting fraudulent transactions for a central rogue merchant which can be located anywhere in the world where EMV payments are accepted.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.