Maryam Mehrnezhad Feng Hao Siamak F. Shahandashti Newcastle university, UK CryptoForma meeting, Belfast 4 May 2015 Tap-Tap and Pay (TTP): Preventing The Mafia Attack in NFC Payment

What is NFC payment? An upcoming technology that uses RFID for contactless payments Holding card in front of reader without entering PIN Using an NFC-enabled mobile Google wallet, Apple pay, Android Pay It is estimated that mobile NFC payment will reach 670 billion US dollars by 2015 ( Juniper Research, leading analyst firms in the mobile and digital tech sector).

What is Mafia attack? Mafia Fraud MITM attack Relay attack Wormhole Attack Ghost and leech attack Reader and ghost attack

The idea Observation: as the result of physical tapping between a pair of devices, the tapping creates transient vibrations, which can be measured using embedded accelerometer sensors. To be similar if from the same tapping different if from different tappings By comparing the similarity of the two measurements, we distinguish the Mafia attack from a normal NFC transaction.

TTP overview

Is it possible?

Previous works Other sensor data: GPS, Light, Audio, temperature … We DO NOT assume that the attacker's reader is in a different environment as the legitimate reader.

Implementation

Sensor data processing Accelerometer data Sequence of 3 dimensional measurements Vector length to include all dimensions Derivatives to remove the noise and bring the sequences in the same scale Sequence alignment Identifying the peaks and cutting the sequence 0.2 seconds before the first peak and after the second peak 0.6 to 1.5 seconds

Similarity comparison Correlation coefficient (time domain) Coherence (frequency domain) Energy difference Estimates how strong the users tap the distance of two signals in term of the total signal energy levels Peak Gap Difference Roughly estimates how fast the users tap The difference of the distances of the two extremums in two sequences TTP Decision Engine is a combination of all parameters (weighted sum)

Performance Evaluation Host Card based Emulation in Android 23 volunteer user, Each five times Presented with a Video guide MyMobiler to operate the reader Further analysis in Matlab

Results False negative rate (FNR) Honest transaction fails False positive rate (FPR) Mafia transaction succeeds Equal Error Rate (EER) Where the curves (based on threshold) meet 9.99% 1.1 attempts, honest user 10 attempts, attacker

Usability Study 22 users, Two tasks Presented with a brief Study description Asked to fill a questionnaire Rate (convenience, speed, and feeling of security) Free comments

Findings

Contactless payment is more convenient “... the fact that I need to keep the device close to the reader after tapping made the experience less convenient". TTP is faster “…Even [though] I had to tap twice, but the process felt faster comparing to the first one. I feel after tapping I automatically bring the phone close enough to the reader, but in first task, my phone was not close for a while and it took longer". TTP feels more secure “As before [i.e. task 1] payment is very easy. I like the action of tapping the reader as this made me feel more in control of when the transaction took place. I felt this method [TTP] was more secure due to the action of tapping to start the transaction. This meant I know when the transaction took place". “The payment [in task 1] is very easy, but I don't know when the connection between wallet and reader is made; range or time, so I would keep my payment device away from the reader to be sure until I want to pay."

Conclusion TTP is a simple and effective solution against the Mafia attack and it works when both attackers share the similar environment. Future work: Improving the error rate by using multiple sensors and more accurate ones in newer mobiles How to augment contactless cards with an accelerometer Barclay bPay band

Thanks

#Fesenjoonthecat