Friday, 16 January 2015

Contactless, Cardless or Cashless? (part 2)

Currently, many smart cards are being shipped with a contactless feature. This feature is built upon the RFID (radio frequency identification) technology and enables communication between the chip on the card and terminals without physical contact (http://tinyurl.com/n23f46h).

To be able to communicate with these cards, terminals make use of NFC (near field communication), which is capable of transmitting information to and receiving information from the card (http://tinyurl.com/pkgug5m). NFC technology is designed to work only in close proximity (just a few centimeters), and because of this restriction it is considered fairly secure.

In order to speed up low-value transactions, contactless payments don’t require the cardholder to authenticate. Cardholder authentication is only required depending on factors like the value of the transaction (individual or cumulative) or the number of contactless payments per day. However, even though the cardholder does not need to authenticate himself, contactless cards are still compliant with the EMV standard (and thus follow all the phases of the protocol), since the CVM (cardholder verification method) list contains the option “NONE”, which indicates that no verification is required.

So, in short, the contactless feature introduces cards that, for some operations, don’t require any type of physical contact or authentication to execute a payment. Another important fact to notice is that these cards are passive, in the sense that they do not produce any perceptible sign that they are being used. This not only increases the attack surface of such cards, but also introduces a new attack vector: the contactless feature.

Since the introduction of NFC capabilities on smartphones, reading contactless cards has become quite simple (and cheap). Several researchers have shown that it is possible to exploit this feature to abuse such cards.

A paper by researchers from the Royal Holloway University (http://tinyurl.com/o2o5puo) shows that it is possible to transform a smartphone with NFC into a terminal or a card. They do this by installing custom-made software on a smartphone that enables them to read the information provided by a smart card. Once they have the information, they then use the smartphone as a contactless card. A practical demonstration of a similar attack was performed by a journalist from Komo 4 News.


Digital pickpockets using technology to steal credit cards

The same researchers have also published another paper in which they describe a relay attack (http://tinyurl.com/pjeazbp). In a relay attack (also known as a wormhole attack), an attacker impersonates the terminal to the card and the card to the terminal in “real time”. He does this by using two distinct NFC devices, one near the card and another at the terminal. He then forwards the messages he receives from the card to the terminal and vice versa.

Relay attack

An attack of a different nature is described by a group from Newcastle University (http://tinyurl.com/k8v3m99). In this attack, they make use of the contactless feature of the cards to try to guess their PIN. To carry out the attack, they take advantage of a few features of the smart cards:

  1. It is still possible to request a PIN verification in the contactless “mode”.
  2. Although there is a limit on the number of incorrect PIN tries, the counter that keeps track of the incorrect PIN entries is reset when a correct PIN is entered.
  3. Of all the possible PIN combinations, there is a subset of PINs that is used much more often than the others.
  4. People tend to store their cards in the same place.
  5. PIN verification can be performed in offline mode.

This attack is based on a very specific scenario that, over time, can give the attacker an unlimited number of PIN tries. Imagine that you frequently have to use an RFID card (for example, to enter and leave your workplace), that you store this card with all your other cards in your wallet and that, to use the card, you just hold your wallet up to the reader instead of taking the card out of it. An attacker can use that reader to try to guess your PIN at this moment. All he has to do is read the number of PIN tries that are left on the card and, if this number is bigger than one (so as not to arouse suspicion), select one PIN and submit it to the card. He then waits for the reply, which is either success or failure. When the number of tries left reaches one, he stops, so that the cardholder does not suspect that incorrect PINs were fed to the card; the cardholder then resets the try counter himself the next time he uses the card with the correct PIN. Once the PIN is discovered, the attacker can identify the cardholder by examining the ID card information.

PIN validation attack algorithm
Although this attack may seem a bit far-fetched, when it is combined with a location with many possible victims, the success rate may be considerable.
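The following model, added here as an illustration and not code from the post or from the Newcastle paper, shows why the "reset on correct PIN" behaviour in point 2 above is what turns a three-try limit into an unlimited one, and contrasts it with two card policies that close the gap. The Card class, its method names, the PTC_LIMIT value and the issuer-side failure counter are assumptions made for the model; the APDU exchange with a real card is not modelled.

```python
"""Model of an EMV-style PIN Try Counter (PTC) under different card policies.

Added illustration, not code from the post or from the cited paper. The Card
class, its method names and PTC_LIMIT are assumptions made for the model.
"""
from dataclasses import dataclass

PTC_LIMIT = 3  # assumed: consecutive wrong PINs before the card blocks itself


@dataclass
class Card:
    pin: str
    # Policy knobs (assumed): does the card accept offline PIN over the
    # contactless interface, and does a correct PIN restore the try counter?
    contactless_offline_pin: bool = True
    reset_on_success: bool = True
    tries_left: int = PTC_LIMIT
    blocked: bool = False
    failed_total: int = 0  # cumulative failures that never reset (assumed issuer-visible)

    def verify_pin(self, candidate: str, *, contactless: bool) -> str:
        """Return OK, FAIL, BLOCKED or CVM_NOT_SUPPORTED, updating the counters."""
        if self.blocked:
            return "BLOCKED"
        if contactless and not self.contactless_offline_pin:
            # Mitigation: offline PIN is simply absent from the contactless CVM list.
            return "CVM_NOT_SUPPORTED"
        if candidate == self.pin:
            if self.reset_on_success:
                self.tries_left = PTC_LIMIT
            return "OK"
        self.tries_left -= 1
        self.failed_total += 1
        if self.tries_left == 0:
            self.blocked = True
            return "BLOCKED"
        return "FAIL"


def exposure_over_days(card: Card, days: int, wrong_pin: str) -> int:
    """Count how many wrong PINs can be tested against `card` over `days` days
    when an unsanctioned reader stops with one try left (the scenario in the
    post) and the cardholder enters the correct PIN once a day at a contact
    terminal. `wrong_pin` is a constructed value known not to be the PIN."""
    assert wrong_pin != card.pin
    tested = 0
    for _ in range(days):
        while not card.blocked and card.tries_left > 1:
            if card.verify_pin(wrong_pin, contactless=True) == "CVM_NOT_SUPPORTED":
                return tested
            tested += 1
        card.verify_pin(card.pin, contactless=False)  # legitimate daily use
    return tested


def looks_like_probing(card: Card) -> bool:
    """Issuer-side heuristic (assumed): many cumulative failures on a card that
    was never blocked is exactly the signature a reset-on-success policy hides."""
    return not card.blocked and card.failed_total >= 2 * PTC_LIMIT


if __name__ == "__main__":
    for label, c in [
        ("reset on success (as described in the post)", Card("7391")),
        ("no reset on success", Card("7391", reset_on_success=False)),
        ("no offline PIN over contactless", Card("7391", contactless_offline_pin=False)),
    ]:
        n = exposure_over_days(c, days=30, wrong_pin="0000")
        print(f"{label}: {n} wrong PINs testable in 30 days, flagged={looks_like_probing(c)}")
```

Run stand-alone, the first policy yields two wrong guesses per day forever (60 in 30 days) while the card is never blocked, which is also what makes the cumulative `failed_total` a useful detection signal for the issuer. The second policy caps the exposure at two guesses in total; in practice such a card would need some other trusted path (for example an online transaction) to restore the counter, which the model does not include. The third policy, leaving offline PIN out of the contactless CVM list, yields no guesses at all.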

Currently, Caixa Geral de Depositos allows a maximum of 60€ per day (20€ max per transaction) before asking for cardholder verification (http://tinyurl.com/ncaw7tl). Now imagine that an attacker can perform any of these attacks in places where there are many people and physical proximity is not suspicious (for example, public transportation during rush hour): can you guess how much money he would be able to divert before being discovered?
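To make the per-transaction, cumulative and per-day-count thresholds mentioned earlier concrete, here is an added issuer-side model of those limits using the figures quoted above. It is not CGD's code nor an EMV kernel; the class, its method names, the optional transaction-count cap and the rule that a verified transaction starts a fresh no-CVM window are all assumptions of this example.

```python
"""Issuer-side model of contactless cardholder-verification thresholds:
20€ per transaction and 60€ cumulative per day (figures from the post), plus
an optional cap on the number of no-CVM transactions per day.

Added example; names and the reset-after-verification rule are assumptions.
"""
from collections import defaultdict
from decimal import Decimal


class ContactlessLimits:
    def __init__(self, per_txn="20", daily="60", max_txns=None):
        self.per_txn = Decimal(per_txn)
        self.daily = Decimal(daily)
        self.max_txns = max_txns               # None = no count limit
        self.spent = defaultdict(Decimal)      # card_id -> no-CVM amount today
        self.count = defaultdict(int)          # card_id -> no-CVM transactions today

    def cvm_required(self, card_id: str, amount) -> bool:
        """CVM "NONE" is acceptable only while all three thresholds hold."""
        amount = Decimal(str(amount))
        if amount > self.per_txn:
            return True
        if self.spent[card_id] + amount > self.daily:
            return True
        if self.max_txns is not None and self.count[card_id] >= self.max_txns:
            return True
        return False

    def authorise(self, card_id: str, amount, verified: bool = False) -> str:
        """Decide one contactless transaction. `verified` means the cardholder
        completed a CVM (e.g. PIN) for this transaction."""
        amount = Decimal(str(amount))
        if self.cvm_required(card_id, amount):
            if not verified:
                return "CVM_REQUIRED"
            # Assumption: a verified transaction opens a fresh no-CVM window.
            self.spent[card_id] = Decimal(0)
            self.count[card_id] = 0
            return "APPROVED_WITH_CVM"
        self.spent[card_id] += amount
        self.count[card_id] += 1
        return "APPROVED_NO_CVM"

    def new_day(self) -> None:
        """Daily reset of the per-card accounting."""
        self.spent.clear()
        self.count.clear()


def unverified_exposure(limits: ContactlessLimits, amount) -> Decimal:
    """Largest total that one card can be charged, in transactions of `amount`,
    before a terminal demands verification: the question the post ends on."""
    amount = Decimal(str(amount))
    if amount <= 0:
        raise ValueError("amount must be positive")
    probe = ContactlessLimits(limits.per_txn, limits.daily, limits.max_txns)
    total = Decimal(0)
    while probe.authorise("probe", amount) == "APPROVED_NO_CVM":
        total += amount
    return total


if __name__ == "__main__":
    print("60€/day, 20€/txn, 20€ payments:", unverified_exposure(ContactlessLimits(), 20))
    print("same, but at most 2 unverified payments/day:",
          unverified_exposure(ContactlessLimits(max_txns=2), 20))
```

With the post's figures, three 20€ payments go through without verification and the fourth is refused until the cardholder verifies, so 60€ is the most a single card can lose per day without a CVM; adding a count cap of two unverified payments lowers that to 40€ regardless of the amounts chosen. The model keeps the accounting at the issuer; real deployments may keep some of these counters on the card itself.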

This article will continue in a third part, which will talk about cardless payment systems, how they work, and conclude about all three parts.
