Skip to main content
SpringerLink
Log in

Towards more secure EMV purchase transactions

A new security protocol formally analyzed by the Scyther tool

  • Published:
Annals of Telecommunications Aims and scope Submit manuscript

Abstract

EMV is the protocol implemented to secure the communication, between a client’s payment device and a merchant’s payment device, during a contact or an NFC purchase transaction. It represents a set of security messages and rules, exchanged between the different transaction actors, guaranteeing several important security properties, such as authentication, non-repudiation and integrity. Indeed, researchers, in various studies, have analyzed the operation of this protocol in order to verify its safety: unfortunately, they have identified two security vulnerabilities that lead to multiple attacks and dangerous risks threatening both clients and merchants. In this paper, we are firstly interested in presenting a general overview of the EMV protocol and secondly, in proposing a new security solution that enhances the EMV protocol by solving the two dangerous EMV vulnerabilities. We verify the accuracy of our solution by using the Scyther security verification tool.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5

Similar content being viewed by others

References

  1. EMV (2011) Book 1, Book 2, Book 3, Book 4, Version 4.3. EMVCo

  2. EMV - Level 1 Specifications for Payment Systems (2018) EMV contactless interface specification, version 3.0. EMVCo

  3. De Ruiter J, Poll E (2012) Formal analysis of the emv protocol suite. In: Springer theory of security and applications, pp 113–129

  4. van den Breekel J, Ortiz-Yepes DA, Poll E, de Ruiter J (2016) Emv in a nutshell. Technical Report

  5. EMV Consortium http://www.emvco.com/, last connection (30/12/2019)

  6. VISA https://www.visa.fr/, last connection (30/12/2019)

  7. MasterCard http://www.mastercard.com/fr/particuliers/index.html, lastconnection (30/12/2019)

  8. American Express https://www.americanexpress.com/fr/, last connection (30/12/2019)

  9. Lifchitz R (2012) Hacking the nfc credit cards for fun and debit. In: Hackito Ergo Sum conference

  10. El Madhoun N, Bertin E, Pujolle G (2019) The EMV payment system: is it reliable?. In: The 3rd cyber security in networking international conference (CSNet). IEEE, pp 1–7

  11. Tubb G (2013) Contactless cards: App reveals security risk. https://news.sky.com/story/contactless-cards-app-reveals-security-risk-10443980, last connection (30/11/2019)

  12. Emms MJ (2016) Contactless payments: usability at the cost of security? Ph.D. Thesis, Newcastle University

  13. Al-Ofeishat HA, Mohammad A (2012) Near field communication (nfc). Int J Comput Sci Netw Secur 12(2):93–99

    Google Scholar 

  14. Dierks T (2008) The transport layer security (tls) protocol version 1.2

  15. El Madhoun N, Bertin E (2017) Magic always comes with a price: utility versus security for bank cards. In: The 1st cyber security in networking conference (CSNet). IEEE, pp 1–7

  16. El Madhoun N, Bertin E, Pujolle G (2018) An overview of the EMV protocol and its security vulnerabilities. In: The fourth international conference on mobile and secure services (MobiSecServ). IEEE, pp 1–5

  17. Murdoch SJ, Drimer S, Anderson R, Bond M (2010) Chip and pin is broken. In: IEEE symposium on security and privacy, pp 433–446

  18. Shrikrishna K, Kumar NN, Shyamasundar R (2018) Security analysis of EMV protocol and approaches for strengthening it. In: International conference on distributed computing and internet technology. Springer, Berlin, pp 69–85

  19. Emms M, Arief B, Freitas L, Hannon J, van Moorsel A (2014) Harvesting high value foreign currency transactions from emv contactless credit cards without the pin. In: Proceedings of ACM SIGSAC conference on computer and communications security, pp 716–726

  20. Coulier F, Hoornaert F, Mennes F (2014) Remote authentication and transaction signatures. Google Patents, US Patent 8,667,285

  21. Badra M, Badra RB (2016) A lightweight security protocol for nfc-based mobile payments. Elsevier, Procedia Comput Sci 83:705–711

    Article  Google Scholar 

  22. de Ruiter JEJ (2015) Lessons learned in the analysis of the emv and tls security protocols. Ph.D Thesis, Radboud University

  23. Thammarat C, Kurutach W, Phoomvuthisarn S (2017) A secure lightweight and fair exchange protocol for nfc mobile payment based on limited-use of session keys. In: 17th international symposium on, communications and information technologies (ISCIT). IEEE, Piscataway, pp 1–6

  24. Urien P, Piramuthu S (2013) Framework and authentication protocols for smartphone, nfc, and rfid in retail transactions. In: IEEE international conference on intelligent sensors, sensor networks and information processing, pp 77–82

  25. Ceipidor UB, Medaglia CM, Marino A, Sposato S, Moroni A (2012) Kernees: a protocol for mutual authentication between nfc phones and pos terminals for secure payment transactions. In: International ISC conference on information security and cryptology (ISCISC). IEEE, Piscataway, pp 115–120

  26. Al-Fayoumi M, Nashwan S (2018) Performance analysis of sap-nfc protocol. Int J Commun Netw Inf Secur (IJCNIS) 10(1):125–130

    Google Scholar 

  27. Abughazalah S, Markantonakis K, Mayes K (2014) Secure mobile payment on nfc-enabled mobile phones formally analysed using casperfdr 422–431

  28. Pourghomi P, Ghinea G et al (2013) A proposed nfc payment application. Int J Adv Comput Sci Appl 12:173–181

    Google Scholar 

  29. Lee Y-S, Kim E, Jung M-S (2013) A nfc based authentication method for defense of the man in the middle attack. In: Proceedings of the 3rd international conference on computer science and information technology, pp 10–14

  30. Al-Tamimi M, Al-Haj A (2017) Online security protocol for nfc mobile payment applications. In: 8th International conference on information technology (ICIT). IEEE, Piscataway, pp 827–832

  31. Kahya N, Ghoualmi N, Lafourcade P (2012) Formal analysis of pkm using scyther tool. In: International conference on information technology and e-services. IEEE, Piscataway, pp 1–6

  32. Cremers C, Lafourcade P (2007) Comparing state spaces in automatic protocol verification. In: International workshop on automated verification of critical systems (AVoCS)

  33. Cremers C, Mauw S (2012) Operational semantics and verification of security protocols, Springer, Berlin

  34. Cremers CJ (2008) The scyther tool: verification, falsification, and analysis of security protocols. In: International conference on computer aided verification. Springer, Berlin

  35. Blanchet B, et al. (2001) An efficient cryptographic protocol verifier based on prolog rules. csfw

  36. Armando A, Basin D, Boichut Y, Chevalier Y, Compagna L, Cuéllar J, Drielsma PH, Héam P-C, Kouchnarenko O, Mantovani J et al (2005) The avispa tool for the automated validation of internet security protocols and applications. In: International conference on computer aided verification. Springer, Berlin

  37. Zhang L, Ma M (2020) Secure and efficient scheme for fast initial link setup against key reinstallation attacks in IEEE 802.11 ah networks. International Journal of Communication Systems, Wiley Online Library

  38. Subramanian NV, Dehliger J (2006) Multi-protocol attack: a survey of current research

  39. Cremers CJF (2006) Scyther: semantics and verification of security protocols. Eindhoven University of Technology, Eindhoven

    Google Scholar 

  40. Ahamad SS, Pathan A-SK (2019) Trusted service manager (tsm) based privacy preserving and secure mobile commerce framework with formal verification. In: Complex adaptive systems modeling. Springer, Berlin

  41. Mansour I, Lafourcade P, Chalhoub G (2014) Mécanismes d’authentification pour des réseaux de capteurs sans fil multi-sauts

  42. Naoui S, Elhdhili ME, Saidane LA (2020) Novel enhanced Lorawan framework for smart home remote control security. In: Wireless personal communications. Springer, Berlin

  43. Amin R, Lohani P, Ekka M, Chourasia S, Vollala S (2020) An enhanced anonymity resilience security protocol for vehicular ad-hoc network with scyther simulation. In: Computers & electrical engineering. Elsevier, Amsterdam

  44. Huang J, Huang C-T (2016) Design and verification of secure mutual authentication protocols for mobile multihop relay wimax networks against rogue base/relay stations. J Electr Comput Eng Hindawi, vol. 2016:1–12

  45. Kotzanikolaou P (2016) Cryptographic protocol analysis—a short introduction to the scyther tool Presentation at FOSSCOMM 2016-University of Piraeus

  46. Mohammad Z (2020) Cryptanalysis and improvement of the yak protocol with formal security proof and security verification via scyther. International Journal of Communication Systems, Wiley

  47. Cremers C (2011) Key exchange in ipsec revisited: formal analysis of ikev1 and ikev2. In: European symposium on research in computer security. Springer, Berlin

  48. Cremers C, Horvat M (2014) Improving the iso/iec 11770 standard for key management techniques. In: International conference on research in security standardisation. Springer, Berlin

  49. Cremers C, Horvat M (2016) Improving the iso/iec 11770 standard for key management techniques. International Journal of Information Security. Springer

  50. Basin D, Cremers C (2011) Evaluation of iso/iec 9798 protocols: Version 2.0. ETH Zurich

  51. Basin D, Cremers C, Meier S (2013) Provably repairing the iso/iec 9798 standard for entity authentication 1. J Comput Secur 21(6):817–846

    Article  Google Scholar 

  52. Lu S, Zhao J, Cheng Q (2016) Cryptanalysis and improvement of an efficient authenticated key exchange protocol with tight security reduction. International Journal of Communication Systems, Wiley Online Library

  53. Cheng Q, Lu S, Ma J (2017) Analysis and improvement of the internet-draft ikev3 protocol. International Journal of Communication Systems, Wiley Online Library

  54. Kahya N, Ghoualmi N, Lafourcade P (2012) Secure key management protocol in wimax. International Journal of Network Security & Its Applications. Academy & Industry Research Collaboration Center (AIRCC)

  55. Yang H, Oleshchuk VA, Prinz A (2016) Verifying group authentication protocols by scyther. JoWUA

  56. Lavanya M, Natarajan V (2017) Lwdsa: light-weight digital signature algorithm for wireless sensor networks. Sādhanā. Springer

  57. Nikooghadam M, Amintoosi H (2020) An improved secure authentication and key agreement scheme for healthcare applications. In: 2020 25th International computer conference, computer society of Iran (CSICC). IEEE

  58. Binu S, Misbahuddin M, Paulose J (2020) A signature-based mutual authentication protocol for remote health monitoring. SN Computer Science. Springer, Berlin

    Google Scholar 

  59. Lowe G (1997) A hierarchy of authentication specifications. In: Proceedings 10th computer security foundations workshop. IEEE

Download references

Author information

Authors and Affiliations

  1. LISITE Laboratory, ISEP, 10 Rue de Vanves, 92130, Issy-les-Moulineaux, France

    Nour El Madhoun

  2. Orange Labs, 42 rue des Coutures BP 6243, 14066, Caen, France

    Emmanuel Bertin

  3. Zayed University, P.O. Box 19282, Dubai, United Arab Emirates

    Mohamad Badra

  4. Sorbonne Université - Sciences, CNRS, LIP6, 4 place Jussieu, 75005, Paris, France

    Guy Pujolle

Authors
  1. Nour El Madhoun
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Emmanuel Bertin
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mohamad Badra
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Guy Pujolle
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nour El Madhoun.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

El Madhoun, N., Bertin, E., Badra, M. et al. Towards more secure EMV purchase transactions. Ann. Telecommun. 76, 203–222 (2021). https://doi.org/10.1007/s12243-020-00784-1

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12243-020-00784-1

Keywords

Search

Navigation