Risks of Offline Verify PIN on Contactless Cards

Emms, Martin; Arief, Budi; Little, Nicholas; Moorsel, Aad P. A. van

doi:10.1007/978-3-642-39884-1_26

Cited by 16 publications

(11 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, successful relay attacks on payWave have been reported in, for example, [11]. Their average time for a relayed transaction is 1.6s, which is an overhead of about 1.1s compared to a regular transaction.…”

Section: Relay Attacks Against Emv Contactless Smart Cardsmentioning

confidence: 99%

See 1 more Smart Citation

Relay Cost Bounding for Contactless EMV Payments

Chothia

Garcia

Ruiter

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper looks at relay attacks against contactless payment cards, which could be used to wirelessly pickpocket money from victims. We discuss the two leading contactless EMV payment protocols (Visa's payWave and MasterCard's PayPass). Stopping a relay attack against cards using these protocols is hard: either the overhead of the communication is low compared to the (cryptographic) computation by the card or the messages can be cached before they are requested by the terminal. We propose a solution that fits within the EMV Contactless specification to make a payment protocol that is resistant to relay attacks from commercial off-the-shelf devices, such as mobile phones. This solution does not require significant changes to the cards and can easily be added to existing terminals. To prove that our protocol really does stop relay attacks, we develop a new method of automatically checking defences against relay attacks using the applied pi-calculus and the tool ProVerif.

show abstract

Section: Relay Attacks Against Emv Contactless Smart Cardsmentioning

confidence: 99%

“…Therefore the attacker will have more opportunities to perform the attack and it will be less clear for the user that anything is going on. That such attacks are possible using cheap hardware, namely mobile phones, has been demonstrated in, for example, [17,11,12,20].…”

Section: Introductionmentioning

confidence: 99%

Relay Cost Bounding for Contactless EMV Payments

Chothia

Garcia

Ruiter

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…This has proved to be effective in both documenting decisions precisely [20,21,25], and detecting significant protocol flaws early in the development process [19,18], way before deployment or actual implementations. Specifically, it is a variation of a successful industry approach by Praxis (now Altran UK, see www.adacore.com/sparkpro/tokeneer), where formal specifications are used to clarify requirements and then later used to inform its design and implementations.…”

Section: Methodsmentioning

confidence: 99%

“…In principle, payment protocols are designed to be secure, with adequate and effective cryptographic methods employed to ensure confidentiality, integrity, authentication, identification, etc. In practice, relevant attacks [9,17,19,18] still occur in the industry, with financial fraud related to payment systems rising in the last few years: for example, in the UK, there has been a 80 percent increase in value of losses between 2011 and 2016, when the fraud losses were £618 million [24].…”

Section: Introductionmentioning

confidence: 99%

A Methodology for Protocol Verification Applied to EMV® 1

Freitas

Modesti

Emms

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The EMVCo 3 organisation (i.e. MasterCard, Visa, etc.) protocols facilitate worldwide interoperability of secure electronic payments. Despite recent advances, it has proved difficult for academia to provide an acceptable solution to construction of secure applications within industry's constraints. In this paper, we describe a methodology we have applied to EMV1. It involves domain specific languages and verification tools targeting different analysis of interest. We are currently collaborating with EMVCo on their upcoming EMV R 2 nd Generation (EMV2) specifications.

show abstract

“…Contactless cards are always on and a malicious reader in the proximity of such a device is able to trigger a response from the card, without the user's awareness. A number of security and privacy violations have been reported in the literature exploiting such unauthorised readings [17]. More security attacks include different types of relay attacks such as Man-in-The-Middle and Mafia attacks [18,21,30,35].…”

Section: Introductionmentioning

confidence: 99%