Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards Without the PIN

Emms, Martin; Arief, Budi; Freitas, Leo; Hannon, J; Moorsel, Aad van

doi:10.1145/2660267.2660312

Cited by 22 publications

(17 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore the attacker will have more opportunities to perform the attack and it will be less clear for the user that anything is going on. That such attacks are possible using cheap hardware, namely mobile phones, has been demonstrated in, for example, [17,11,12,20].…”

Section: Introductionmentioning

confidence: 99%

Relay Cost Bounding for Contactless EMV Payments

Chothia

Garcia

Ruiter

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper looks at relay attacks against contactless payment cards, which could be used to wirelessly pickpocket money from victims. We discuss the two leading contactless EMV payment protocols (Visa's payWave and MasterCard's PayPass). Stopping a relay attack against cards using these protocols is hard: either the overhead of the communication is low compared to the (cryptographic) computation by the card or the messages can be cached before they are requested by the terminal. We propose a solution that fits within the EMV Contactless specification to make a payment protocol that is resistant to relay attacks from commercial off-the-shelf devices, such as mobile phones. This solution does not require significant changes to the cards and can easily be added to existing terminals. To prove that our protocol really does stop relay attacks, we develop a new method of automatically checking defences against relay attacks using the applied pi-calculus and the tool ProVerif.

show abstract

Section: Introductionmentioning

confidence: 99%

Relay Cost Bounding for Contactless EMV Payments

Chothia

Garcia

Ruiter

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…From the banking sector's point of view, this time limit will be reduced gradually to 400ms from 2016 onward [14,17,18]. For transport-related transactions, the performance requirements are stricter, where transaction times should not exceed 300ms [18,19].…”

Section: Operational Environmentmentioning

confidence: 99%

The Applicability of Ambient Sensors as Proximity Evidence for NFC Transactions

Shepherd¹,

Gurulian²,

Frank

et al. 2017

2017 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

Abstract-Near Field Communication (NFC) has enabled mobile phones to emulate contactless smart cards. Similar to contactless smart cards, they are also susceptible to relay attacks. To counter these, a number of methods have been proposed that rely primarily on ambient sensors as a proximity detection mechanism (also known as an anti-relay mechanism). In this paper, we empirically evaluate a comprehensive set of ambient sensors for their effectiveness as a proximity detection mechanism for NFC contactless-based applications like banking, transport and high-security access controls. We selected 17 sensors available via the Google Android platform. Each sensor, where feasible, was used to record the measurements of 1,000 contactless transactions at four different physical locations. A total of 252 users, a random sample from the university student population, were involved during the field trials. After careful analysis, we conclude that no single evaluated mobile ambient sensor is suitable for proximity detection in NFC-based contactless applications in realistic deployment scenarios. Lastly, we identify a number of potential avenues that may improve their effectiveness.

show abstract

“…In principle, payment protocols are designed to be secure, with adequate and effective cryptographic methods employed to ensure confidentiality, integrity, authentication, identification, etc. In practice, relevant attacks [9,17,19,18] still occur in the industry, with financial fraud related to payment systems rising in the last few years: for example, in the UK, there has been a 80 percent increase in value of losses between 2011 and 2016, when the fraud losses were £618 million [24].…”

Section: Introductionmentioning

confidence: 99%

“…The discovery in [39] allows attackers to buy goods from retailers, whereas the discovery in [9] allows attackers to extract money from the victim's account. Relay attacks [17,18] allow fraudulent transactions to be collected from contactless cards without the knowledge of the cardholder. In the area of formal methods, the first comprehensive formal description of EMV [15] used an F# model translated to Applied-pi [6], in order to make it amenable for analysis with the ProVerif verifier [7].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Methodology for Protocol Verification Applied to EMV® 1

Freitas

Modesti

Emms

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The EMVCo 3 organisation (i.e. MasterCard, Visa, etc.) protocols facilitate worldwide interoperability of secure electronic payments. Despite recent advances, it has proved difficult for academia to provide an acceptable solution to construction of secure applications within industry's constraints. In this paper, we describe a methodology we have applied to EMV1. It involves domain specific languages and verification tools targeting different analysis of interest. We are currently collaborating with EMVCo on their upcoming EMV R 2 nd Generation (EMV2) specifications.

show abstract

Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards Without the PIN

Cited by 22 publications

References 4 publications

Relay Cost Bounding for Contactless EMV Payments

Relay Cost Bounding for Contactless EMV Payments

The Applicability of Ambient Sensors as Proximity Evidence for NFC Transactions

A Methodology for Protocol Verification Applied to EMV® 1

Contact Info

Product

Resources

About