Transcription
A Secure Credit Card Protocol over NFCOliver JensenMohamed GoudaLili QiuUniversity of TexasAustin, TexasUniversity of TexasAustin, TexasUniversity of TexasAustin, ACTNFC (“Near Field Communication”) is a short-range wireless communication channel. The current NFC credit cardprotocol allows a contactless credit card to communicatewirelessly with a Point-of-Sale in order to perform a purchase. This protocol is vulnerable to four common attacks:eavesdropping, skimming, relay attacks, and compromisedPoints-of-Sale. The attacker’s objective is twofold: stealingsensitive information, and performing unauthorized. We usestepwise refinement to design a secure NFC credit card protocol which defends against all four of these attacks. Theresulting protocol does not use heavyweight cryptographicoperations, instead using only inexpensive primitives such aspre-computed hashes, indexing, and XOR operations. Moreover, it explores the lower-bound of computation requiredon the card to mount an effective defense against these fourclasses of attacks. As such, the energy and computationalrequirements of the credit card in our protocol are kept toa minimum.CCS Concepts Networks Protocol correctness;KeywordsCredit card payments; secure mobile payments; Near FieldCommunication (NFC); authentication, privacy;1.INTRODUCTIONContactless credit card payment systems are rapidly gaining popularity. Such systems allow customers to pay usingtheir credit cards by simply bringing the card close to aPoint-of-Sale, and without actually swiping or necessarilycoming into direct contact with the credit card reader. Thisis advantageous because a Point-of-Sale’s ability to read acredit card is no longer contingent on reading the creditcard’s magnetic strip, notorious for becoming demagnetizedor being difficult to read due to dirty or corroded contactsPermission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. Copyrights for components of this work owned by others than theauthor(s) must be honored. Abstracting with credit is permitted. To copy otherwise, orrepublish, to post on servers or to redistribute to lists, requires prior specific permissionand/or a fee. Request permissions from permissions@acm.org.ICDCN ’16, January 04 - 07, 2016, Singapore, Singaporec 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM.ISBN 978-1-4503-4032-8/16/01. . . 15.00DOI: texas.eduon the reader. As a result, the system becomes more robustwith fewer parts needing regular service.The wireless communication channel used for contactlesscredit cards is NFC, or “Near Field Communication”. NFCis a form of RFID (“Radio Frequency Identification”). Likemany RFID protocols, it operates at a frequency of 13.56Mhz and employs a model where one of the two communicating parties may be passive. Passive tags have no powersource of their own, and instead draw power via magnetic inductance from the reader while communication occurs. Butunlike most RFID protocols wherein passive tags can be readat a distance of up to about 1 meter, the range of NFC isextremely limited: a passive NFC tag’s communications canonly be read within a range of about 2-4 centimeters. It isa combination of these two properties—the ability to communicate with a device lacking a power source (i.e. a creditcard), and the very short range—that makes NFC attractive for credit cards. The former property is desirable forconvenience, the latter for security.NFC is a simple, plain-text communication channel. Assuch, any mechanisms for message confidentiality, integrityor authentication need to be implemented on top of NFC. Aswe show in Section 2 and 3, contactless credit cards do littleto protect these transmissions. Instead, they rely on theshort range of NFC to justify the assumption that maliciousnodes will not be within range of a contactless credit cardwhile escaping the victim’s notice.As a result, the contactless credit card protocol is vulnerable to four common attacks which we detail in section3: eavesdropping, skimming, relay attacks, and data theftdue to compromised Points-of-Sale. The objective of theseattacks is twofold: stealing sensitive credit card information (such as the credit card number and expiration date),and performing purchases which were not authorized by thecredit card holder.These vulnerabilities are not merely theoretical. Rather,they are being widely exploited in the wild. For example, attacks compromising Points-of-Sale have resulted in the theftof credit card information of tens, if not hundreds, of millionsof credit cards, and have earned notoriety in recent monthswith mainstream news-outlets such as the Wall Street Journal and the New York Times [15] [16] [2] [7] [10], due to thesheer scale of these attacks.The primary contributions of this paper are as follows:1. We identify prevalent attacks on the NFC credit cardprotocol.2. We design an alternative credit card protocol whichdefends against all of these attacks.
3. We use stepwise refinement to construct this secureprotocol and prove its correctness in the face of theseattacks.4. Our secure credit card protocol is constructed to explore the lower-bound of required computation to defend against these attacks, avoiding expensive computation on the credit card. We do not use heavyweight cryptographic primitives such as public-key infrastructure. Instead, our protocol uses only inexpensive primitives such as pre-computed hashes, indexing,and XOR operations, while still being provably safe inthe face of the enumerated attacks.5. Our protocol ensures that retailers maintain their ability to correlate purchases from the same credit card.We recognize that altering currently-running systems isdifficult, particularly so in the payment industry. As such,we suggest a method of using our proposed protocol whileavoiding any changes to currently running payment processing systems. We accomplish this by defining an additionalsystem within the bank, a “payment proxy” which can translate our secure protocol’s charge requests into those of thecurrent protocol. By avoiding any changes to existing systems, we gain the additional benefit that banks may continueto support Points-of-Sale which use the current (insecure)protocol. In so doing, we hope to ease adoption within anindustry that is very resistant to change or modification.2.NFC AND THE CURRENT CCPROTOCOLNFC (“Near Field Communication”) is a widely-adoptedshort-range wireless communication channel. It is designedfor communication between an active (powered) reader anda passive tag, where the tag is powered by the reader throughmagnetic inductance. NFC is based on RFID. and has manysimilar physical characteristics, while ensuring a very limitedrange of about 2-4 cm around a passive tag.The physical NFC specification is designed to provide sufficient power to passive tags for expensive operations, including those necessary for public-key cryptography. However, the circuitry and computational ability of tags themselves vary greatly. Some tags, such as the German NationalID card, employ traditional public-key infrastructure (PKI).Other tags, such as Mifare Classic tags, are limited to storing, retrieving, incrementing and decrementing data blocks,but utilize stream ciphers and challenge-response mechanisms to protect communications. Current contactless creditcards are capable of only very limited computation, and donot engage in any cryptographic operations.The protocol for performing contactless credit card transactions over NFC (termed CC Protocol ) is composed of twoquery-response pairs. First, the NFC reader (hereafter referred to as a Point-of-Sale) solicits the card for its creditcard number and expiration date, and the card respondswith this information. In its response, the credit card alsoincludes an iCVV, or integrated Card Verification Value: adynamic security token intended to authenticate the message. Once this has completed, the Point-of-Sale sends acharge request to the bank with the information receivedfrom the credit card, and then receives an authorization response to accept or reject the charge.Figure 1: The current CC ProtocolBankPoint-of-SaleCredit Cardsolicitationcard informationcharge requestauthorizationThe exchange of messages in the CC Protocol is shown inFigure 1. They are: solicitation, card information, chargerequest and authorization. Note that after the card respondsto the Point-of-Sale, its involvement in the transaction iscomplete. The contents of these messages are as follows:Solicitation: First, the Point-of-Sale solicits the credit cardfor its information. The solicitation is composed of anumber of messages sent in both directions, identifyingthe Point-of-Sale type (e.g. 2PAY.SYS.DDF01) and thecredit card type (e.g. VISA CREDIT). Since these messages are constant for a given Point-of-Sale and creditcard, we abstract the solicitation messages as a singlerequest from the Point-of-Sale to the credit card.Card Information: The credit card responds to the solicitation by sending back the following card information: the credit card number the credit card’s expiration date the iCVV the name of the bank that issued the cardThe iCVV is an unpredictable 4-byte value freshly generated for every solicitation response, and is subsequently used by the bank to validate the transactionas described below.Charge Request: The Point-of-Sale issues a charge request to the bank. This request is composed of: the credit card number the credit card’s expiration date the iCVV the dollar amount to be chargedAuthorization: When the bank receives a charge request,it uses the credit card number to look up the account,verifies the expiration date, and then validates theiCVV to authorize the purchase. It will generally alsoperform some additional checks, such as verifying thatthe card was not reported lost or stolen, or matchingthis purchase’s location against the known location ofthe card holder. Finally, it responds with its authorization decision.When the credit card is manufactured, a secret seed valueis shared between the credit card and the bank. This enables the credit card and the bank to both generate the
same iCVV sequence, unpredictable to any party that doesnot have access to this seed. The iCVVs are simply sequential elements of this sequence1 : each time the credit cardresponds to a solicitation, it generates the next iCVV in thesequence and includes it with the card information response.In order to make an authorization decision, the banksearches through its account database, which is indexed bythe credit card number. Once the bank locates the account,it verifies that the received expiration date matches the expiration date on file. In addition, it recalls the iCVV fromthis credit card’s previous charge request and generates thenext element in the sequence, then compares the receivediCVV to the value it generated.It is possible that a card may generate an iCVV without communicating it to the bank. For example, a chargerequest may become corrupted in transit, or a Point-of-Salemay experience a network failure. As a result, a credit card’siCVV may have advanced further in the sequence than thebank expects. To handle this situation, the bank may generate several iCVVs in the sequence for comparison to thereceived value.If a match is found, the bank considers the iCVV to bevalid. It updates its state into the pseudorandom sequenceto reflect the received iCVV, and continues with any otherchecks to be performed before authorizing the charge. If nomatch is found, the bank considers the iCVV to be invalidand declines the charge.3.ATTACKS ON THE CC PROTOCOLThe current CC protocol has several aspects which renderit dangerous. Sensitive data is transmitted in the clear, canbe re-used by malicious parties, is learned by potentially insecure systems. Neither the Point-of-Sale nor the credit cardauthenticate to each other. Furthermore, proximity is usedas an indicator of intent, requiring a card holder to maintain constant vigilance on the surroundings of their creditcards. These aspects invite a number of security attacks onthe protocol.In this section, we describe four types of security attackson the current CC protocol that have previously been published: eavesdropping, skimming, relay attacks, and attacksfacilitated by compromised Points-of-Sale. We highlight thepracticality of these attacks. For example, eavesdropping,skimming, and relay attacks can be easily performed with nomore than a phone with NFC capabilities, or a small numberof inexpensive off-the-shelf components. Also, Points-of-Salehave been so widely exploited and compromised that withinthe last several years it has been reported on by most mainstream news organizations. Indeed, headlines regarding datatheft from compromised Points-of-Sale have diminished notbecause the attacks have slowed, but because they have become so prevalent they are no longer headline-worthy.3.1EavesdroppingThe goal of an eavesdropper is to gain the victim’s creditcard information such as the credit card number and expiration date. Eavesdropping is a passive attack, where the1The precise implementation of the iCVV is not a publishedstandard, and indeed may vary between card manufacturers.We assume that it is simply a 4-byte pseudorandom value,as output by a seeded pseudorandom number generator onthe credit card.eavesdropper hears all communication between the Point-ofSale and the credit card. (Communication between the bankand the Point-of-Sale is assumed to be secure.) An outlineof this attack is shown in Figure 2.Figure 2: EavesdroppingBankPoint-of-SaleEavesdropperCredit Cardsolicitationcard informationcharge requestautho
Contactless credit card payment systems are rapidly gain-ing popularity. Such systems allow customers to pay using their credit cards by simply bringing the card close to a Point-of-Sale, and without actually swiping or necessarily coming into direct contact with the credit card reader. This is advantageous because a Point-of-Sale’s ability to read a credit card is no longer contingent on .
