Abstract
The protocol by which “contactless” (NFC) credit cards operate is insecure. Previous work has done much to protect this protocol from malicious third parties such as eavesdroppers and credit card skimmers. However, most of these defenses rely on the retailers being honest and on their Points of Sale following the credit card protocol faithfully. In this paper, we extend the threat model to include malicious retailers and remove any restrictions on the operation of their Points of Sale. In particular, we identify two classes of attacks which may be executed by a malicious retailer: Over-charge attacks exploiting victim customers, and Transparent Bridge attacks exploiting victim retailers. We then extend the protocol from previous work in order to defend against these attacks, protecting cardholders and honest retailers from malicious retailers.
Acknowledgments
Research of Mohamed Gouda is supported in part by the NSF award #1440035.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Jensen, O., O’Meara, T., Gouda, M. (2016). Securing NFC Credit Card Payments Against Malicious Retailers. In: Abdulla, P., Delporte-Gallet, C. (eds) Networked Systems. NETYS 2016. Lecture Notes in Computer Science, vol 9944. Springer, Cham. https://doi.org/10.1007/978-3-319-46140-3_18
DOI: https://doi.org/10.1007/978-3-319-46140-3_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46139-7
Online ISBN: 978-3-319-46140-3
eBook Packages: Computer Science, Computer Science (R0)