contactless payment cards vulnerabilities attacks and
play

Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions - PowerPoint PPT Presentation

Aug 26, 2023 •445 likes •1.83k views

Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions Dr. Ricardo J. Rodr guez All wrongs reversed rjrodriguez@unizar.es @RicardoJRdez www.ricardojrodriguez.es Department of Computer Science and Systems Engineering

  1. NFC security threats Eavesdropping Secure communication as solution Data modification (i.e., alteration, insertion, or destruction) Feasible in theory (but requires quite advanced RF knowledge) Relays Forwarding of wireless communication R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 18 / 78

  2. NFC security threats Eavesdropping Secure communication as solution Data modification (i.e., alteration, insertion, or destruction) Feasible in theory (but requires quite advanced RF knowledge) Relays Forwarding of wireless communication Types: passive (just forwards); and active (forwards and alters the data) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 18 / 78

  3. NFC security threats Eavesdropping Secure communication as solution Data modification (i.e., alteration, insertion, or destruction) Feasible in theory (but requires quite advanced RF knowledge) Relays Forwarding of wireless communication Types: passive (just forwards); and active (forwards and alters the data) Herein, we focus on eavesdropping and relay threats R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 18 / 78

  4. ISO/IEC 14443 (I) Identification cards – Contactless integrated circuit cards – Proximity cards ISO/IEC 14443 standard Four-part international standard for contactless smartcards Size, physical characteristics, etc. 1 RF power and signalling schemes 2 (Type A & B) Half-duplex, 106 kbps rate Initialization + anticollision protocol 3 Data transmission protocol 4 IsoDep cards: compliant with the four parts Example: contactless payment cards R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 19 / 78

  5. ISO/IEC 14443 (II) ISO/IEC 7816 Fifteen-part international standard related to contacted integrated circuit cards, especially smartcards Application Protocol Data Units (APDUs) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 20 / 78

  6. ISO/IEC 14443 (II) ISO/IEC 7816 Fifteen-part international standard related to contacted integrated circuit cards, especially smartcards Application Protocol Data Units (APDUs) SELECT command: AID (App. ID, printed in the card) RID (Registered Application Provider Identifier): 5B PIX (Proprietary Identifier Extension): To distinguish apps R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 20 / 78

  7. ISO/IEC 14443 (III) Selection and anti-collision protocol (ISO 14443-3A) PCD PICC 1: REQA 1.1: ATQA loop [UID not complete] 2: SELECT 2.1: SAK opt [UID complete, PICC compliant to ISO/IEC 14443-4] ref ISO/IEC 14443-4 R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 21 / 78

  8. ISO/IEC 14443 (IV) Transmission protocol – preamble (ISO 14443-4) PCD PICC ref ISO/IEC 14443-3 1: RATS 1.1: ATS alt [PPS supported] opt [Parameter change] 2: PPS request 2.1: PPS response R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 22 / 78

  9. ISO/IEC 14443 (V) IsoDep cards: Compliant with 4 parts of the ISO/IEC 14443 But this is not a requirement. . . MIFARE Classic: Fulfills ISO/IEC 14443-1, ISO/IEC 14443-2 Some parts of ISO/IEC 14443-3 Own ISO/IEC 14443-4 protocol R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 23 / 78

  10. ISO/IEC 14443 (V) IsoDep cards: Compliant with 4 parts of the ISO/IEC 14443 But this is not a requirement. . . MIFARE Classic: Fulfills ISO/IEC 14443-1, ISO/IEC 14443-2 Some parts of ISO/IEC 14443-3 Own ISO/IEC 14443-4 protocol A note on MIFARE Classic. . . Nice example for security by obscurity problem Well known vulnerabilities (and documented) Most critical: low entropy of random number generation Replay attacks R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 23 / 78

  11. ISO/IEC 14443 (V) IsoDep cards: Compliant with 4 parts of the ISO/IEC 14443 But this is not a requirement. . . MIFARE Classic: Fulfills ISO/IEC 14443-1, ISO/IEC 14443-2 Some parts of ISO/IEC 14443-3 Own ISO/IEC 14443-4 protocol A note on MIFARE Classic. . . Nice example for security by obscurity problem Well known vulnerabilities (and documented) Most critical: low entropy of random number generation Replay attacks “Darkside” attack Nested attack R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 23 / 78

  12. ISO/IEC 14443 (V) IsoDep cards: Compliant with 4 parts of the ISO/IEC 14443 But this is not a requirement. . . MIFARE Classic: Fulfills ISO/IEC 14443-1, ISO/IEC 14443-2 Some parts of ISO/IEC 14443-3 Own ISO/IEC 14443-4 protocol A note on MIFARE Classic. . . Nice example for security by obscurity problem Well known vulnerabilities (and documented) Most critical: low entropy of random number generation Replay attacks “Darkside” attack Nested attack Recall: show video demo R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 23 / 78

  13. ISO/IEC 14443 (V) IsoDep cards: Compliant with 4 parts of the ISO/IEC 14443 But this is not a requirement. . . MIFARE Classic: Fulfills ISO/IEC 14443-1, ISO/IEC 14443-2 Some parts of ISO/IEC 14443-3 Own ISO/IEC 14443-4 protocol A note on MIFARE Classic. . . Nice example for security by obscurity problem Well known vulnerabilities (and documented) Most critical: low entropy of random number generation Replay attacks “Darkside” attack Nested attack Recall: show video demo MFCAB tool: http://www.bitbucket.org/rjrodriguez/mfcab R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 23 / 78

  14. ISO/IEC 14443 (VI) Optional selection of AID (ISO 14443-4) PCD PICC ref ISO/IEC 14443-4 opt [Explicit Select] 1: SELECT AID 1.1: success alt [Error] 2: ISO/IEC 14443-4 DESELECTION R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 24 / 78

  15. ISO/IEC 14443 (VIII) Examples MIFARE cards Calypso (electronic ticketing system) Biometric passports EMV payment cards (PayPass, payWave, ExpressPay) Spanish & German identity cards . . . R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 25 / 78

  16. Part II – EMV EMV Protocol 4 What is it? EMV Protocol Details Known Weaknesses R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 26 / 78

  17. EMV: What is it? (I) Europay, Mastercard, and VISA standard for inter-operation of IC cards, Point-of-Sale terminals, and automated teller machines R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 27 / 78

  18. EMV: What is it? (I) Europay, Mastercard, and VISA standard for inter-operation of IC cards, Point-of-Sale terminals, and automated teller machines Owners (with joining dates) (Sept 2013) (Feb 2009) (May 13) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 27 / 78

  19. EMV: What is it? (II) Standard initially written in 1993-1994 Different deployment dates (e.g., 2003 at UK) Required for Single Euro Payment Area (SEPA) Why? Tying to reduce fraud: Skimming Stolen credit cards with forged signatures Card-Not-Present (CNP) fraud Liability shift Merchant: when no EMV card is used Customer: when PIN is used R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 28 / 78

  20. EMV: What is it? (III) (taken from “Chip and PIN is broken” , S.J. Murdoch et al.; IEEE S&P 2010) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 29 / 78

  21. EMV Protocol Details (I) Since version 4.0. . . (June 2004) Standard specification distributed over 4 books ( ∼ 700 pp.) Book 1. Application Independent ICC to Terminal Interface Requirements Book 2. Security and Key Management Book 3. Application Specification Book 4. Cardholder, Attendant, and Acquirer Interface Requirements R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 30 / 78

  22. EMV Protocol Details (I) Since version 4.0. . . (June 2004) Standard specification distributed over 4 books ( ∼ 700 pp.) Book 1. Application Independent ICC to Terminal Interface Requirements Book 2. Security and Key Management Book 3. Application Specification Book 4. Cardholder, Attendant, and Acquirer Interface Requirements We haven’t finished yet! Four card authentication methods Six cardholder verification methods Two types of transactions R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 30 / 78

  23. EMV Protocol Details (I) Since version 4.0. . . (June 2004) Standard specification distributed over 4 books ( ∼ 700 pp.) Book 1. Application Independent ICC to Terminal Interface Requirements Book 2. Security and Key Management Book 3. Application Specification Book 4. Cardholder, Attendant, and Acquirer Interface Requirements We haven’t finished yet! Four card authentication methods Six cardholder verification methods Two types of transactions Everything customised using Data Object Lists (DOL) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 30 / 78

  24. EMV Protocol Details (I) Since version 4.0. . . (June 2004) Standard specification distributed over 4 books ( ∼ 700 pp.) Book 1. Application Independent ICC to Terminal Interface Requirements Book 2. Security and Key Management Book 3. Application Specification Book 4. Cardholder, Attendant, and Acquirer Interface Requirements We haven’t finished yet! Four card authentication methods Six cardholder verification methods Two types of transactions Everything customised using Data Object Lists (DOL) → Madness complexity! R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 30 / 78

  25. EMV Protocol Details (II) EMV actors Card Card bank issuer Point-of-Sale terminals R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 31 / 78

  26. EMV Protocol Details (III) Cryptography used Symmetric key (3DES) Between the card (derived key) and issuer/bank (master key) Authenticate transactions to bank R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 32 / 78

  27. EMV Protocol Details (III) Cryptography used Symmetric key (3DES) Between the card (derived key) and issuer/bank (master key) Authenticate transactions to bank Asymmetric keypair (RSA) Payment scheme: authenticate issuers Card Issuer: authenticate cards Cards: authenticate cards/transactions to terminal (optional) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 32 / 78

  28. EMV Protocol Details (III) Cryptography used Symmetric key (3DES) Between the card (derived key) and issuer/bank (master key) Authenticate transactions to bank Asymmetric keypair (RSA) Payment scheme: authenticate issuers Card Issuer: authenticate cards Cards: authenticate cards/transactions to terminal (optional) Cryptography setup Terminal Payment scheme’s public keys R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 32 / 78

  29. EMV Protocol Details (III) Cryptography used Symmetric key (3DES) Between the card (derived key) and issuer/bank (master key) Authenticate transactions to bank Asymmetric keypair (RSA) Payment scheme: authenticate issuers Card Issuer: authenticate cards Cards: authenticate cards/transactions to terminal (optional) Cryptography setup Terminal Payment scheme’s public keys Card Card issuer’s public key certificate, signed by payment scheme Card’s public key certificate, signed by card issuer R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 32 / 78

  30. EMV Protocol Details (IV) Based on ISO/IEC 7816 Application Protocol Data Units (APDUs) Command-response / master-slave protocol Command packets Response packets R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 33 / 78

  31. EMV Protocol Details (V) ISO/IEC 7816: command APDU CLA INS P1 P2 L c Data L e CLA : 1B. Instruction class; type of command (e.g., interindustry or proprietary) INS : 1B. Instruction code; specific command (e.g., “write data”) P1-P2 : 2B. Instruction command parameters (e.g., offset into file at which to write the data) L c : 0, 1 or 3B. Number ( N c ) of bytes of command data Data : N c B. Data L e : 0, 1 or 3B. Maximum number ( N e ) of response bytes R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 34 / 78

  32. EMV Protocol Details (VI) ISO/IEC 7816: response APDU Data SW1 SW2 Data : N r ( ≤ N e ) Response data SW1-SW2 : 2B. Response trailer. Command processing status (e.g., 0x9000 indicates successful operation) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 35 / 78

  33. EMV Protocol Details (VII) ISO/IEC 7816: verifying PIN > 00 20 00 80 08 24 12 34 FF FF FF FF FF Command detailed description 00 20 : VERIFY command 00 80 : Plaintext Personal Identification Number (PIN) 08 : Length data 24 12 34 FF FF FF FF FF : Data (yes, your PIN is there in plain text ¨ ⌣ ) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 36 / 78

  34. EMV Protocol Details (VII) ISO/IEC 7816: verifying PIN > 00 20 00 80 08 24 12 34 FF FF FF FF FF Command detailed description 00 20 : VERIFY command 00 80 : Plaintext Personal Identification Number (PIN) 08 : Length data 24 12 34 FF FF FF FF FF : Data (yes, your PIN is there in plain text ¨ ⌣ ) < 90 00 Response detailed description 90 00 : Command executed without error NOTE: card may reply with 69 85 to prevent brute force attacks R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 36 / 78

  35. EMV Protocol Details (VIII) Establishing a session to communicate Steps Initialization 1 Do you see that something is missing? R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 37 / 78

  36. EMV Protocol Details (VIII) Establishing a session to communicate Steps Initialization 1 Card authentication 2 Do you see that something is missing? R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 37 / 78

  37. EMV Protocol Details (VIII) Establishing a session to communicate Steps Initialization 1 Card authentication 2 Cardholder verification 3 Do you see that something is missing? R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 37 / 78

  38. EMV Protocol Details (VIII) Establishing a session to communicate Steps Initialization 1 Card authentication 2 Cardholder verification 3 Transaction 4 Do you see that something is missing? R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 37 / 78

  39. EMV Protocol Details (VIII) Establishing a session to communicate Steps Initialization 1 Card authentication 2 Cardholder verification 3 Transaction 4 Do you see that something is missing? R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 37 / 78

  40. EMV Protocol Details (VIII) Establishing a session to communicate Steps Initialization 1 Card authentication 2 Cardholder verification 3 Transaction 4 Do you see that something is missing? R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 37 / 78

  41. EMV Protocol Details (IX) File structure Master File (MF): top-most file One (or more) Application Definition Files (ADF) May be distributed in directories ADF selected using Application Identifier (AID) Registered application provider IDentifier (RID): 5B (issued by ISO/IEC 7816-5 RA) Proprietary application Identifier eXtension (PIX): differentiate among applications from the same RID AID is printed in receipts R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 38 / 78

  42. EMV Protocol Details (IX) File structure Master File (MF): top-most file One (or more) Application Definition Files (ADF) May be distributed in directories ADF selected using Application Identifier (AID) Registered application provider IDentifier (RID): 5B (issued by ISO/IEC 7816-5 RA) Proprietary application Identifier eXtension (PIX): differentiate among applications from the same RID AID is printed in receipts ADF divided in Application Elementary Files (EF) EF contains data Selection of EF thr. Short File Identifier (SFI) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 38 / 78

  43. EMV Protocol Details (X) Example of AIDs Card issuer RID Specific card PIX AID Visa credit or debit 1010 A0000000031010 Visa Electron 2010 A0000000032010 Visa A000000003 V PAY 2020 A0000000032020 Plus 8010 A0000000038010 MasterCard credit or debit 1010 A0000000041010 MasterCard 9999 A0000000049999 MasterCard A000000004 Maestro (debit card) 3060 A0000000043060 Cirrus (interbank network) 6000 A0000000046000 R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 39 / 78

  44. EMV Protocol Details (XI) Initialization (1) Processing Option Data Object List (PDOL): data to provide Terminal language, capabilities, country code, etc. Application Interchange Profile (AIP): data authentication methods Application File Locator (AFL) lists available files R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 40 / 78

  45. EMV Protocol Details (XII) Initialization (2) OK, let’s proceed with the transaction! R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 41 / 78

  46. EMV Protocol Details (XII) Initialization (2) OK, let’s proceed with the transaction! Online or offline transaction? → Card Authentication and Cardholder Verification Methods R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 41 / 78

  47. EMV Protocol Details (XIII) Card Authentication Methods (CAM) Online CAM Needs Internet (or phone) connection (obviously) Authentications done in issuer’s network R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 42 / 78

  48. EMV Protocol Details (XIII) Card Authentication Methods (CAM) Online CAM Needs Internet (or phone) connection (obviously) Authentications done in issuer’s network Offline CAM – based on RSA Terminal performs all authentication processes Two types Offline Static CAM: Static Authentication Data (SDA) Offline Dynamic CAM: Dynamic Authentication Data (DDA) Standard DDA Combined DDA/generate AC (also termed as CDA) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 42 / 78

  49. EMV Protocol Details (XIV) Cardholder Verification Method Method b 7 b 6 b 5 b 4 b 3 b 2 b 1 b 0 Fail CVM processing X - 0 0 0 0 0 0 Plaintext PIN verification X - 0 0 0 0 0 1 Enciphered online PIN verification X - 0 0 0 0 1 0 Plaintext PIN verification and Signature verification X - 0 0 0 0 1 1 Enciphered offline PIN verification X - 0 0 0 1 0 0 Encipher PIN verification and Signature verification X - 0 0 0 1 0 1 Signature verification X - 0 1 1 1 1 0 No CVM needed X - 0 1 1 1 1 1 CVM list of rules R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 43 / 78

  50. EMV Protocol Details (XV) Transaction Application cryptograms Transaction Certificate (TC) Transaction approved Authorization Request Cryptogram (ARQC) Online authorization requested Application Authentication Cryptogram (AAC) Transaction declined R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 44 / 78

  51. EMV Protocol Details (XV) Transaction Application cryptograms Transaction Certificate (TC) Transaction approved Authorization Request Cryptogram (ARQC) Online authorization requested Application Authentication Cryptogram (AAC) Transaction declined Offline mode: GENERATE AC + TC (or AAC) Online mode: Terminal initiated: ARQC + ARQC (or AAC) Card initiated: TC + ARQC ARQC forwarded to bank issuer → ATC EXTERNAL AUTH (or second GENERATE AC) + TC (or AAC) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 44 / 78

  52. EMV Known Weaknesses (I) Skimming Magnetic stripe data also present on chip data R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 45 / 78

  53. EMV Known Weaknesses (I) Skimming Magnetic stripe data also present on chip data Cloning SDA cards Possible for offline transactions Only static data authenticated YES-card (accepts any PIN code) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 45 / 78

  54. EMV Known Weaknesses (I) Skimming Magnetic stripe data also present on chip data Cloning SDA cards Possible for offline transactions Only static data authenticated YES-card (accepts any PIN code) SDA no longer allowed for offline-enabled cards R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 45 / 78

  55. EMV Known Weaknesses (II) DDA Man-in-the-middle attack For offline transactions Authenticity of a transaction undetermined Transaction not connected to card authentication R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 46 / 78

  56. EMV Known Weaknesses (III) Murdoch et al., 2010 For offline and online transactions When card is not blocked When transaction without PIN are accepted MITM attack YES-card R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 47 / 78

  57. EMV Known Weaknesses (III) Murdoch et al., 2010 For offline and online transactions When card is not blocked When transaction without PIN are accepted MITM attack YES-card Barisani et al., 2011 Rollback attack Force CVM to plaintext PIN Online transaction in case of failed data authentication R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 47 / 78

  58. EMV Known Weaknesses (III) Murdoch et al., 2010 For offline and online transactions When card is not blocked When transaction without PIN are accepted MITM attack YES-card Barisani et al., 2011 Rollback attack Force CVM to plaintext PIN Online transaction in case of failed data authentication Bond et al., 2015 Preplay attack No POS terminal verification Nonce generated by an non-relying party And besides, with low entropy. . . R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 47 / 78

  59. Part III – EMV Contactless cards What? 5 EMV Contactless Protocol Details 6 Eavesdropping 7 Relay Attack 8 Attack Description Android and NFC: A Tale of L � ve Demo Experiment Threat Scenarios R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 48 / 78

  60. EMV contactless cards (I) Authenticating credit and debit card transactions Commands defined in ISO/IEC 7816-3 and ISO/IEC 7816-4 ( http://en.wikipedia.org/wiki/EMV ) Application ID (AID) command R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 49 / 78

  61. EMV contactless cards (II) MasterCard PayPass, VISA payWave, and AmericanExpress ExpressPay Are they secure? R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 50 / 78

  62. EMV contactless cards (II) MasterCard PayPass, VISA payWave, and AmericanExpress ExpressPay Are they secure? Amount limit on a single transaction Up to £20 GBP , 20 € , US$50, 50CHF , CAD$100, or AUD$100 R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 50 / 78

  63. EMV contactless cards (II) MasterCard PayPass, VISA payWave, and AmericanExpress ExpressPay Are they secure? Amount limit on a single transaction Up to £20 GBP , 20 € , US$50, 50CHF , CAD$100, or AUD$100 *cof, cof* ( http://www.bankinfosecurity.com/android-attack-exploits-visa-emv-flaw-a-7516/op-1 ) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 50 / 78

  64. EMV contactless cards (II) MasterCard PayPass, VISA payWave, and AmericanExpress ExpressPay Are they secure? Amount limit on a single transaction Up to £20 GBP , 20 € , US$50, 50CHF , CAD$100, or AUD$100 *cof, cof* ( http://www.bankinfosecurity.com/android-attack-exploits-visa-emv-flaw-a-7516/op-1 ) Sequential contactless payments limited – it asks for the PIN Protected by the same fraud guarantee as standard transactions (hopefully) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 50 / 78

  65. EMV Contactless Protocol Details (I) Standard specification distributed over 4 books Book A. Architecture and General Requirements Book B. Entry Point Book C. Kernel Specification Book D. Contactless Communication Protocol Different variants for book C (seven!) Based on ISO/IEC 14443 Recall the introduction ¨ ⌣ All EMV applications listed in “2PAY.SYS.DDF01” file R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 51 / 78

  66. EMV Contactless Protocol Details (II) MasterCard PayPass (1) Kernel 2 Two modes EMV mode Magnetic stripe mode R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 52 / 78

  67. EMV Contactless Protocol Details (III) MasterCard PayPass (2) EMV mode No DDA One application cryptogram for online transactions RECOVER AC command (to restore torn transactions) Data may be temporally stored on card (“scratch pad”) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 53 / 78

  68. EMV Contactless Protocol Details (IV) MasterCard PayPass (3) Mag-stripe mode Backward compatibility ( �� ) COMPUTE CRYPTOGRAPHIC CHECKSUM command: generate Card Verification Code (CVC3) Unpredictable number (UN) Application Transaction Number (ATC) Secret Key CVC3 + UN used to construct valid mag-stripe data R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 54 / 78

  69. EMV Contactless Protocol Details (IV) MasterCard PayPass (3) Mag-stripe mode Backward compatibility ( �� ) COMPUTE CRYPTOGRAPHIC CHECKSUM command: generate Card Verification Code (CVC3) Unpredictable number (UN) Application Transaction Number (ATC) Secret Key CVC3 + UN used to construct valid mag-stripe data Pre-play + rollback attack (Roland and Langer, 2013) UN length: 1 to 3 digits Fallback possible To mag-stripe mode To shorter UN R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 54 / 78

  70. EMV Contactless Protocol Details (V) VISA payWave (1) Kernel 1 and 3 Two modes EMV modes VSDC: original EMV + minor changes qVSDC: different from original EMV No offline plaintext PIN allowed R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 55 / 78

  71. EMV Contactless Protocol Details (VI) VISA payWave (2) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 56 / 78

  72. NFC Eavesdropping What data are being transmitted from my card? ( without any reader verification, it rocks! ) R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 57 / 78

  73. NFC Eavesdropping What data are being transmitted from my card? ( without any reader verification, it rocks! ) Primary Account Number (PAN) Recall: demo here Hw used: Proxmark3 + Google Nexus + NFC-capable MasterCard R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 57 / 78

  74. NFC Eavesdropping What data are being transmitted from my card? ( without any reader verification, it rocks! ) Primary Account Number (PAN) Name Recall: demo here Hw used: Proxmark3 + Google Nexus + NFC-capable MasterCard R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 57 / 78

  75. NFC Eavesdropping What data are being transmitted from my card? ( without any reader verification, it rocks! ) Primary Account Number (PAN) Name Expiration date Recall: demo here Hw used: Proxmark3 + Google Nexus + NFC-capable MasterCard R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 57 / 78

  76. NFC Eavesdropping What data are being transmitted from my card? ( without any reader verification, it rocks! ) Primary Account Number (PAN) Name Expiration date Transaction history Recall: demo here Hw used: Proxmark3 + Google Nexus + NFC-capable MasterCard R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 57 / 78

  77. NFC Eavesdropping What data are being transmitted from my card? ( without any reader verification, it rocks! ) Primary Account Number (PAN) Name Expiration date Transaction history Data from NFC plus chip payments. . . Recall: demo here Hw used: Proxmark3 + Google Nexus + NFC-capable MasterCard R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 57 / 78

  78. NFC Relay Attack Description (I) Relay attacks “On Numbers and Games”, J. H. Conway (1976) Mafia frauds – Y. Desmedt (SecuriCom’88) P −→ V ≪ communication link ≫ P −→ V Real-time fraud where a fraudulent prover P and verifier V cooperate R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 58 / 78

  79. NFC Relay Attack Description (I) Relay attacks “On Numbers and Games”, J. H. Conway (1976) Mafia frauds – Y. Desmedt (SecuriCom’88) P −→ V ≪ communication link ≫ P −→ V Real-time fraud where a fraudulent prover P and verifier V cooperate Honest prover and verifier: contactless card and Point-of-Sale terminal Dishonest prover and verifier: two NFC-enabled Android devices R. J. Rodr´ ıguez (UZ) Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions CyberCamp 2015 58 / 78

Recommend

NFC Payment Spy: A Privacy Attack on Contactless Payments Maryam Mehrnezhad , Mohammed Ali, Feng

NFC Payment Spy: A Privacy Attack on Contactless Payments Maryam Mehrnezhad , Mohammed Ali, Feng

NFC Payment Spy: A Privacy Attack on Contactless Payments Maryam Mehrnezhad , Mohammed Ali, Feng Hao, Aad van Moorsel Newcastle University, UK SSR, 5 Dec 2016 Contactless Payment Contactless Cards (theukcardsassociation.org.uk) In the

255 views • 21 slides
Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr

Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr

Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr guez Jos pvtolkien@gmail.com, rj.rodriguez@unileon.es All wrongs reversed Computer Science and Research Institute of Systems

1.23k views • 57 slides
CONTACTLESS PAYMENTS Joeri de Ruiter University of Birmingham (some slides borrowed from Tom

CONTACTLESS PAYMENTS Joeri de Ruiter University of Birmingham (some slides borrowed from Tom

CONTACTLESS PAYMENTS Joeri de Ruiter University of Birmingham (some slides borrowed from Tom Chothia) Overview EMV Protocol Attacks EMV-Contactless Protocols Attacks Demo Stopping relay attacks What is

863 views • 60 slides
paying for e -Commerce would be as easy, secure and inexpensive as using contactless cards at

paying for e -Commerce would be as easy, secure and inexpensive as using contactless cards at

What if paying for e -Commerce would be as easy, secure and inexpensive as using contactless cards at point of sale? Presentation for CeBIH Risto Savolainen Founder CEO, iAxept Ltd THE PROBLEM: CARD NOT PRESENT E -COMMERCE PAYMENTS

682 views • 18 slides
Contactless Mobile Services February 2010 1 Introduction (1/2) The next generation of

Contactless Mobile Services February 2010 1 Introduction (1/2) The next generation of

Contactless Mobile Services February 2010 1 Introduction (1/2) The next generation of telephones will provide contactless services. Mobile usages Emulation of other smartcards NFC Technology Transport Transport Payment Payment

473 views • 26 slides
Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann

Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann

Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann 2 , Sebastian Stappert 2 , Markus Ullmann 1 , Matthias Vgeler 2 1 Bundesamt fr Sicherheit in der Informationstechnik 2 NXP Semiconductors Outline

174 views • 16 slides
Intellectual Property and Contactless Card Innovations ICMA North American Workshop

Intellectual Property and Contactless Card Innovations ICMA North American Workshop

Intellectual Property and Contactless Card Innovations ICMA North American Workshop September 30 - October 1, 2014 THE HOSPITALITY MARKET OVERVIEW 14.5 M hotel rooms &gt;750 M key cards/year issued with 100 M contactless

416 views • 19 slides
Contactless payment on Chiltern Railways research Define Research &amp; Insight Ltd, Colton House,

Contactless payment on Chiltern Railways research Define Research &amp; Insight Ltd, Colton House,

Contactless payment on Chiltern Railways research Define Research &amp; Insight Ltd, Colton House, Princes Avenue, London N3 2DB, T: 020 8346 7171, Fax: 020 8883 4111, www.defineinsight.co.uk VAT No 713 9062 46, Registered in England No. 3316024

682 views • 57 slides
Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

DAISY D ata A nalysis and I nformation S ecurit Y Lab Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to Audio-based Adversarial Attacks Yingying (Jennifer) Chen Professor, Electrical and Computer

1.05k views • 46 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Vulnerabilities in First- Generation RFID-Enabled Credit Cards Kevin Fu kevinfu@cs.umass.edu

Vulnerabilities in First- Generation RFID-Enabled Credit Cards Kevin Fu kevinfu@cs.umass.edu

Vulnerabilities in First- Generation RFID-Enabled Credit Cards Kevin Fu kevinfu@cs.umass.edu Berkeley TRUST Seminar Assistant Professor March 22, 2007 Department of Computer Science University of Massachusetts Amherst, USA

611 views • 33 slides
Vulnerabilities in First-Generation RFID-enabled Credit Cards Thomas S. Heydt-Benjamin 1 , Daniel

Vulnerabilities in First-Generation RFID-enabled Credit Cards Thomas S. Heydt-Benjamin 1 , Daniel

Vulnerabilities in First-Generation RFID-enabled Credit Cards Thomas S. Heydt-Benjamin 1 , Daniel V. Bailey 2 , Kevin Fu 1 , Ari Juels 2 , and Thomas O'Hare 3 1 University of Massachusetts Amherst Department of Computer Science 2 RSA Laboratories

186 views • 18 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego Motivation n 802.11-based networks have flourished

389 views • 25 slides
WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre,

337 views • 22 slides
CARDS BROUGHT TO YOU BY Every payment type has pros and cons. When and how you use each type can

CARDS BROUGHT TO YOU BY Every payment type has pros and cons. When and how you use each type can

Comparing CARDS BROUGHT TO YOU BY Every payment type has pros and cons. When and how you use each type can make a huge impact on your personal fjnances. Meet YOUR CARDS DEBIT CREDIT PREPAID DEBIT Comparing Debit , Credit and Prepaid Debit

435 views • 17 slides
DDoS attacks on electronic payment systems Sean Rijs and Joris Claassen Supervisor: Stefan

DDoS attacks on electronic payment systems Sean Rijs and Joris Claassen Supervisor: Stefan

DDoS attacks on electronic payment systems Sean Rijs and Joris Claassen Supervisor: Stefan Duse Scope High volume DDoS attacks Electronic payment systems Low bandwidth requirements: 5 from account X to account Y 2 Research

321 views • 28 slides
Digital Payments STEP BY STEP INSTRUCTIONS FOR VARIOUS MODES OF PAYMENT: Cards, USSD, AEPS, UPI,

Digital Payments STEP BY STEP INSTRUCTIONS FOR VARIOUS MODES OF PAYMENT: Cards, USSD, AEPS, UPI,

Digital Payments STEP BY STEP INSTRUCTIONS FOR VARIOUS MODES OF PAYMENT: Cards, USSD, AEPS, UPI, Wallets Bank Cards Getting a Bank Card 2 1 HOW TO ISSUE A CARD FROM ACTIVATE YOUR CARD YOUR ACCOUNT At your Banks ATM by even

907 views • 32 slides
Leading ticketing to open source A challenge for Calypso Calypso, an Open and Secure Contactless

Leading ticketing to open source A challenge for Calypso Calypso, an Open and Secure Contactless

Leading ticketing to open source A challenge for Calypso Calypso, an Open and Secure Contactless Ticketing Standard Calypso deployement 125 cities &amp; regions 25 countries 150 million transportation smart cards 490 000 readers Challenges

287 views • 16 slides
Press and Media Kit July 2020 Wirex is a worldwide digital payment platform and regulated

Press and Media Kit July 2020 Wirex is a worldwide digital payment platform and regulated

Press and Media Kit July 2020 Wirex is a worldwide digital payment platform and regulated institution, that has forged new rules in the digital payments space. In 2015, the firm developed the worlds first contactless payment card that gives

330 views • 13 slides
Fast Privacy-Preserving Punch Cards Why go digital? Customer convenience No lost cards Better

Fast Privacy-Preserving Punch Cards Why go digital? Customer convenience No lost cards Better

Fast Privacy-Preserving Punch Cards Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit Contactless Why go digital? Customer convenience No lost cards Better bookkeeping Hard to Counterfeit

754 views • 48 slides
www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create

www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create

www.worldofinsights.co How to use the cards REFLECT CARDS Use as an ice-breaker to create dialogue on learning. RETHINK CARDS Use as a brainstorming tool to spark new ideas. ACT CARDS Use to transform insights into action. Licence to Dare

434 views • 24 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction

Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction

Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction to protocol security The context (I) credit cards contactless cards telephones online transactions cars, fridges,... Internet of

680 views • 11 slides

More recommend