Browse by author
Lookup NU author(s): Dr Martin Emms, Dr Leonardus Arief, Fei Hao, Professor Aad van Moorsel
Contactless / Near Field Communication (NFC) card payments are being introduced around the world, allowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Although the terminal needs to be able to verify a PIN, it is not clear if such PIN verification features should be available on the NFC card itself. We show that contactless Visa payment cards have (largely redundant) functionality, Verify PIN, which makes them vulnerable to new forms of wireless attack. Based on careful examination of the Europay, MasterCard and Visa (EMV) protocol and experiments with the Visa fast Dynamic Data Authentication transaction protocol, we provide a set of building blocks for possible attacks. These building blocks are data skimming, Verify PIN and transaction relay, which we implement and experiment with. Based on these building blocks, we propose a number of realistic attacks, including a denial-of-service attack and a newly developed realistic PIN guessing attack. The conclusion of our work is that implementing Verify PIN functionality on NFC cards has no demonstrated benefits and opens up new avenues of attack.
Author(s): Emms M, Arief B, Defty T, Hannon J, Hao F, van Moorsel A
Publication type: Report
Publication status: Published
Series Title: School of Computing Science Technical Report Series
Year: 2012
Pages: 14
Print publication date: 01/05/2012
Source Publication Date: May 2012
Report Number: 1332
Institution: Newcastle University
Place Published: Newcastle upon Tyne
URL: http://www.cs.ncl.ac.uk/publications/trs/papers/1332.pdf