November 2014

Visa Contactless Smart Cards and the $999,999.99 Fraud

Visa_Contactless_Smart_cards_and_the_$999,999.99_Fraud

Contactless payment cards have long been a topic of conversation, if somebody brushed against you on the underground could they take your money? But before answering that we need to look at the latest discovery by security researchers at Newcastle University who have discovered that the Visa smart card software which has a £20 payment limit is not applied in any foreign currency. So if the terminal asks the card for $999,999.99 it will happily create the necessary cryptographically protected payment message and the terminal will think it has an authorised payment for the same amount. I’m a little surprised that none of the risk management controls are breached for such a high value but have no reason to doubt the Newcastle findings which they presented at the ACM Computer and Communications Security Conference in Scottsdale, Arizona this week.

Without needing to look much further it is obvious this is an implementation error and not a fundamental vulnerability in the contactless card concept. As a founder member of the ‘Fit for Purpose’ security society nothing in the Newcastle findings would make me want to move away from the contactless payments card concept. The point the team does raise however is why does the smart card not authenticate the terminal? Clearly if you take the card to a contactless terminal in your local supermarket it is highly likely to be authentic and accordingly would itself impose the £20 bar. However if you went to pay some unknown merchant in a street market with a mobile phone terminal the authenticity of the terminal is of greater concern. The rogue merchant does of course have to get the payment into an acquirer in the 4-Party payment model (Issuer, Cardholder, Merchant and Acquirer) and I would be somewhat surprised if they could get a $1m payment into the system without detection and unless your bank account is much better than mine the Issuer is unlikely to pay up.

So back to the two issues, the underground contactless cuddle, as it is affectionately known and the failure of the card to authenticate the terminal in the payment protocol. Let’s look at the terminal authentication first, how do you authenticate some entity? Simple, you ask it to prove it knows a secret, if anybody can come up with a simpler fool proof approach that would be very useful. The payment organisations have spent the last 20 years getting rid of secrets in terminals because of the difficulty of distributing the secrets to the terminals and keeping them secret in the terminal. The little twist to the story is who are you communicating with? In practice of course it is the Issuer because he is the one that needs to authenticate your instructions and pass forward the legitimate payment. You are in effect communicating with the Issuer through the merchant’s terminal, I think it might be a general rule not to make payments to suspicious merchants or terminals.

So now we get to the cuddling problem and just to put it in perspective there are two scenarios, covert listening to a contactless payment which would be possible over hundreds of metres and powering up a contactless card to make an unauthorised payment. If the protocol is implemented correctly the covert listening while not desirable does not provide sufficient data to allow fraudulent use of your card. The capability to power up the card and extract a payment is however clearly unacceptable. There are however two requirements, the ability to get enough power into the contactless card to power up the chip and the ability to implement the payment protocol. It is of course the ability to get power to the chip that is the problem and given that the magnetic near field varies inversely as the cube of distance the attacker would need a big battery unless he really could cuddle up to you on the underground. It is however fairly easy to prevent, any form of shielding around the card and even cooking foil would do trick. Smart sleeves can be bought at your local shop.

Dr David Everett, SCN Technical Researcher.





Whitepapers

19/12/2014 Headlines

Settlement between SMARTRAC and exceet concerning wire-embedding patents

SMARTRAC and exceet today announced an agreement that resolves the patent infringement litigation initiated by SMARTRAC against entities of exceet Group in the .....Read More

The SkySIM CX Hercules from G&D Makes Mobile Transactions More Convenient and Future-Proof

Giesecke & Devrient (G&D) is presenting the new SkySIM CX Hercules. The combination of the new chip design and software allows multiple applications to be run .....Read More

Gemalto Enables KDDI to Offer Secure HD Audio Services over LTE Network

Gemalto will provide KDDI with its UpTeq multi-tenant LTE SIM to secure their Voice over LTE (VoLTE) services. KDDI is a leading operator in Japan with 40 milli.....Read More

Seasons Greetings from Smart Card News

We wish you Seasons Greetings and a happy and prosperous New Year.

We will return on 5th January 2015, to bring you all the latest news and technology di.....Read More

FitPay Aims to Eliminate Effort from Wearable Payments

FitPay Inc., a wearable technology provider, is betting that the only way to change consumer behaviour is to eliminate consumer behaviour.

Its software i.....Read More

New Research Reveals More than Three Quarters of Organisations Have Suffered a DNS Attack

Seventy-six percent of organisations in the U.S. and U.K. have suffered a Domain Name System (DNS) attack, with 49% experiencing one in the past 12 months. The .....Read More


Video Interviews

Tim Jones talks on the wealth of networks

Christophe Dolique of Gemplus talks about ·SIM

Dominique Brule of Philips Semiconductors talks about Near Field Communication