Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN 21st ACM Conference on Computer and Communications.

Slides:



Advertisements
Similar presentations
National Bank of Dominica Ltd Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.
Advertisements

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.
HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.
Credit Card Fraud The Scale of the Problem Michael Moore Regional Security & Fraud Investigation Manager 14 – 17 Nov 2005 Security & Safety – Middle East.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Vice President, e-Business Development Dubai United Nations Conference on Trade & Development Conference on Electronic Commerce.
Contactless Payment. © Family Economics & Financial Education – January 2007 –– Financial Institution Unit – Contactless Payment - 2 Funded by a grant.
© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Joe SimonettiT-FLEx Workshop T-FLEx October Workshop The Future of Fare Collection Bank Card Transactions & Merchant Processing Joseph Simonetti October.
Mobile Payment Solutions and the EMV/PCI Impact
Chapter 8 Web Security.
EMV’s Impact on U.S. Retailers – It’s Coming! Presented by: Chris Francis VP, Market Development February 21, 2014.
1 Financial Cryptography and Data Security 2013 Risks of Offline Verify PIN on Contactless Cards Martin Emms, Budi Arief, Nick Little, Aad van Moorsel.
BPOINT for Schools Information Guide for Parents.
Philip is a subject matter expert in Accenture’s Payment practice with more than 30 years experience across payments, transaction processing, networks,
AS Level ICT Selection and use of input devices and input media: Capturing transaction data.
EPS (Electronic payment system) is an online business process used for fund transfer using electronic means, i.e  Personal computers  services  Mobile.
Electronic Payment Systems University of Palestine University of Palestine Eng. Wisam Zaqoot Eng. Wisam Zaqoot March 2010 March 2010 ITSS 4201 Internet.
BZUPAGES.COM Electronic Payment Systems Most of the electronic payment systems on internet use cryptography in one way or the other to ensure confidentiality.
An owner or “holder” of a credit or debit card or the person who is using a credit card to pay for goods or services CARDHOLDER.
Smart Cards By Simon Siu and Russell Doyle Overview Size of a credit card Small embedded computer chip – Memory cards – Processor cards – Electronic.
May 28, 2002Mårten Trolin1 Protocols for e-commerce Traditional credit cards SET SPA/UCAF 3D-Secure Temporary card numbers Direct Payments.
Secure Electronic Transaction (SET)
Credit Card Processing Gail “Montreal” Shoffey Keeler August 14, 2007.
PCI DSS Readiness Presented By: Paul Grégoire, CISSP, QSA, PA-QSA
R U Ready? V M E EUROPAY MASTERCARD VISA EMVco was formed in 1999.
© 2014 CustomerXPs Software Pvt Ltd | | Confidential 1 Tentacles of Fraud #StarfishBanks CustomerXPs Software Private Limited.
Confidential – For Discussion & General Information Purposes Only EMV to Card Not Present Fraud Gavin Levin, CTP eReceivables Consultant.
1 1 Slide HOW CREDIT CARDS WORK. 2 2 Slide How Credit Cards Work n What the numbers on the card mean? n How the transactions work? n Main entities involved.
Agenda EMV – What Is It? EMV In The UK EMV Is Coming To The US
Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.
Getnationwide.com Let’s Talk about EMV Danielle Rourke.
CENTURY 21 ACCOUNTING © 2009 South-Western, Cengage Learning LESSON 10-2 Journalizing Cash Receipts Using a Cash Receipts Journal.
Web Security : Secure Socket Layer Secure Electronic Transaction.
ThankQ Solutions Pty Ltd Tech Forum 2013 PCI Compliance.
e-Learning Module Credit/Debit Payment Card Acceptance and Security
1 Payment Card Industry (PCI) Security Standard Developed by the PCI Security Council formed by major card issuers: Visa, MasterCard, American Express,
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
What does Chip offer Banks today?. CARD TYPES CREDIT DEBIT CHARGE PRIVATE LABEL PRE-PAYMENT MULTI FUNCTION.
What is a Smart Card Reader & Terminal. What is a smart card reader? Smart card reader, also known as smart card terminal, such as point of sale terminal,
Vijay V Vijayakumar.  Implementations  Server Side Security  Transmission Security  Client Side Security  ATM’s.
Credit Card. Basic Knowledge about Credit Card A Credit card is a plastic card that provides a cardholder electronic access to his / her bank account.
CENTURY 21 ACCOUNTING © 2009 South-Western, Cengage Learning LESSON 10-2 Journalizing Cash Receipts Using a Cash Receipts Journal.
Confidential and Proprietary - NOT TO BE DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF BANK OF AMERICA MERCHANT SERVICES. ASTRA EMV Review/Best.
Online Decision Process
EMV Operation and Attacks Tyler Moore CS7403, University of Tulsa Reading: Anderson Security Engineering, Ch (136—138), (328—343) Papers.
Mar 18, 2003Mårten Trolin1 Agenda Parts that need to be secured Card authentication Key management.
WHAT NEW, WHAT NEXT IN PAYMENT PROCESSING. EMV WHAT IS EMV? 3  An acronym created by Europay ®, MasterCard ® and Visa ®  The global standard for the.
Trusted source for all your payment processing needs.
Presented by David Cole Background to Chip. PAYMENT SYSTEMS HISTORY A POTTED HISTORY DINERS LAUNCH 1950 AMEX LAUNCH 1958 BANK AMERICARD 1959 MASTERCHARGE.
Presented by David Cole Changing the Card – Scripts.
Presented by David Cole
Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden
Risk Policy Considerations.  Floor Limits  Fallback considerations  Domestic v International  Credit control (VSDC+) overview  Fraud reporting 
Terminal Risk Management
Transaction Flow end-end
Eastern Ontario Treasurers Association
Online Payment Options for Government
Presentation transcript:

Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN 21st ACM Conference on Computer and Communications Security Martin Emms, Budi Arief, Leo Freitas, Joseph Hannon, Aad van Moorsel

Structure of presentation Brief overview of EMV contactless payments Overview of our work Analysis methodology High value foreign currency transaction flaw Science / Vulnerability / Attack Why it works MasterCard vs Visa contactless protocol Live Demonstration

EMV Contactless Payments 101 Magnetic Strip Contactless Chip & PIN Europay MasterCard Visa – “Chip & PIN” Used in 76 countries worldwide Dynamic transaction authorisation 3DES and RSA Contactless payments Fast / low value (£20) transactions - No PIN required Offline transactions - No card issuer authorisation Contactless transactions are designed to be a quick and convenient way to pay for low value purchases ($20) such as coffee or lunch. To make the transaction faster there is no PIN required from the cardholder. Make the card secure without the PIN entry; contactless is limited to 5 consecutive payments at £20 / $25 each. Contactless transaction limits USA $25 Australia $100 New Zealand $80 Europe €25 Ireland €15, UK £20

Overview of Our Work Analysis of EMV contactless payment protocol Contactless cards and mobile payments Software emulation of the contactless protocol Z abstract model of contactless protocol Methodology establishes link between “real world” errors and the EMV specification Bad implementation by card manufacturer Fundamental flaw in the specification Practical demonstrations for general public Overview of the objectives of our work Its all about the protocol because if the EMV contactless card protocol is broken, that means payment systems such as mobile contactless payments are also broken as they use the same protocol.

EMV Payment protocol specification 14 books 2392 pages 1 Chip & PIN protocol 7 contactless protocols Visa, MasterCard, American Express, JCB, UnionPay and Discover Greater complexity Greater potential for errors This is a very complicated specification... Contactless made the speck much more complex as each of the card payment schemes (Visa, MasterCard etc.) now have their own contactless payment protocol whereas in Chip & PIN they all conformed to the single protocol.

Analysis Method Interpreting the Specification EMV Specification References Tables UML Diagrams This is how we make sense of the complicated specification.

Analysis Method Modelling the Specification Abstract Model (Z notation) EMV Protocol Emulation Anomalies Test Cases Results We have built an Abstract model in Z and a software model in Java (the emulator) With these two we can investigate the robustness of the EMV protocol When we find a theoretical flaw with the Abstract Model we can investigate it with the Protocol Emulator to see if it exists in the real-world implementations of credit/debit cards an/or POS terminals. When a flaw in the specification is found we create a practical demonstration that (1) can be understood by the general public (2) shows that this is doable in the real-world and is not just an “academic exercise” as the banks like to claim. This enhances the impact of our work. Practical Demonstrations

Documenting the Link Error  Specification EMV Specification UML Diagrams + Reference Tables Practical Attack The methodology allows us to link the exploitable weakness back to the EMV specification. So where we have built a practical demonstration in Android we need to be able to say that this derives from our understanding in the UML diagram “here” which thru the table of references links back to the Book / Page and Section in the original EMV specification. This allows us to show that this is not just a bad implementation by a particular card manufacturer or POS terminal vendor. This is actually a fundamental weakness in the specification.

Contactless Foreign Currency: The Science Abstract Model for Visa fDDA transaction Pre-conditions - Amount, Currency and Date Transaction limit (£20) is in card’s home currency Transactions above the limit require PIN entry EMV Book 3 (version 4.3) page 163 “If transaction is in the application currency and is under X value” - (X = card transaction limit) What if transaction currency != application currency? How did we discover the foreign currency flaw? Transaction currency != Application currency is not specified so that lead us to ask the question what does the card do in that circumstance? Card cannot store currency tables as they would be hopelessly out of date...

Contactless Foreign Currency: The Vulnerability In a foreign currency, ALL cards say YES Bypasses transaction limits Max value 999,999.99 in any currency Contactless transactions => NO PIN required Attack can occur while card still in cardholders’ wallet Visa fDDA contactless transactions are offline No additional checks by the card issuer “Chip & PIN is broken” shows Application Cryptogram is not checked by the card issuer Visa cards say YES - does not know so defaults to YES

Contactless Foreign Currency: The Attack Send Transaction Victim’s Card Rogue Merchant €200 No PIN Capture Transaction Collect Funds Store Transaction

Why It Works: Chip & PIN Protocol Select(Application) Card Information GetProcessingOptions() AFL records list ReadRecord(AFL) Card public keys GenerateAC(Transaction) Auth Response Cryptogram (ARPC) Verify(PIN) OK / incorrect GenerateAC(ARPC) Application Cryptogram (AC) Issuer Bank POS terminal Credit/Debit Card ARQC ARPC + ARC Transaction + AC

Why It Works: MasterCard Contactless Protocol Select(Application) Card Information GetProcessingOptions() AFL records list ReadRecord(AFL) Card public keys GenerateAC(Transaction) Auth Response Cryptogram (ARPC) Verify(PIN) OK / incorrect GenerateAC(ARPC) Application Cryptogram (AC) Issuer Bank POS terminal Credit/Debit Card ARQC ARPC + ARC Transaction + AC

Why It Works: Visa fDDA Contactless Protocol Select(Application) Card Information GetProcessingOptions(Transaction) Application Cryptogram (AC) + AFL ReadRecord(AFL) Card public keys GenerateAC(Transaction) Auth Response Cryptogram (ARPC) Verify(PIN) OK / incorrect GenerateAC(ARPC) Application Cryptogram (AC) Issuer Bank POS terminal Credit/Debit Card ARQC ARPC + ARC Transaction + AC

Demonstration 1. Set the transaction amount - Same amount from each card 2. Set the transaction currency - UK = 0826, USA = 0840 3. Search for a contactless card - Audible alert when card found 4. Harvest the transaction - Transmit over Internet http://www.bbc.com/news/uk-england-tyne-29862080

Summary Bypasses contactless transaction limits NO PIN required to authorise the transaction Attacked while the card is in the wallet Android attack platform - NOT just in the lab Visa fDDA approved offline no Issuer checks Application Cryptogram (AC) is not checked Bad transactions accepted by issuing bank martin.emms@newcastle.ac.uk Visa cards say YES - does not know so defaults to YES

Contactless Attack Methods

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.