
Hacking the NFC credit cards for fun and debit ;) – Renaud Lifchitz (PowerPoint presentation, slide transcript)



  1. Hacking the NFC credit cards for fun and debit ;)
     Renaud Lifchitz – BT – renaud.lifchitz@bt.com
     DeepSec 2012 – November 27-30 – Vienna, Austria

  2. Speaker's bio
     ● French computer security engineer working at BT France
     ● Main activities:
       – Penetration testing & security audits
       – Security training
       – Security research
     ● Main interests:
       – Security of protocols (authentication, cryptography, information leakage, zero-knowledge proofs...)
       – Number theory (integer factorization, primality testing, elliptic curves...)
     [Slide footer: “Hacking the NFC credit cards for fun and debit ;)” – Renaud Lifchitz – BT – DeepSec 2012 – November 27-30 – Vienna, Austria]

  3. What is contactless payment?
     ● Everyday payment with no need for card insertion nor card PIN code
     ● Main systems: VISA payWave & MasterCard PayPass
     ● Small payments (for instance 4 times 20€ in a row)
     ● 6 million NFC-enabled credit cards in France (10%)
     ● >> 10 million NFC-enabled credit cards in the U.S.

  4. How to recognize an NFC-enabled credit card?
     ● Small wave logo printed on the card:

  5. Contactless payment goals
     ● Achieve faster/simpler/easier payments
     ● Make people buy more (MasterCard Canada has seen “about 25 percent” higher spending by its PayPass users)
     ● Interoperable systems

  6. Credit card standards
     ● Data storage and security: EMV standards (Europay, MasterCard and VISA)
     ● Protocol commands and card storage layout: ISO 7816 standards

  7. EMV
     ● Card memory: a real filesystem with a root directory (MF), folders (DF) and files (EF) identified by 2 bytes, according to ISO 7816-4
     ● Data encoding: BER-TLV (very close to ASN.1) → online decoder: http://www.emvlab.org/tlvutils/
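As an added example (not part of the deck), a minimal BER-TLV decoder of the kind the emvlab tlvutils page performs online, handling multi-byte tags, long-form lengths and nested (constructed) templates; the two sample objects are constructed here and are not data read from a real card.

```python
def _read_tag(buf: bytes, i: int) -> tuple:
    # A tag whose low five bits are all set (0x1F) continues into following
    # bytes while their high bit is set; bit 6 (0x20) marks a constructed tag.
    start = i
    if buf[i] & 0x1F == 0x1F:
        i += 1
        while buf[i] & 0x80:
            i += 1
    return buf[start:i + 1], i + 1

def _read_length(buf: bytes, i: int) -> tuple:
    # Short form: one byte below 0x80.  Long form: 0x80|n, then n length bytes.
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported BER-TLV length encoding")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def decode_tlv(buf: bytes) -> list:
    """Return [(tag_hex, value), ...]; constructed tags recurse into a sub-list."""
    out, i = [], 0
    while i < len(buf):
        if buf[i] in (0x00, 0xFF):          # padding allowed between objects
            i += 1
            continue
        tag, i = _read_tag(buf, i)
        length, i = _read_length(buf, i)
        value = buf[i:i + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag.hex().upper()}")
        i += length
        nested = bool(tag[0] & 0x20)
        out.append((tag.hex().upper(), decode_tlv(value) if nested else value))
    return out

def find(tlv: list, tag: str):
    """Depth-first lookup of one tag (hex string such as '5F20')."""
    for t, v in tlv:
        if t == tag:
            return v
        if isinstance(v, list) and (hit := find(v, tag)) is not None:
            return hit
    return None

# Constructed samples (not from a real card): an FCI (6F) for the CB AID of slide 16, and a record (70) with name (5F20) and expiry (5F24)
SAMPLE_FCI = bytes.fromhex("6F128407A0000000421010A50750024342870101")
SAMPLE_RECORD = bytes.fromhex("70115F2008444F452F4A4F484E5F2403121231")
```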

  8. ISO 7816-4
     Requests – simplified command set:
     ● Class (1 byte)
     ● Instruction (1 byte)
     ● Parameter 1 & 2 (1 byte each)
     ● Length of data (1 byte)
     ● Data field
     ● Length of expected response (1 byte)
     Answers:
     ● Data field
     ● SW1 & SW2 status/error codes (1 byte each)

  9. The idea
     ● French Navigo contactless transportation cards also use ISO 7816 encapsulation over RFID, but:
       – No personal data on card (card ID ≠ cardholder ID)
       – Use good encryption
       – Use good authentication
       – Use digital signature
     ● RFID passports:
       – Use encryption
       – Use a combined reading to avoid rogue access (optical+RFID)
     → RFID credit cards (= money) should be as secure as those two, shouldn't they?
     NO, BECAUSE THERE IS SIMPLY NO AUTHENTICATION NOR ENCRYPTION!!!

  10. NFC
     ● Different names for nearly the same thing: RFID/NFC/Cityzi
     ● HF (13.56 MHz) & LF (125-134 kHz) usages
     ● Most common HF protocol: ISO 14443 (ISO 14443-1 to ISO 14443-4)
     ● Can be used for tunneling/encapsulation

  11. NFC readers
     ● USB readers:
       – SCM SCL3711 (40€ dongle)
       – ACS ACR120U/ACR122U (flat)
     ● Phones:
       – Samsung Nexus S, Samsung Galaxy Nexus
       – BlackBerry Bold 9900/9930, BlackBerry Curve 9350/9360/9370
       – Nokia N9/C7/603

  12. Tools
     ● ISO 7816 (contact) prototyping: scriptor
     ● NFC (contactless) prototyping: libnfc pn53x-tamashell
     ● Final coding: libnfc (EOF, SOF and CRC are automagically handled)

  13. Remotely available data
     ● Everything the EMV standards define, just as with a contact interface?
     ● Confirmed:
       – Cardholder: gender, first name and last name
       – PAN (Primary Account Number)
       – Expiry date
       – Magnetic stripe data
       – Transaction history
     ● Probably: general card information (issuer, public keys, …)
     ● But no CVV! (just a one-time-CVV functionality)

  14. Possible attacks
     ● Read victim's card data and use it on e-commerce websites: CVV is not always mandatory and CVV can be bruteforced (only 1000 possibilities...)
     ● Remote card DoS? (send 3 times a bad PIN code)
     ● Create a magnetic stripe dump remotely (card clone will be useful where chip card/PIN is not mandatory: most EU countries, USA, …)
     ● User identification and tracking (terrorism...)

  15. Typical libnfc attack sequence
     ● 1) Initiator List Passive Targets (wake up card!):
       – 4A 01 00
     ● 2) Select banking application (AID):
       – 40 01 00 A4 04 00 07 A0 00 00 00 42 10 10 00
     ● 3) Read specific EMV record:
       – 40 01 00 B2 02 0C 00 00
     (Slide annotations label the parts of each byte string: libnfc prefix/suffix, opcode, ISO 7816 command, EMV-specific part.)

  16. AID selection
     ● Some well known AIDs:
       – Visa debit/credit: A0 00 00 00 03 10 10
       – MasterCard credit: A0 00 00 00 04 10 10
       – American Express: A0 00 00 00 25 00 00
       – CB: A0 00 00 00 42 10 10
     ● Be careful: EF ids can vary accordingly!
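To tie slides 8, 15 and 16 together, here is an added decoder (not code from the deck) that strips the PN53x opcode and target number that libnfc puts in front of each frame and splits the remaining ISO 7816-4 APDU into the fields listed on slide 8. The opcode values come from the PN53x user manual; the constant names and the dictionary layout are this example's own choices.

```python
PN53X_IN_LIST_PASSIVE_TARGET = 0x4A   # poll for a card ("wake up card!")
PN53X_IN_DATA_EXCHANGE = 0x40         # forward an APDU to a selected target

# AIDs listed on slide 16, used only to name what a SELECT asks for.
KNOWN_AIDS = {
    "A0000000031010": "Visa debit/credit",
    "A0000000041010": "MasterCard credit",
    "A0000000250000": "American Express",
    "A0000000421010": "CB",
}

def parse_apdu(apdu: bytes) -> dict:
    """Split a short-form command APDU into CLA, INS, P1, P2, data and Le
    (ISO 7816-4 cases 1-4; extended-length APDUs are not handled)."""
    if len(apdu) < 4:
        raise ValueError("APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]                         # empty body = case 1 (header only)
    f = {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": b"", "le": None}
    if len(body) == 1:                      # case 2: header + Le
        f["le"] = body[0]
    elif len(body) > 1:
        lc = body[0]
        if len(body) == 1 + lc:             # case 3: header + Lc + data
            f["data"] = body[1:]
        elif len(body) == 2 + lc:           # case 4: header + Lc + data + Le
            f["data"], f["le"] = body[1:1 + lc], body[-1]
        else:
            raise ValueError("Lc does not match the data length")
    if ins == 0xA4 and p1 == 0x04:          # SELECT by DF name: data is the AID
        f["aid"] = KNOWN_AIDS.get(f["data"].hex().upper(), "unknown AID")
    if ins == 0xB2:                         # READ RECORD: P2 = (SFI << 3) | mode
        f["sfi"], f["record"] = p2 >> 3, p1
    return f

def parse_libnfc_frame(frame: bytes) -> dict:
    """Strip the PN53x opcode (and target number Tg) that libnfc places in
    front of the APDU, then decode the APDU itself."""
    if frame[0] == PN53X_IN_LIST_PASSIVE_TARGET:   # 4A <MaxTg> <BrTy>
        return {"op": "InListPassiveTarget", "max_targets": frame[1], "brty": frame[2]}
    if frame[0] == PN53X_IN_DATA_EXCHANGE:         # 40 <Tg> <APDU...>
        return {"op": "InDataExchange", "tg": frame[1], "apdu": parse_apdu(frame[2:])}
    raise ValueError(f"unexpected PN53x opcode {frame[0]:#04x}")

if __name__ == "__main__":
    for hexstr in ("4A0100", "400100A4040007A000000042101000", "400100B2020C0000"):
        print(hexstr, "->", parse_libnfc_frame(bytes.fromhex(hexstr)))
```

Running it over the three byte strings of slide 15 shows the SELECT carrying the CB AID with Le=00, and the READ RECORD asking for record 2 of SFI 1 (P2 = 0C).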

  17. Proof of Concept

  18. Proof of Concept – desktop computer

  19. Proof of Concept – Android smartphone

  20. Attack limitations
     ● Main limitation is the distance
     ● ISO 14443 standards state:
       – Active read up to 3 to 5 cm in practice
     ● But tweaking the devices:
       – Active read up to 1.5 m (50x better!) using a dedicated amplifier (2000€) and antenna (1000€). Everything fits into a backpack...
       – Passive sniffing up to 15 m (500x better!) using a radio receiver (e.g. USRP) with a standard telescopic antenna
     ● Remember: in August 2004, hackers succeeded in extending a Bluetooth dongle range from 10 m to 1.7 km! (http://trifinite.org/trifinite_stuff_lds.html)

  21. Passive sniffing
     (Figure: reader probes, communication with the credit card, and then probes again)

  22. How to protect?
     [image] OR [image]

  23. How should security be?
     ● Contactless accesses should be authenticated to avoid rogue readers
     ● Contactless protocol should be encrypted to avoid eavesdropping
     ● Session integrity should be ensured (e.g. HMAC) to avoid injection
     This already exists!!! (for example the French Navigo transportation card)
     Conclusion: EMV is poorly designed for NFC and needs a complete rewrite!...

  24. Regulatory compliance
     ● 2 major regulatory issues due to this lack of security:
       – PCI DSS compliance
       – Personal data protection
