relay attacks in emv contactless cards with android ots
play

Relay Attacks in EMV Contactless Cards with Android OTS Devices e - PowerPoint PPT Presentation

May 31, 2023 •650 likes •1.23k views

Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr guez Jos pvtolkien@gmail.com, rj.rodriguez@unileon.es All wrongs reversed Computer Science and Research Institute of Systems

  1. Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila † , Ricardo J. Rodr´ ıguez ‡ Jos´ pvtolkien@gmail.com, rj.rodriguez@unileon.es � All wrongs reversed † Computer Science and † Research Institute of Systems Engineering Dept. Applied Sciences in Cybersecurity University of Zaragoza, Spain University of Le´ on, Spain May 28, 2015 Hack in the Box 2015 Amsterdam (Nederland)

  2. About us Pepe Vila Dr. Ricardo J. Rodr´ ıguez Security Consultant at E&Y Senior Security Researcher at ULE tw: @cgvwzq tw: @RicardoJRodriguez http://vwzq.net http://www.ricardojrodriguez.es Main research interests Main research interests < /JavaXSScript > and Security/safety modelling and client-side attacks analysis of ICS NFC security Advanced malware analysis Android internals NFC security J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 2 / 36

  3. Agenda Introduction 1 Background 2 EMV Contactless Cards Relay Attacks and Mafia Frauds Android and NFC: A Tale of L � ve 3 Evolution of NFC Support in Android Practical Implementation Alternatives in Android Relay Attack Implementation 4 Demo experiment Threat Scenarios Resistant Mechanisms Related Work 5 Conclusions 6 J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 3 / 36

  4. Agenda Introduction 1 Background 2 EMV Contactless Cards Relay Attacks and Mafia Frauds Android and NFC: A Tale of L � ve 3 Evolution of NFC Support in Android Practical Implementation Alternatives in Android Relay Attack Implementation 4 Demo experiment Threat Scenarios Resistant Mechanisms Related Work 5 Conclusions 6 J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 4 / 36

  5. Introduction to NFC (I) What is NFC? Bidirectional short-range contactless communication technology Up to 10 cm Based on RFID standards, works in the 13 . 56 MHz spectrum Data transfer rates vary: 106 , 216 , and 424 kbps J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 5 / 36

  6. Introduction to NFC (I) What is NFC? Bidirectional short-range contactless communication technology Up to 10 cm Based on RFID standards, works in the 13 . 56 MHz spectrum Data transfer rates vary: 106 , 216 , and 424 kbps Security based on proximity concern: physical constraints J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 5 / 36

  7. Introduction to NFC (II) Wow! NFC sounds pretty hipster! Two main elements: Proximity Coupling Device (PCD, also NFC-capable device) Proximity Integrated Circuit Cards (PICC, also NFC tags) Three operation modes: Peer to peer: direct communication between parties Read/write: communication with a NFC tag Card-emulation: an NFC device behaves as a tag J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 6 / 36

  8. Introduction to NFC (III) ISO/IEC 14443 standard Four-part international standard for contactless smartcards Size, physical characteristics, etc. 1 RF power and signalling schemes 2 (Type A & B) Half-duplex, 106 kbps rate Initialization + anticollision protocol 3 Data transmission protocol 4 IsoDep cards: compliant with the four parts Example: contactless payment cards J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 7 / 36

  9. Introduction to NFC (IV) ISO/IEC 7816 Fifteen-part international standard related to contacted integrated circuit cards, especially smartcards Application Protocol Data Units (APDUs) J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 8 / 36

  10. Introduction to NFC (V) [Taken from 13.56 MHz RFID Proximity Antennas ( http://www.nxp.com/documents/application_note/AN78010.pdf )] J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 9 / 36

  11. Introduction to NFC (V) [Taken from 13.56 MHz RFID Proximity Antennas ( http://www.nxp.com/documents/application_note/AN78010.pdf )] J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 9 / 36

  12. Introduction to NFC (VI) J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 10 / 36

  13. Introduction to NFC (VII) Ok. . . So, is it secure, right? Right?? J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 11 / 36

  14. Introduction to NFC (VII) Ok. . . So, is it secure, right? Right?? If it were *so* secure, you would not be staring at us ¨ ⌣ J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 11 / 36

  15. Introduction to NFC (VII) Ok. . . So, is it secure, right? Right?? If it were *so* secure, you would not be staring at us ¨ ⌣ NFC security threats Eavesdropping Secure communication as solution Data modification (i.e., alteration, insertion, or destruction) Feasible in theory (but requires quite advanced RF knowledge) Relays Forwarding of wireless communication Two types: passive (just forwards), or active (forwards and alters the data) J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 11 / 36

  16. Introduction to NFC (VII) Ok. . . So, is it secure, right? Right?? If it were *so* secure, you would not be staring at us ¨ ⌣ NFC security threats Eavesdropping Secure communication as solution Data modification (i.e., alteration, insertion, or destruction) Feasible in theory (but requires quite advanced RF knowledge) Relays Forwarding of wireless communication Two types: passive (just forwards), or active (forwards and alters the data) We focus on passive relay attacks J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 11 / 36

  17. Introduction to NFC (VIII) NFC brings “cards” to mobile devices Payment sector is quite interested in this new way for making payments 500M NFC payment users expected by 2019 Almost 300 smart phones available at the moment with NFC capabilities Check http: //www.nfcworld.com/nfc-phones-list/ Most of them runs Android OS J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 12 / 36

  18. Introduction to NFC (VIII) NFC brings “cards” to mobile devices Payment sector is quite interested in this new way for making payments 500M NFC payment users expected by 2019 Almost 300 smart phones available at the moment with NFC capabilities Check http: //www.nfcworld.com/nfc-phones-list/ Most of them runs Android OS Research Hypothesis Can a passive relay attack be performed in contactless payment cards, using an Android NFC-capable device? If so, what are the constraints? (whether any exists) J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 12 / 36

  19. Agenda Introduction 1 Background 2 EMV Contactless Cards Relay Attacks and Mafia Frauds Android and NFC: A Tale of L � ve 3 Evolution of NFC Support in Android Practical Implementation Alternatives in Android Relay Attack Implementation 4 Demo experiment Threat Scenarios Resistant Mechanisms Related Work 5 Conclusions 6 J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 13 / 36

  20. Background (I) EMV contactless cards Europay, Mastercard, and VISA standard for inter-operation of IC cards, Point-of-Sale terminals and automated teller machines Authenticating credit and debit card transactions Commands defined in ISO/IEC 7816-3 and ISO/IEC 7816-4 ( http://en.wikipedia.org/wiki/EMV ) Application ID (AID) command J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 14 / 36

  21. Background (II) MasterCard PayPass, VISA payWave, and AmericanExpress ExpressPay Are they secure? J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 15 / 36

  22. Background (II) MasterCard PayPass, VISA payWave, and AmericanExpress ExpressPay Are they secure? Amount limit on a single transaction Up to £20 GBP , 20 € , US$50, 50CHF , CAD$100, or AUD$100 J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 15 / 36

  23. Background (II) MasterCard PayPass, VISA payWave, and AmericanExpress ExpressPay Are they secure? Amount limit on a single transaction Up to £20 GBP , 20 € , US$50, 50CHF , CAD$100, or AUD$100 *cof, cof* ( http://www.bankinfosecurity.com/android-attack-exploits-visa-emv-flaw-a-7516/op-1 ) J. Vila, R. J. Rodr´ ıguez Relay Attacks in EMV Contactless Cardswith Android OTS Devices HITB’15 AMS 15 / 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CONTACTLESS PAYMENTS Joeri de Ruiter University of Birmingham (some slides borrowed from Tom

CONTACTLESS PAYMENTS Joeri de Ruiter University of Birmingham (some slides borrowed from Tom

CONTACTLESS PAYMENTS Joeri de Ruiter University of Birmingham (some slides borrowed from Tom Chothia) Overview EMV Protocol Attacks EMV-Contactless Protocols Attacks Demo Stopping relay attacks What is

863 views • 60 slides
Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions Dr. Ricardo J. Rodr guez

Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions Dr. Ricardo J. Rodr guez

Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions Dr. Ricardo J. Rodr guez All wrongs reversed rjrodriguez@unizar.es @RicardoJRdez www.ricardojrodriguez.es Department of Computer Science and Systems Engineering

1.83k views • 137 slides
Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila ,

Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila ,

Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila , Ricardo J. Rodr guez Jos 594190@unizar.es, rj.rodriguez@unileon.es All wrongs reversed University of Zaragoza, Spain RIASC,

1.03k views • 53 slides
Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila 1 and Ricardo J. Rodr Jos guez 2 1 DIIS, University of Zaragoza, Spain 2 Research Institute of Applied Sciences in Cybersecurity, University

337 views • 17 slides
paying for e -Commerce would be as easy, secure and inexpensive as using contactless cards at

paying for e -Commerce would be as easy, secure and inexpensive as using contactless cards at

What if paying for e -Commerce would be as easy, secure and inexpensive as using contactless cards at point of sale? Presentation for CeBIH Risto Savolainen Founder CEO, iAxept Ltd THE PROBLEM: CARD NOT PRESENT E -COMMERCE PAYMENTS

682 views • 18 slides
NFC Payments: The Art of Relay &amp; Replay Attacks Who are we? Troopers 2018? NFC

NFC Payments: The Art of Relay &amp; Replay Attacks Who are we? Troopers 2018? NFC

NFC Payments: The Art of Relay &amp; Replay Attacks Who are we? Troopers 2018? NFC Replay/Relay @Netxing @L_AGalloway Content Terminology Replay Attack Intro to NFC Relay Attack EMV Flow Process Extracting

1.09k views • 65 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
On Relaying NFC Payment Transactions using Android devices Pepe Vila Ricardo J. Rodrguez

On Relaying NFC Payment Transactions using Android devices Pepe Vila Ricardo J. Rodrguez

On Relaying NFC Payment Transactions using Android devices Pepe Vila Ricardo J. Rodrguez other title candidates Holystic relay attacks on NFC cyber- payments with Android mobile cloud phones ENE-FE-S relai con droides movibles

714 views • 45 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Countermeasures and Evolved Frauds

633 views • 40 slides
NFC Payment Spy: A Privacy Attack on Contactless Payments Maryam Mehrnezhad , Mohammed Ali, Feng

NFC Payment Spy: A Privacy Attack on Contactless Payments Maryam Mehrnezhad , Mohammed Ali, Feng

NFC Payment Spy: A Privacy Attack on Contactless Payments Maryam Mehrnezhad , Mohammed Ali, Feng Hao, Aad van Moorsel Newcastle University, UK SSR, 5 Dec 2016 Contactless Payment Contactless Cards (theukcardsassociation.org.uk) In the

255 views • 21 slides
Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann

Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann

Password Authenticated Key Agreement for Contactless Smart Cards Dennis Kgler 1 , Heike Neumann 2 , Sebastian Stappert 2 , Markus Ullmann 1 , Matthias Vgeler 2 1 Bundesamt fr Sicherheit in der Informationstechnik 2 NXP Semiconductors Outline

174 views • 16 slides
Intellectual Property and Contactless Card Innovations ICMA North American Workshop

Intellectual Property and Contactless Card Innovations ICMA North American Workshop

Intellectual Property and Contactless Card Innovations ICMA North American Workshop September 30 - October 1, 2014 THE HOSPITALITY MARKET OVERVIEW 14.5 M hotel rooms &gt;750 M key cards/year issued with 100 M contactless

416 views • 19 slides
Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2014 distance-bounding SDTA 14 1 / 42 Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols

1.02k views • 42 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Distance Bounding Protocols Conclusion

666 views • 53 slides
Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain, Belgium Workshop on Cryptography for the Internet of Things November 20 21, 2012, Antwerp, Belgium SUMMARY Relay Attacks Distance Bounding

349 views • 21 slides
NFC Payments: The Art of Relay &amp; Replay Attacks Who am I? Security Researcher

NFC Payments: The Art of Relay &amp; Replay Attacks Who am I? Security Researcher

NFC Payments: The Art of Relay &amp; Replay Attacks Who am I? Security Researcher Samsung Pay Exploiting Mag-stripe info with Bluetooth audio Co-founder of Women in Tech Fund @Netxing (WomenInTechFund.org) Content

1.07k views • 73 slides
A virtual private network (VPN) allows the provisioning of private network services for an

A virtual private network (VPN) allows the provisioning of private network services for an

537 views • 30 slides
A New So(ware Architecture for Core Internet Routers Robert Broberg September 16, 2011

A New So(ware Architecture for Core Internet Routers Robert Broberg September 16, 2011

A New So(ware Architecture for Core Internet Routers Robert Broberg September 16, 2011 Disclaimers and Credits This is research and no product plans are implied by any of this work. r3.cis.upenn.edu Early and conInued support from

619 views • 31 slides
Why Are We Here? The combination of ownership diversity and technology diversity is

Why Are We Here? The combination of ownership diversity and technology diversity is

GIBSON: Global IP-Based Service-Oriented Network Ping Pan, Tom Nolle S eptember 2006, Oslo Meeting Why Are We Here? The combination of ownership diversity and technology diversity is reflected in a more complex set of management

711 views • 14 slides
Switching and bridging CSCI 466: Networks Keith Vertanen

Switching and bridging CSCI 466: Networks Keith Vertanen

Switching and bridging CSCI 466: Networks Keith Vertanen Fall 2011 Overview Last chapter: Crea7ng networks from:

475 views • 35 slides
Overview/Questions Review: formatting HTML pages Frames Style Sheets 2 1 HTML Frames

Overview/Questions Review: formatting HTML pages Frames Style Sheets 2 1 HTML Frames

CS101 Lecture 18: Advanced HTML: Frames and CSS John Magee Examples from www.w3.org 18 July 2013 1 Overview/Questions Review: formatting HTML pages Frames Style Sheets 2 1 HTML Frames Frames segment the formatted output into

345 views • 7 slides
What is a Process? Answer 1: a process is an abstraction of a program in execution Answer 2: a

What is a Process? Answer 1: a process is an abstraction of a program in execution Answer 2: a

Processes and the Kernel 1 What is a Process? Answer 1: a process is an abstraction of a program in execution Answer 2: a process consists of an address space , which represents the memory that holds the programs code and data a thread

661 views • 36 slides
Address Translation Chapter 8 OSPP Part I: Basics Important? Process isolation IPC

Address Translation Chapter 8 OSPP Part I: Basics Important? Process isolation IPC

Address Translation Chapter 8 OSPP Part I: Basics Important? Process isolation IPC Shared code Program initialization Efficient dynamic memory allocation Cache management Debugging All problems in computer

1.53k views • 105 slides
FrameNet translation using bilingual dictionaries with evaluation on the English-French pair

FrameNet translation using bilingual dictionaries with evaluation on the English-French pair

LREC 19-21 march 2010 Valletta, Malta FrameNet translation using bilingual dictionaries with evaluation on the English-French pair Claire.Mouton@gmail.com Gael.de-Chalendar@cea.fr Benoit.Richert@student.ecp.fr Agenda

840 views • 24 slides

More recommend