Security Analysis and Implementation of Relay-Resistant Contactless Payments

Boureanu, Ioana; Chothia, Tom; Debant, Alexandre; Delaune, Stéphanie

doi:10.1145/3372297.3417235

Cited by 10 publications

(6 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…First, neither our framework nor those proposed in [19,44,45] take mobility into account. We think that this is achievable following the approach recently proposed in [13]. This model allows agents to perform arbitrary movements as soon as they do not move faster than messages.…”

Section: Discussionmentioning

confidence: 99%

So Near and Yet So Far – Symbolic Verification of Distance-Bounding Protocols

Debant

Delaune

Wiedling

2022

ACM Trans. Priv. Secur.

Self Cite

View full text Add to dashboard Cite

The continuous adoption of Near Field Communication (NFC) tags offers many new applications whose security is essential (e.g., contactless payments). In order to prevent flaws and attacks, we develop in this article a framework allowing us to analyse the underlying security protocols, taking into account the location of the agents and the transmission delay when exchanging messages. We propose two reduction results to render automatic verification possible relying on the existing verification tool ProVerif . Our first result allows one to consider a unique topology to catch all possible attacks. The second result simplifies the security analysis when considering Terrorist fraud. Then, based on these results, we perform a comprehensive case study analysis (27 protocols), in which we obtain new proofs of security for some protocols and detect attacks on some others.

show abstract

Section: Discussionmentioning

confidence: 99%

So Near and Yet So Far – Symbolic Verification of Distance-Bounding Protocols

Debant

Delaune

Wiedling

2022

ACM Trans. Priv. Secur.

Self Cite

View full text Add to dashboard Cite

show abstract

“…RRP was first formally verified in [5]. [44] performs a timing analysis of RRP and finds it secure, but without varying the positions of the card in the field, as we do.…”

Section: Related Workmentioning

confidence: 98%

“…Symbolic Verification of EMV: Past symbolic-verification models of EMV include [48], [2], [8] and of EMV with distance bounding [47], [26], [5], [49], [44].…”

Section: Related Workmentioning

confidence: 99%

2022 IEEE Symposium on Security and Privacy (SP)

2022

View full text Add to dashboard Cite

Relay attackers can forward messages between a contactless EMV bank card and a shop reader, making it possible to wirelessly pickpocket money. To protect against this, Apple Pay requires a user's fingerprint or Face ID to authorise payments, while Mastercard and Visa have proposed protocols to stop such relay attacks. We investigate transport payment modes and find that we can build on relaying to bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone to any EMV reader, for any amount, without user authorisation. We show that Visa's proposed relay-countermeasure can be bypassed using rooted smart phones. We analyse Mastercard's relay protection, and show that its timing bounds could be more reliably imposed at the ISO 14443 protocol level, rather than at the EMV protocol level. With these insights, we propose a new relay-resistance protocol (L1RP) for EMV. We use the Tamarin prover to model mobile-phone payments with and without user authentication, and in different payment modes. We formally verify solutions to our attack suggested by Apple and Visa, and used by Samsung, and we verify that our proposed protocol provides protection from relay attacks.

show abstract

“…The recent work of Basin, Sasse, and Toro-Pozo [6] contains an overview of attacks on EMV that can lead to fraudulent transactions, e.g., criminals can make high-value purchases using a contactless Visa card without knowing the PIN. Contactless specific relay attacks may be mitigated by using distance-bounding techniques [7], e.g., Boureanu et al verified Mastercard's relay-resistant EMV protocol PayPass-RRP [8].…”

Section: Related Workmentioning

confidence: 99%

Breaking and Fixing Unlinkability of the Key Agreement Protocol for 2nd Gen EMV Payments

Horne¹,

Mauw²,

Yurkov³

2021

Preprint

View full text Add to dashboard Cite

To address privacy problems with the EMV standard, EMVco proposed a Blinded Diffie-Hellman key establishment protocol. We point out that active attackers were not previously accounted for in the privacy requirements of this proposed protocol, despite the fact that an active attacker can compromise unlinkability. Here, we adopt a strong definition of unlinkability that does account for active attackers and propose an enhancement of the protocol proposed by EMVco where we make use of Verheul certificates. We prove that our protocol does satisfy strong unlinkability, while preserving authentication.

show abstract

Security Analysis and Implementation of Relay-Resistant Contactless Payments

Cited by 10 publications

References 11 publications

So Near and Yet So Far – Symbolic Verification of Distance-Bounding Protocols

So Near and Yet So Far – Symbolic Verification of Distance-Bounding Protocols

2022 IEEE Symposium on Security and Privacy (SP)

Breaking and Fixing Unlinkability of the Key Agreement Protocol for 2nd Gen EMV Payments

Contact Info

Product

Resources

About