Securing NFC Credit Card Payments Against Malicious Retailers

  • Conference paper
Networked Systems (NETYS 2016)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 9944)

Abstract

The protocol by which “contactless” (NFC) credit cards operate is insecure. Previous work has done much to protect this protocol from malicious third parties, e.g. eavesdroppers, credit card skimmers, etc. However, most of these defenses rely on the retailers being honest, and on their Points of Sale following the credit card protocol faithfully. In this paper, we extend the threat model to include malicious retailers, and remove any restrictions on the operation of their Points of Sale. In particular, we identify two classes of attacks which may be executed by a malicious retailer: Over-charge attacks exploiting victim customers, and Transparent Bridge attacks exploiting victim retailers. We then extend the protocol from previous work in order to defend against these attacks, protecting cardholders and honest retailers from malicious retailers.

Acknowledgments

Research of Mohamed Gouda is supported in part by the NSF award #1440035.

Correspondence to Oliver Jensen.

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Jensen, O., O’Meara, T., Gouda, M. (2016). Securing NFC Credit Card Payments Against Malicious Retailers. In: Abdulla, P., Delporte-Gallet, C. (eds) Networked Systems. NETYS 2016. Lecture Notes in Computer Science, vol 9944. Springer, Cham. https://doi.org/10.1007/978-3-319-46140-3_18

  • DOI: https://doi.org/10.1007/978-3-319-46140-3_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46139-7

  • Online ISBN: 978-3-319-46140-3

  • eBook Packages: Computer Science (R0)
