Litcius/Paper detail

Man-in-the-Middle Attack on Contactless Payment over NFC Communications: Design, Implementation, Experiments and Detection

Sajeda Akter, Sriram Chellappan, Tusher Chakraborty, Taslim Arefin Khan, Ashikur Rahman, A. B. M. Alim Al Islam

2020IEEE Transactions on Dependable and Secure Computing29 citationsDOI

Abstract

A recent development emanating from RFID technology is Near Field Communication (NFC). Basically, NFC is a popular short range (<10 cm) wireless communication technology with applications in areas sensitive to security and privacy concerns such as contactless payment. Since NFC communications require very close proximity between two communicating devices (e.g., a smartcard and a terminal), it is generally believed that Man-in-the-Middle (MITM) attacks are practically infeasible here. Contrasting this belief, in this paper, we successfully establish MITM attack in NFC communications between a passive tag and an active terminal. We carefully present physical fundamentals of the attack, our engineering design, and results of successful attack implementation. Subsequently, we present the practical applicability of our MITM attack that exploits a potential vulnerability in EMV based contactless payment protocol, which arises due to separation between card authentication and transaction authorization phases. We demonstrate how an attacker can compromise the integrity of a contactless payment using a malicious MITM card, and also present multiple attack/victim scenarios to analyze different types of impacts of our attack. Further, we conduct rigorous experimental studies to analyze both hardware and practical ramifications of our attack. Finally, we propose a mechanism to detect the MITM attack based on experimental analysis that demands no additional hardware.

Topics & Concepts

Man-in-the-middle attackNear field communicationComputer scienceComputer securityExploitSmart cardVulnerability (computing)Contactless smart cardAuthentication (law)PaymentWirelessComputer networkTelecommunicationsUltra high frequencyWorld Wide WebUser Authentication and Security SystemsPhysical Unclonable Functions (PUFs) and Hardware SecurityAdvanced Authentication Protocols Security