Abstract
Existing bank-card payment systems, such as EMV, have two serious vulnerabilities: the user does not have a trustworthy interface, and the protocols are vulnerable in a number of ways to man-in-the-middle attacks. Moving to RFID payments may, on the one hand, let bank customers use their mobile phones to make payments, which will go a fair way towards fixing the interface problem; on the other hand, protocol vulnerabilities may become worse. By 2011 the NFC vendors hope there will be 500,000,000 NFC-enabled mobile phones in the world. If these devices can act as cards or terminals, can be programmed by their users, and can communicate with each other, then they will provide a platform for deploying all manner of protocol attacks. Designing the security protocols to mitigate such attacks may be difficult. First, it will include most of the hot topics of IT policy over the last ten years (from key escrow through DRM to platform trust and accessory control) as subproblems. Second, the incentives may lead the many players to try to dump the liability on each other, leading to overall system security that is equivalent to the weakest link rather than to sum-of-efforts and is thus suboptimal.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-77366-5_37
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
Anderson, R. (2007). Position Statement in RFID S&P Panel: RFID and the Middleman. In: Dietrich, S., Dhamija, R. (eds) Financial Cryptography and Data Security. FC 2007. Lecture Notes in Computer Science, vol 4886. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77366-5_6
DOI: https://doi.org/10.1007/978-3-540-77366-5_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77365-8
Online ISBN: 978-3-540-77366-5
eBook Packages: Computer Science (R0)