Newcastle University author(s): Dr Maryam Mehrnezhad, Professor Feng Hao, Professor Aad van Moorsel
In a contactless transaction, when more than one card is presented to the payment terminal's field, the terminal does not know which card to select to proceed with the transaction. This situation is called card collision. EMV (the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and should instead notify the payer. In contrast, the ISO/IEC 14443 standard specifies that the reader should select one card by comparing the UIDs of the cards detected in the field. However, our observations show that contactless readers in practice follow neither EMV's card collision algorithm nor the card collision procedure specified in ISO/IEC 14443. Due to this inconsistency between the implementations and the standards, we show an attack that may compromise the user's privacy by collecting the user's payment details. We design and implement a malicious app that simulates an NFC card and that the user needs to install on her phone. When she attempts to pay contactlessly while holding her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a second card), it proceeds with the EMV protocol. We show that the app can retrieve the transaction data from the terminal, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race condition caused by card collisions in around 66% of trials when tested with different cards. By presenting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.
Author(s): Mehrnezhad M, Ali MA, Hao F, van Moorsel A
Publication type: Conference Proceedings (inc. Abstract)
Publication status: Published
Conference Name: Security Standardisation Research, SSR 2016
Year of Conference: 2016
Print publication date: 01/01/2016
Online publication date: 02/11/2016
Acceptance date: 02/04/2016
Publisher: Springer International Publishing
Series Title: Lecture notes in computer science