How to steal a million dollars (actually, $999,999.99) - no PIN required


Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Researchers at Newcastle University in the UK have come up with a surprising way of attacking contactless payments.

Their paper is ominously entitled Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN.



It will be presented on Wednesday 05 November 2014 at the 21st ACM Conference on Computer and Communications Security in Scottsdale, Arizona.

Very greatly simplified, it's a special sort of Man in the Middle (MitM) attack that could, at least in theory, be used to trick the owners of contactless payment cards into spending enormous sums of money without realising it.

Paying without touching
Contactless bank payments usually rely on Near Field Communication (NFC) – the same sort of electronics used in public transport cards such as London's Oyster or Sydney's Opal.

These let you authorise payments simply by waving your card near a suitable payment terminal.

As you pass your card through an electromagnetic field generated by the terminal, a coiled-up antenna buried in your payment card produces a tiny electrical current.



That's enough to wake up the card's chip, which then reads in some data wirelessly, performs various cryptographic calculations on it, and sends back a reply.

The antenna functions as an electrical generator coil to start with, and then as a regular antenna for the rest of the process, which typically takes a fraction of a second.

Typically, you have to get your card very close indeed, perhaps even tapping your card onto the terminal, but you don't have to slide or insert the card into any sort of slot. The data is received, processed and transmitted without any physical circuit between the card and the terminal.

In theory, then, a crook could work the payment the other way around, by waving a suitably rigged payment terminal near your card, telling your card it wanted to buy a Caffè Americano, getting it to approve the transaction, and pocketing the cash.

This works because, for small-value transactions, the card and the terminal agree that they won't ask for your PIN.

The bank, the merchant and the cardholder (that's you) effectively have an arrangement to forgo the second factor of authentication (i.e. typing in your PIN) when the amount you're spending is below £20.

Managing the risks
In marketing jargon, the transaction is made frictionless for your convenience, with the risks kept in check because:

  • The "Near" in NFC limits the range at which your card will work.
  • The maximum value of any PINless transaction is deliberately kept low.
The idea is that the risk/reward odds for a crook with a portable "transaction harvesting" terminal should be stacked against him.

He'd have to risk bumping noticeably up against your pocket, or dipping his terminal right into your bag next to your wallet, with a maximum return on his risk of £20 each time.

Two tricky problems
However, at least in the case of VISA contactless payments, the Novocastrian researchers found two problems.

Firstly, the "must enter PIN for more than £20" restriction may be ignored by your card if the transaction is requested in a foreign currency.

Secondly, an additional safeguard prohibiting offline transactions for more than £100 may be ignored, too.

(In offline transactions, your card tells the terminal it is willing to spend the requested sum, and commits to the transaction without involving the bank; the terminal can submit the transaction for processing by the bank later on.)

In fact, the authors found, in some cases, that the limit on offline, PINless VISA transactions in foreign currencies isn't limited to any equivalent value in your local currency.

It's limited to eight digits' worth of that currency, presumably to accommodate currencies where large numbers are needed to represent even a modest value.

Suddenly, the risk/reward is tipped in the favour of the crook.

If you're in the UK, for example, he could ask your card to agree to pay up a whopping US$999,999.99, without having to go online and without you needing to enter your PIN.

That's a million bucks, less a penny, no PIN required!



Later on, when the crook is safely clear of the area where he clocked up the fake purchases, he can connect to his accomplices and send them his fraudulent transaction agreements; they can then process those payments, unrestricted by the limits that would have applied if you had bought something in your own currency.

Only then will you receive any transaction notifications from your bank, for example via SMS.

Read more: http://nakedsecurity.sophos.com/201...n-dollars-actually-999999-99-no-pin-required/
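The failure the article describes is a risk-management check that is only applied when the transaction is in the card's own currency. The following is an added example, not code from the article, from the Newcastle paper or from any real EMV kernel: it models a simplified card-side decision with the weak policy beside a hardened one that converts the requested amount into the local currency before applying the £20 no-PIN limit and the £100 offline limit, and adds an issuer-side batch check that flags offline-cleared transactions which should never have been approved without a PIN or an online authorisation. The ISO 4217 numeric codes (826, 840, 978) are real; the exchange rates, the transaction batch and the function names are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# ISO 4217 numeric currency codes (real values).
GBP = "826"
USD = "840"
EUR = "978"

# Limits quoted in the article, held in the card's local currency (GBP).
CVM_LIMIT_GBP = Decimal("20.00")            # above this a PIN must be entered
OFFLINE_FLOOR_LIMIT_GBP = Decimal("100.00")  # above this the terminal must go online
AMOUNT_FIELD_MAX = Decimal("999999.99")      # eight-digit amount field from the article

# Constructed exchange-rate table: GBP per one unit of the foreign currency.
# A real issuer would hold and refresh this server-side; values are illustrative.
RATE_TO_GBP = {GBP: Decimal("1"), USD: Decimal("0.62")}


@dataclass(frozen=True)
class Decision:
    approved_offline: bool   # card willing to commit without contacting the bank
    pin_required: bool       # cardholder verification demanded
    reason: str


def _apply_limits(local_amount: Decimal) -> Decision:
    """Shared limit logic, always evaluated in the local currency."""
    if local_amount > OFFLINE_FLOOR_LIMIT_GBP:
        return Decision(False, True, "over offline floor limit: online + PIN")
    if local_amount > CVM_LIMIT_GBP:
        return Decision(True, True, "over CVM limit: PIN required")
    return Decision(True, False, "low value: offline, no PIN")


def decide_weak(amount: Decimal, currency: str, local_currency: str = GBP) -> Decision:
    """Flawed policy resembling the behaviour the article describes: the limits are
    only enforced for local-currency requests, so a foreign-currency request is
    bounded by nothing but the width of the amount field."""
    if amount > AMOUNT_FIELD_MAX:
        return Decision(False, True, "amount does not fit the field")
    if currency != local_currency:
        return Decision(True, False, "foreign currency: limits skipped")
    return _apply_limits(amount)


def decide_hardened(amount: Decimal, currency: str, local_currency: str = GBP) -> Decision:
    """Hardened policy: convert to the local currency first; an unknown currency
    cannot be valued, so it is forced online with a PIN rather than waved through."""
    if amount > AMOUNT_FIELD_MAX:
        return Decision(False, True, "amount does not fit the field")
    rate = RATE_TO_GBP.get(currency)
    if rate is None:
        return Decision(False, True, "unknown currency: online + PIN")
    return _apply_limits(amount * rate)


@dataclass(frozen=True)
class ClearedTransaction:
    amount: Decimal
    currency: str
    offline: bool        # submitted later by the merchant, as in the article
    pin_verified: bool


def flag_suspicious(batch: list) -> list:
    """Issuer-side detection over a cleared batch: flag any offline or PIN-less
    transaction whose local-currency equivalent exceeds the limit that should
    have applied to it. Unknown currencies are flagged as unvaluable."""
    flagged = []
    for tx in batch:
        rate = RATE_TO_GBP.get(tx.currency)
        if rate is None:
            flagged.append((tx, "unknown currency"))
            continue
        local = tx.amount * rate
        if tx.offline and local > OFFLINE_FLOOR_LIMIT_GBP:
            flagged.append((tx, "offline above floor limit"))
        elif not tx.pin_verified and local > CVM_LIMIT_GBP:
            flagged.append((tx, "no PIN above CVM limit"))
    return flagged


# Constructed batch: a normal coffee, a legitimate PIN purchase, and the
# article's US$999,999.99 offline, PIN-less foreign-currency transaction.
SAMPLE_BATCH = [
    ClearedTransaction(Decimal("3.50"), GBP, offline=True, pin_verified=False),
    ClearedTransaction(Decimal("45.00"), GBP, offline=False, pin_verified=True),
    ClearedTransaction(Decimal("999999.99"), USD, offline=True, pin_verified=False),
]

if __name__ == "__main__":
    million = Decimal("999999.99")
    print("weak:    ", decide_weak(million, USD))
    print("hardened:", decide_hardened(million, USD))
    for tx, why in flag_suspicious(SAMPLE_BATCH):
        print("flagged:", tx.amount, tx.currency, "-", why)
```

The point of the hardened variant is not the particular rate table but that every limit is evaluated on a local-currency value and that a currency the card cannot value is treated as high risk rather than as exempt; the batch check gives the issuer a second chance to catch the pattern before the merchant's later submission is settled.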