There are a number of known vulnerabilities in the underlying technologies which support EMV contactless payments. These can be split into the following categories:
eavesdropping contactless payments
extending the effective range of NFC
These categories of vulnerability have one thing in common: they take advantage of the underlying contactless / NFC technology. They are very difficult to guard against and/or prevent.
Eavesdropping, Skimming and Extended Range Reading
Contactless payments utilise the ISO-14443 wireless communications standard (International Standards Organisation, 2011), which is an open standard used in many different contactless applications on smartcards and mobile devices. Use of this common standard leaves contactless payments vulnerable to data hijacking attacks such as eavesdropping, skimming and extended range reading. The data gathered by these attacks include the 16 digit card number (PAN) and the card expiry date, which research shows is sufficient to create a new account on Amazon.com and make online purchases, as we will see in Chapter 6. This is due to the minimal security checks on some websites, which do not enforce a full check on all of the card-not-present security fields recommended by EMV, i.e. the PAN, expiry date, CVV2, cardholder name and cardholder address. Therefore, despite the cryptographic security that prevents cloning of EMV cards based on the data obtained through contactless eavesdropping, skimming and extended range reading, the data collected are still useful in performing card-not-present attacks.
Eavesdropping
A number of research projects have looked into the practicalities of eavesdropping the ISO-14443 wireless communications. These projects show that it is possible to eavesdrop the data from a contactless payment at a distance of 1 metre. The research does prove that eavesdropping produces exploitable data, thereby making contactless EMV cards vulnerable to attack. However, the research also shows that the equipment required to perform contactless eavesdropping is very specialised, requiring a great deal of electronics expertise to build. For instance, Diakos et al. (2015) [54] present excellent research which builds the eavesdropping equipment into everyday objects such as a shopping trolley. However, as the research also shows, the RF receiver and the signal processing equipment required are complex and would require a great deal of work to make the equipment portable enough to be used in a real-world attack scenario.
This makes eavesdropping a much less attractive method of collecting credit card data when compared with skimming attacks using an NFC enabled mobile phone. Research by Francis et al. and by Emms et al. shows that skimming attacks can be performed using off-the-shelf Android mobile phones, which are very portable and discreet.
Hancke et al. (2011) [55] make a comparison between eavesdropping and skimming attacks using the same equipment. The comparison concludes that eavesdropping has the potential to read from a greater distance, whereas skimming provides more reliable data reading, eavesdropping being more susceptible to atmospherics, environmental conditions and RF interference.
Skimming
The popularity of NFC enabled Android mobile phones provides a perfect attack platform for contactless skimming, as demonstrated in (Francis L, Hancke G, Mayes K, Markantonakis K., 2012) [57]. However, that is not the only potential attack vector: an attack platform that masquerades as an NFC door reader was developed by [49]. The door reader accesses all of the cards in a victim’s wallet before activating the door opener. Our multiple card reader software utilises the standard anti-collision functionality present in the ISO 14443 standards [59] (part 3). Emms et al. (2013) [27] exploit the EMV offline PIN verify command from the contactless interface. Contactless transactions do not require the cardholder to enter their PIN. However, the researchers discovered that the offline PIN verify command is functionally available on most UK issued payment cards. This PIN verify command can be exploited by an attacker to guess the card PIN without blocking the card. The research demonstrated a viable attack scenario where a contactless physical access control reader is programmed with part of an EMV transaction protocol. When the user presents a wallet containing a payment card to the access control reader, it selects a payment application on the card. Figure 14 shows the Verify PIN protocol sequence implemented by the reader. It can be seen from the figure that the reader, after selecting the payment application, reads the number of PIN attempts left on the card. If this is not zero, the reader issues a PIN verify command with a random PIN to the card. The command is repeated until the right PIN for the card is guessed or until the PIN try counter reaches zero.
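To make the card-side behaviour concrete, the following is an added example (not code from this thesis or from Emms et al.): a toy model of the EMV PIN try counter with standard ISO 7816-4 status words, contrasting a card that accepts VERIFY PIN on any interface with one that refuses it over contactless. The MAX_TRIES value, the "contact"/"contactless" interface labels and the refusal policy are assumptions for illustration.

```python
# Added example, not code from the thesis or from Emms et al.: a toy model of the
# card-side PIN try counter, with a card that refuses VERIFY PIN on the contactless
# interface (assumed hardening) beside one that accepts it on any interface.
from dataclasses import dataclass

SW_OK = 0x9000           # ISO 7816-4: command executed successfully
SW_BLOCKED = 0x6983      # authentication method blocked (try counter is zero)
SW_NOT_ALLOWED = 0x6985  # conditions of use not satisfied (refused on this interface)
MAX_TRIES = 3            # assumed issuer setting


def sw_tries_left(n: int) -> int:
    """Status word 63Cx: verification failed, x tries remaining."""
    return 0x63C0 | (n & 0x0F)


@dataclass
class ToyEmvCard:
    pin: str
    tries_left: int = MAX_TRIES
    contactless_pin_allowed: bool = False  # hardened default

    def get_pin_try_counter(self) -> int:
        # Mirrors the PIN Try Counter query the text says the rogue reader issues first
        return self.tries_left

    def verify_pin(self, candidate: str, interface: str) -> int:
        # Hardened cards answer VERIFY over contactless with 6985 and leave the counter untouched
        if interface == "contactless" and not self.contactless_pin_allowed:
            return SW_NOT_ALLOWED
        if self.tries_left == 0:
            return SW_BLOCKED
        if candidate == self.pin:
            self.tries_left = MAX_TRIES
            return SW_OK
        self.tries_left -= 1
        return SW_BLOCKED if self.tries_left == 0 else sw_tries_left(self.tries_left)


def compare_cards() -> dict:
    """Same wrong guess over the contactless interface against both card models."""
    hardened = ToyEmvCard(pin="1234")
    permissive = ToyEmvCard(pin="1234", contactless_pin_allowed=True)
    return {
        "hardened_sw": hardened.verify_pin("0000", "contactless"),
        "hardened_tries": hardened.get_pin_try_counter(),
        "permissive_sw": permissive.verify_pin("0000", "contactless"),
        "permissive_tries": permissive.get_pin_try_counter(),
    }
```

The permissive card answers 63C2 and has spent a try; the hardened card answers 6985 and its counter is unchanged.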
Extended Range Contactless Reading
The maximum practical communication range of EMV contactless payment cards is approximately 10cm. EMV uses the restricted communications range of ISO 14443 as a design security feature. The cardholder authorises the payment by tapping their card on the POS terminal, the assumption being that the cardholder must be present at the merchant location to authorise the payment.
There has been significant research into extending the read range of contactless payment cards. Kirshenbaum and Wool (2006) [60] demonstrate that ISO 14443 cards can be read at a distance of 30cm, which is 6 times the design distance. The experiments show that to increase the effective reading range of ISO-14443 cards the reader must increase the transmission power from 200mW to 4 Watts and increase the antenna size from 5cm diameter to 50cm diameter.
Hancke et al. (2011) [55] introduce an interesting concept: utilising two separate antennas to extend the reading range. A standard ISO 14443 reader uses a single antenna to power the card, transmit data to the card and receive the card responses. The two antenna approach uses one antenna to power and transmit, and the second antenna to receive the card responses. Using a second receiving antenna allows the attack to increase the reading range of ISO 14443 whilst using less signal power and smaller antenna diameters.
One of the attack scenarios explored in Oren et al. (2013) [61] is a “mafia fraud attack” scenario. A POS terminal (“ghost”) is dedicated to receiving fraudulent transactions. An extended range contactless reader (“leech”) is used to capture transactions from passing victims at a range of 1 metre whilst the contactless payment card is still in the victim’s wallet. The “ghost” and the “leech” are connected by a relay, allowing them to be many kilometres apart.
Emms et al. (2014) [28] demonstrated another practically viable attack on EMV contactless cards. The researchers were able to bypass the contactless transaction limit, from £30 in the UK to a million Euros. The flaw in the protocol is exacerbated by the fact that the EMV contactless specification does not define transaction value limits for transactions made in a currency foreign to the card. For example, if the card is issued in the UK, an attacker can practically bypass the transaction limit by attempting a transaction in a currency other than GBP.
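The following is an added example (not code from this thesis or from Emms et al.) showing, from the issuer's side, why a limit check that only looks at GBP amounts is bypassed by a foreign-currency transaction, and how the check looks once the amount is converted to the billing currency first. It decodes the BCD-coded EMV fields Amount, Authorised (tag 9F02) and Transaction Currency Code (tag 5F2A); the billing currency (GBP), the exchange rates and the exponent-2 assumption are constructed placeholders.

```python
# Added example, not code from the thesis or from Emms et al.: an issuer-side check of the
# contactless limit that converts the authorised amount to the card's billing currency
# (assumed GBP) before comparing, beside the flawed GBP-only comparison the text describes.
from decimal import Decimal

CONTACTLESS_LIMIT_GBP = Decimal("30.00")   # UK limit quoted in the text

# ISO 4217 numeric codes; the rates are constructed placeholders, not live data
CURRENCY_NAME = {826: "GBP", 978: "EUR", 840: "USD"}
RATE_TO_GBP = {"GBP": Decimal("1"), "EUR": Decimal("0.85"), "USD": Decimal("0.78")}


def bcd_to_int(data: bytes) -> int:
    """Decode a BCD-coded numeric EMV field, e.g. 9F02 Amount, Authorised (n12)."""
    value = 0
    for byte in data:
        hi, lo = byte >> 4, byte & 0x0F
        if hi > 9 or lo > 9:
            raise ValueError("field is not BCD")
        value = value * 100 + hi * 10 + lo
    return value


def decode_transaction(amount_9f02: bytes, currency_5f2a: bytes) -> tuple:
    """Return (amount in major units, numeric currency code); exponent 2 assumed throughout."""
    return Decimal(bcd_to_int(amount_9f02)) / 100, bcd_to_int(currency_5f2a)


def weak_limit_check(amount: Decimal, currency_code: int) -> bool:
    # Flawed logic: the limit is only enforced for GBP, so any foreign-currency amount is approved
    if CURRENCY_NAME.get(currency_code) != "GBP":
        return True
    return amount <= CONTACTLESS_LIMIT_GBP


def hardened_limit_check(amount: Decimal, currency_code: int) -> bool:
    # Convert to the billing currency first; an unknown currency is declined, not waved through
    name = CURRENCY_NAME.get(currency_code)
    if name is None:
        return False
    return amount * RATE_TO_GBP[name] <= CONTACTLESS_LIMIT_GBP


def evaluate(amount_9f02_hex: str, currency_5f2a_hex: str) -> tuple:
    """Apply both checks to raw field values; returns (weak_approved, hardened_approved)."""
    amount, code = decode_transaction(bytes.fromhex(amount_9f02_hex), bytes.fromhex(currency_5f2a_hex))
    return weak_limit_check(amount, code), hardened_limit_check(amount, code)
```

`evaluate("000100000000", "0978")` is one million Euros: the weak check approves it, the hardened check declines it.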