• Card number, expiration, bank name, and used iCVV can be obtained Eavesdropping Eavesdropping • A third party captures sensitive information sent between Point of Sale and Credit Card Photo of eavesdropper from Flicker Contactless Credit Cards Credit Card Attacks 19 / 45
• Card number, expiration, bank name, and used iCVV can be obtained Eavesdropping Eavesdropping • A third party captures sensitive information sent between Point of Sale and Credit Card Photo of eavesdropper from Flicker Contactless Credit Cards Credit Card Attacks 19 / 45
Eavesdropping Eavesdropping • A third party captures sensitive information sent between Point of Sale and Credit Card • Card number, expiration, bank name, and used iCVV can be obtained Photo of eavesdropper from Flicker Contactless Credit Cards Credit Card Attacks 19 / 45
• A small antenna could easily be concealed near a terminal Eavesdropping The eavesdropping attack is feasible, requiring only an inex- pensive tag and radio Contactless Credit Cards Credit Card Attacks 20 / 45
Eavesdropping The eavesdropping attack is feasible, requiring only an inex- pensive tag and radio • A small antenna could easily be concealed near a terminal Contactless Credit Cards Credit Card Attacks 20 / 45
• An unused iCVV can be skimmed from the card • Then, a fraudulent purchase can occur at a real point of sale • In a relay attack, two devices execute the skimming attack in concert Skimming & Relay Attacks The attacker masquerades as a card reader Contactless Credit Cards Credit Card Attacks 21 / 45
• An unused iCVV can be skimmed from the card • Then, a fraudulent purchase can occur at a real point of sale • In a relay attack, two devices execute the skimming attack in concert Skimming & Relay Attacks The attacker masquerades as a card reader Contactless Credit Cards Credit Card Attacks 21 / 45
• Then, a fraudulent purchase can occur at a real point of sale • In a relay attack, two devices execute the skimming attack in concert Skimming & Relay Attacks The attacker masquerades as a card reader • An unused iCVV can be skimmed from the card Contactless Credit Cards Credit Card Attacks 21 / 45
• In a relay attack, two devices execute the skimming attack in concert Skimming & Relay Attacks The attacker masquerades as a card reader • An unused iCVV can be skimmed from the card • Then, a fraudulent purchase can occur at a real point of sale Contactless Credit Cards Credit Card Attacks 21 / 45
Skimming & Relay Attacks The attacker masquerades as a card reader • An unused iCVV can be skimmed from the card • Then, a fraudulent purchase can occur at a real point of sale • In a relay attack, two devices execute the skimming attack in concert Contactless Credit Cards Credit Card Attacks 21 / 45
Proposed Secure Credit Protocol A credit card protocol restructured Contactless Credit Cards Proposed Secure Credit Card Protocol 22 / 45
Proposed Secure Credit Protocol Solicitation • Point of Sale now sends a challenge Contactless Credit Cards Proposed Secure Credit Card Protocol 22 / 45
Proposed Secure Credit Protocol Restructured Card Information A UUID , a static Universally Unique Identifjer is used to identify the credit card. B H(card info, ch, iCVV ) is a hash-like function used to authenticate the card’s identity. C bank name is used to route the charge request. Contactless Credit Cards Proposed Secure Credit Card Protocol 22 / 45
Proposed Secure Credit Protocol Charge request • Card information is sent to the indicated bank Authorization • Bank verifjes transaction Contactless Credit Cards Proposed Secure Credit Card Protocol 22 / 45
Hash-like function H Requirements of H 1 Output appears random Output cannot be used to derive components 2 So that attackers cannot • Glean useful information • Build a new hash output using the components and a new challenge Contactless Credit Cards Proposed Secure Credit Card Protocol 23 / 45
Hash-like function H Requirements of H 1 Output appears random Output cannot be used to derive components 2 Contactless Credit Cards Proposed Secure Credit Card Protocol 23 / 45
Hash-like function H Requirements of H 1 Output appears random Output cannot be used to derive components 2 Contactless Credit Cards Proposed Secure Credit Card Protocol 23 / 45
NFC and Mass Transit Ticketing Background Contactless Credit Cards NFC and Mass Transit Ticketing Ticketing Protocols Viability of Mobile Ticketing EnGarde: Physical NFC Security Conclusion NFC and Mass Transit Ticketing 24 / 45
• Three Nokia reseachers investigate NFC phone based ticketing • Tamrakar, Ekberg, and Asokan’s [2] work is the focus of this section • Their goal is to build a secure ticketing scheme while keeping transaction time below the 300ms industry standard NFC and Mass Transit Ticketing NFC and Mass Transit Ticketing • Presently, contactless cards widely used for mass transit ticketing NFC and Mass Transit Ticketing 25 / 45
• Tamrakar, Ekberg, and Asokan’s [2] work is the focus of this section • Their goal is to build a secure ticketing scheme while keeping transaction time below the 300ms industry standard NFC and Mass Transit Ticketing NFC and Mass Transit Ticketing • Presently, contactless cards widely used for mass transit ticketing • Three Nokia reseachers investigate NFC phone based ticketing NFC and Mass Transit Ticketing 25 / 45
• Their goal is to build a secure ticketing scheme while keeping transaction time below the 300ms industry standard NFC and Mass Transit Ticketing NFC and Mass Transit Ticketing • Presently, contactless cards widely used for mass transit ticketing • Three Nokia reseachers investigate NFC phone based ticketing • Tamrakar, Ekberg, and Asokan’s [2] work is the focus of this section NFC and Mass Transit Ticketing 25 / 45
NFC and Mass Transit Ticketing NFC and Mass Transit Ticketing • Presently, contactless cards widely used for mass transit ticketing • Three Nokia reseachers investigate NFC phone based ticketing • Tamrakar, Ekberg, and Asokan’s [2] work is the focus of this section • Their goal is to build a secure ticketing scheme while keeping transaction time below the 300ms industry standard NFC and Mass Transit Ticketing 25 / 45
Proposed Ticketing Protocol NFC and Mass Transit Ticketing Ticketing Protocols 26 / 45
Proposed Ticketing Protocol NFC and Mass Transit Ticketing Ticketing Protocols 26 / 45
Proposed Ticketing Protocol NFC and Mass Transit Ticketing Ticketing Protocols 26 / 45
Proposed Ticketing Protocol NFC and Mass Transit Ticketing Ticketing Protocols 26 / 45
Proposed Ticketing Protocol NFC and Mass Transit Ticketing Ticketing Protocols 26 / 45
Proposed Ticketing Protocol NFC and Mass Transit Ticketing Ticketing Protocols 26 / 45
Proposed Ticketing Protocol NFC and Mass Transit Ticketing Ticketing Protocols 26 / 45
Proposed Ticketing Protocol NFC and Mass Transit Ticketing Ticketing Protocols 26 / 45
Proposed Ticketing Protocol NFC and Mass Transit Ticketing Ticketing Protocols 26 / 45
• Switching from a signature to a MAC ( message authentication code ) substantially reduces overhead Use tokens instead of certifjcates • Send a small token that the reader can validate • For security, the token should be refreshed often Protocol Variant 1 Use a lighter authentication method NFC and Mass Transit Ticketing Ticketing Protocols 27 / 45
Use tokens instead of certifjcates • Send a small token that the reader can validate • For security, the token should be refreshed often Protocol Variant 1 Use a lighter authentication method • Switching from a signature to a MAC ( message authentication code ) substantially reduces overhead NFC and Mass Transit Ticketing Ticketing Protocols 27 / 45
• Send a small token that the reader can validate • For security, the token should be refreshed often Protocol Variant 1 Use a lighter authentication method • Switching from a signature to a MAC ( message authentication code ) substantially reduces overhead Use tokens instead of certifjcates NFC and Mass Transit Ticketing Ticketing Protocols 27 / 45
Protocol Variant 1 Use a lighter authentication method • Switching from a signature to a MAC ( message authentication code ) substantially reduces overhead Use tokens instead of certifjcates • Send a small token that the reader can validate • For security, the token should be refreshed often NFC and Mass Transit Ticketing Ticketing Protocols 27 / 45
Protocol Variant 1 NFC and Mass Transit Ticketing Ticketing Protocols 28 / 45
Protocol Variant 1 NFC and Mass Transit Ticketing Ticketing Protocols 28 / 45
Protocol Variant 1 NFC and Mass Transit Ticketing Ticketing Protocols 28 / 45
• This is implemented using a reverse hash chain Protocol Variant 2 Use small, timely tokens AND a long-term certifjcate NFC and Mass Transit Ticketing Ticketing Protocols 29 / 45
Protocol Variant 2 Use small, timely tokens AND a long-term certifjcate • This is implemented using a reverse hash chain NFC and Mass Transit Ticketing Ticketing Protocols 29 / 45
• NFC transfer speeds were the biggest bottleneck • The authors noted that smaller two key sizes have been deprecated in the payment industry • The industry recommended transaction time is 300ms. After taking this into account, only two options are viable Viability of Mobile Ticketing Viability of Proposed Protocols Encryption Key Size Standard Variant 1 Variant 2 1024 bits 296 ms 164 ms 182 ms 1152 bits 314 ms 172 ms 190 ms 2048 bits 482 ms 228 ms 246 ms NFC and Mass Transit Ticketing Viability of Mobile Ticketing 30 / 45
• The authors noted that smaller two key sizes have been deprecated in the payment industry • The industry recommended transaction time is 300ms. After taking this into account, only two options are viable Viability of Mobile Ticketing Viability of Proposed Protocols Encryption Key Size Standard Variant 1 Variant 2 1024 bits 296 ms 164 ms 182 ms 1152 bits 314 ms 172 ms 190 ms 2048 bits 482 ms 228 ms 246 ms • NFC transfer speeds were the biggest bottleneck NFC and Mass Transit Ticketing Viability of Mobile Ticketing 30 / 45
• The industry recommended transaction time is 300ms. After taking this into account, only two options are viable Viability of Mobile Ticketing Viability of Proposed Protocols Encryption Key Size Standard Variant 1 Variant 2 1024 bits 296 ms 164 ms 182 ms 1152 bits 314 ms 172 ms 190 ms 2048 bits 482 ms 228 ms 246 ms • NFC transfer speeds were the biggest bottleneck • The authors noted that smaller two key sizes have been deprecated in the payment industry NFC and Mass Transit Ticketing Viability of Mobile Ticketing 30 / 45
• The industry recommended transaction time is 300ms. After taking this into account, only two options are viable Viability of Mobile Ticketing Viability of Proposed Protocols Encryption Key Size Standard Variant 1 Variant 2 1024 bits 296 ms 164 ms 182 ms 1152 bits 314 ms 172 ms 190 ms 2048 bits 482 ms 228 ms 246 ms • NFC transfer speeds were the biggest bottleneck • The authors noted that smaller two key sizes have been deprecated in the payment industry NFC and Mass Transit Ticketing Viability of Mobile Ticketing 30 / 45
Viability of Mobile Ticketing Viability of Proposed Protocols Encryption Key Size Standard Variant 1 Variant 2 1024 bits 296 ms 164 ms 182 ms 1152 bits 314 ms 172 ms 190 ms 2048 bits 482 ms 228 ms 246 ms • NFC transfer speeds were the biggest bottleneck • The authors noted that smaller two key sizes have been deprecated in the payment industry • The industry recommended transaction time is 300ms. After taking this into account, only two options are viable NFC and Mass Transit Ticketing Viability of Mobile Ticketing 30 / 45
Viability of Mobile Ticketing Viability of Proposed Protocols Encryption Key Size Standard Variant 1 Variant 2 1024 bits 296 ms 164 ms 182 ms 1152 bits 314 ms 172 ms 190 ms 2048 bits 482 ms 228 ms 246 ms • NFC transfer speeds were the biggest bottleneck • The authors noted that smaller two key sizes have been deprecated in the payment industry • The industry recommended transaction time is 300ms. After taking this into account, only two options are viable NFC and Mass Transit Ticketing Viability of Mobile Ticketing 30 / 45
• The Nokia researchers grant that relay attacks are possible in all protocols, but that there is a short opportunity windows and low monetary gain • The researchers state that these protocols are meets performance and security needs better than the current contactless card system • While mobile ticketing is an imperfect, it is valid path forward that ofgers value Viability of Mobile Ticketing Viability of Mobile Ticketing • Using mobile ticketing ofgers convince and a richer user interface NFC and Mass Transit Ticketing Viability of Mobile Ticketing 31 / 45
• The researchers state that these protocols are meets performance and security needs better than the current contactless card system • While mobile ticketing is an imperfect, it is valid path forward that ofgers value Viability of Mobile Ticketing Viability of Mobile Ticketing • Using mobile ticketing ofgers convince and a richer user interface • The Nokia researchers grant that relay attacks are possible in all protocols, but that there is a short opportunity windows and low monetary gain NFC and Mass Transit Ticketing Viability of Mobile Ticketing 31 / 45
• While mobile ticketing is an imperfect, it is valid path forward that ofgers value Viability of Mobile Ticketing Viability of Mobile Ticketing • Using mobile ticketing ofgers convince and a richer user interface • The Nokia researchers grant that relay attacks are possible in all protocols, but that there is a short opportunity windows and low monetary gain • The researchers state that these protocols are meets performance and security needs better than the current contactless card system NFC and Mass Transit Ticketing Viability of Mobile Ticketing 31 / 45
Viability of Mobile Ticketing Viability of Mobile Ticketing • Using mobile ticketing ofgers convince and a richer user interface • The Nokia researchers grant that relay attacks are possible in all protocols, but that there is a short opportunity windows and low monetary gain • The researchers state that these protocols are meets performance and security needs better than the current contactless card system • While mobile ticketing is an imperfect, it is valid path forward that ofgers value NFC and Mass Transit Ticketing Viability of Mobile Ticketing 31 / 45
EnGarde: Physical NFC Security Background Contactless Credit Cards NFC and Mass Transit Ticketing EnGarde: Physical NFC Security The Engarde Protoype NFC Decoding and Jamming Experimental Evaluation Conclusion EnGarde: Physical NFC Security 32 / 45
• As a result, there may be new risks in both payment and non-payment applications of NFC • EnGarde is a semi-permanent phone attachment, designed to act as a hardware-based fjrewall • Gummeson et al’s [3] work on the EnGarde prototype is the focus of this section EnGarde: Physical NFC Security EnGarde: Physical NFC Security • Commercial payments systems are bringing NFC to phones EnGarde: Physical NFC Security 33 / 45
• EnGarde is a semi-permanent phone attachment, designed to act as a hardware-based fjrewall • Gummeson et al’s [3] work on the EnGarde prototype is the focus of this section EnGarde: Physical NFC Security EnGarde: Physical NFC Security • Commercial payments systems are bringing NFC to phones • As a result, there may be new risks in both payment and non-payment applications of NFC EnGarde: Physical NFC Security 33 / 45
• Gummeson et al’s [3] work on the EnGarde prototype is the focus of this section EnGarde: Physical NFC Security EnGarde: Physical NFC Security • Commercial payments systems are bringing NFC to phones • As a result, there may be new risks in both payment and non-payment applications of NFC • EnGarde is a semi-permanent phone attachment, designed to act as a hardware-based fjrewall EnGarde: Physical NFC Security 33 / 45
EnGarde: Physical NFC Security EnGarde: Physical NFC Security • Commercial payments systems are bringing NFC to phones • As a result, there may be new risks in both payment and non-payment applications of NFC • EnGarde is a semi-permanent phone attachment, designed to act as a hardware-based fjrewall • Gummeson et al’s [3] work on the EnGarde prototype is the focus of this section EnGarde: Physical NFC Security 33 / 45
EnGarde Prototype Features • Small form factor for semi-permanent mounting to a mobile phone • Independent battery, memory, and processor from phone • Software can be updated to combat current and future threats EnGarde Prototype EnGarde: Physical NFC Security The Engarde Protoype 34 / 45
• Small form factor for semi-permanent mounting to a mobile phone • Independent battery, memory, and processor from phone • Software can be updated to combat current and future threats EnGarde Prototype EnGarde Prototype Features EnGarde: Physical NFC Security The Engarde Protoype 34 / 45
• Independent battery, memory, and processor from phone • Software can be updated to combat current and future threats EnGarde Prototype EnGarde Prototype Features • Small form factor for semi-permanent mounting to a mobile phone EnGarde: Physical NFC Security The Engarde Protoype 34 / 45
• Software can be updated to combat current and future threats EnGarde Prototype EnGarde Prototype Features • Small form factor for semi-permanent mounting to a mobile phone • Independent battery, memory, and processor from phone EnGarde: Physical NFC Security The Engarde Protoype 34 / 45
EnGarde Prototype EnGarde Prototype Features • Small form factor for semi-permanent mounting to a mobile phone • Independent battery, memory, and processor from phone • Software can be updated to combat current and future threats EnGarde: Physical NFC Security The Engarde Protoype 34 / 45
EnGarde Expectations EnGarde should defend against all NFC modes • Malicious tags • Malicious readers • Malicious peers • Malicious software installations EnGarde: Physical NFC Security The Engarde Protoype 35 / 45
NFC Decoding and Jamming How does EnGarde detect and stop unwanted transmissions? EnGarde: Physical NFC Security NFC Decoding and Jamming 36 / 45
NFC Decoding and Jamming How does EnGarde detect and stop unwanted transmissions? EnGarde: Physical NFC Security NFC Decoding and Jamming 36 / 45
Recommend
More recommend