The title is pretty self explanatory. The market is pretty secretive about these kinds of matter since companies won't give out vulnerabilities for attackers to abuse and will give out vulnerabilities that are solved and attackers would think the same way, but maybe an unsolved attack was leaked somewhere and I'm interested to find out about it.
Asked
Active
Viewed 667 times
1 Answers
3
The NFC relay attack is still unresolved. Most of the attacks discovered against contactless payments work on top of the relay attack. The identified security issues result from flawed implementation of the standard. Others stem from failure of the issuer and the terminal to validate EMV transactions which is highly flexible in terms of card authentication modes, cardholder verification methods, and online/offline authorizations.
[1] The most recent vulnerability is found to be in VISA contactless payment in which the attacker modifies the unauthenticated conversation between the card and terminal to bypass PIN verification. It executes relay attack using 2 NFC enabled smartphones. One modifies specific bits in transit and another relays it to the terminal by pretending to be a tokenization app (like Google Pay and Apple Pay). Both smartphones are connected over wifi but they can also carry it out from large distance from each other (see [6], optimised relay attack).
In a Visa contactless transaction, the card’s response to the terminal’s GET PROCESSING OPTIONS command carries the Card Transaction Qualifiers (CTQ) whose integrity is not protected. The CTQ is a 2-byte data field that instructs the terminal which Cardholder Verification Method (CVM) is to be used.
The smartphone exploits this and implements a man-in-the-middle attack that:
Clears the 8th bit of CTQ’s first byte, which tells the terminal that online PIN verification is not required.
Sets the 8th bit of CTQ’s second byte, which tells the terminal that the CDCVM (Consumer Device Cardholder Verification Method) was performed.
[2] Last year in Blackhat Europe 2019, First Contact - Vulnerabilities in Contactless Payments presented another man-in-the-middle attack that also bypasses Visa’s PIN verification with very similar exploitation.
In the TTQ sent to the card, the CVM required field (byte 2, bit 7) is changed from
1to0. This field indicates whether to require additional cardholder verification for the transaction.In the response from the card to the terminal CTQ, CDCVM performed (byte 2, bit 8) is changed from
0to1. This tells the terminal that cardholder verification has already been performed on the device.
TTQ is a terminal-sourced data field passed onto the card within the payload of the GET PROCESSING OPTIONS command..
This attack is carried out with 2 microcontrollers performing relay attack. [1] can be assumed to be its optimisation and more scalability.
Neither of them works on MasterCard because the card’s support for the CDCVM in MasterCard is defined by the 2nd bit of AIP’s first byte and AIP is sent with authorization request to the issuer as shown in Book 4, 12.1.1, .Authorization Request, Table9. Physical cards have this bit cleared. Setting this bit for contactless cards will result in a declined transaction.
Terminal has higher floor limit for mobile wallet (£5500) than for contactless card (£30) above which the terminal requests online PIN verification regardless of CDCVM. As both [1] & [2] pretend to be a transaction coming from tokenization app, £5500 is the maximum payment they can make without triggering online PIN verification.
Pre-play Attack
[3] In BlackHat 2015, Crash & Pay: How To Own And Clone Contactless Payment Devices shows how legacy contactless Magstripe mode can be used to trick MasterCard and VISA card to generate cryptograms which can be stored unused by the attacker. The nonce that is used in this mode is 2 digits which takes 0.25 minutes to store 100 unused cryptograms for all 2 digit nonce. For 4 decimal places, it takes 25 minutes to store 10,000 unused cryptograms. Then the attacker generates a fraudulent Magstripe mode contactless card to spend these cryptograms.
With generation of cryptogram, Application Transaction Counter (ATC) of the card is also incremented and is integrity protected by the cryptogram. The jump in ATC instead of next incremented value at the time of using stored cryptograms can decline the transaction but the issuers don't detect this jump.
[4] In USENIX 2013, Cloning Credit Cards: A Combined Pre-play and Downgrade Attack on EMV Contactless shows the same exploit on MasterCard. [3] extends this attack to MasterCard as well as VISA.
Pre-play attack on Google Pay
[5] Hack In Paris - Talk 16 - NFC Payments The Art of Relay & Replay Attacks by Salvador Mendoza shows pre-play attack on Host Card Emulation (HCE) backed Google Pay. HCE produces token to request transaction authorization from the issuer. These tokens can be stored unused by the attacker as shown in [3]. Google says it's an intended behavior for HCE based contactless payments.
It doesn't work on modern smartphones with Secure Element (SE) because SE implements EMV like transaction over NFC.
Optimised relay attack
[6] In Blackhat 2016, Relaying EMV Contactless Transactions Using Off-The-Self Android Device shows an optimised relay attack with transaction completion time equal to that of actual contactless payment. This allows relays to carry out the attack over large distance without being identified as suspicious.
[7] Guessing PIN code of smartcard using brute force and offline reader
The specifications for contactless transactions specifically exclude the use of offline PIN verification (full details in Book A, section 5.9.3). Many of the contactless cards were/are in circulation in the UK allow access to offline PIN verification with PIN Try Counter resets each time the payment card is used in a Point of Sale terminal or ATM. This way attacker can have unlimited attempts to guess a card’s PIN.
How many have been fixed?
There's no effective countermeasure against relay attacks. The recommended completion time is 500ms but there's no hard limit on the maximum completion time above which the transaction should be either timed out or declined. 24C3: Relay attacks on card payment: vulnerabilities and defences (24:12) talks about Distance Bounding Protocol to combat relays. Distance bounding is in the EMV Contactless specification and Mastercard has taken up this defence, meaning its cards (at least) are protected.
Magstripe contactless payments are already being deprecated by issuers. In countries where contactless payment is recently mandated, legacy contactless Magstripe mode does not even exist in cards. Issuers are too secretive about their detection methods to combat fraudulent transactions which is often the time where flaws exist due to their out of specs implementation and logically flawed verification.
defalt
- 6,231
- 2
- 22
- 37