Researchers at Newcastle University in the UK have come up with a surprising way of attacking contactless payments.
Their paper is ominously entitled Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN.
[***]
It will be presented on Wednesday 05 November 2014 at the 21st ACM Conference on Computer and Communications Security in Scottsdale, Arizona.
Very greatly simplified, it's a special sort of Man in the Middle (MitM) attack that could, at least in theory, be used to trick the owners of contactless payment cards into spending enormous sums of money without realising it.
Paying without touching
Contactless bank payments usually rely on Near Field Communication (NFC) – the same sort of electronics used in public transport cards such as London's Oyster or Sydney's Opal.
These let you authorise payments simply by waving your card near a suitable payment terminal.
As you pass your card through an electromagnetic field generated by the terminal, a coiled-up antenna buried in your payment card produces a tiny electrical current.
[***]
That's enough to wake up the card's chip, which then reads in some data wirelessly, performs various cryptographic calculations on it, and sends back a reply.
The antenna functions as an electrical generator coil to start with, and then as a regular antenna for the rest of the process, which typically takes a fraction of a second.
→ Typically, you have to get your card very close indeed, perhaps even tapping your card onto the terminal, but you don't have to slide or insert the card into any sort of slot. The data is received, processed and transmitted without any physical circuit between the card and the terminal.
In theory, then, a crook could work the payment the other way around, by waving a suitably rigged payment terminal near your card, telling your card it wanted to buy a Caffè Americano, getting it to approve the transaction, and pocketing the cash.
This works because, for small-value transactions, the card and the terminal agree that they won't ask for your PIN.
The bank, the merchant and the cardholder (that's you) effectively have a arrangement to forgo the second factor of authentication (i.e. typing in your PIN) when the amount you're spending is below £20.
Managing the risks
In marketing jargon, the transaction is made frictionless for your convenience, with the risks kept in check because:
The "Near" in NFC limits the range at which your card will work.
The maximum value of any PINless transaction is deliberately kept low.
The idea is that the risk/reward odds for a crook with a portable "transaction harvesting" terminal should be stacked against him.
He'd have to risk bumping noticeably up against your pocket, or dipping his terminal right into your bag next to your wallet, with a maximum return on his risk of £20 each time.
Two tricky problems
However, at least in the case of VISA contactless payments, the Novocastrian researchers found two problems.
Firstly, the "must enter PIN for more than £20" restriction may be ignored by your card if the transaction is requested in a foreign currency.
Secondly, an additional safeguard prohibiting offline transactions for more than £100 may be ignored, too.
(In offline transactions, your card tells the terminal it is willing to spend the requested sum, and commits to the transaction without involving the bank; the terminal can submit the transaction for processing by the bank later on.)
In fact, the authors found, in some cases, that the limit on offline, PINless VISA transactions in foreign currencies isn't limited to any equivalent value in your local currency.
It's limited to eight digits' worth of that currency, presumably to accomodate currencies where large numbers are needed to represent even a modest value.
Suddenly, the risk/reward is tipped in the favour of the crook.
In you're in the UK, for example, he could ask your card to agree to pay up a whopping US$999,999.99, without having to go online and without you needing to enter your PIN.
That's a million bucks, less a penny, no PIN required!
[***]
Later on, when the crook is safely clear of the area where he clocked up the fake purchases, he can connect to his accomplices and send them his fraudulent transaction agreements; they can then process those payments, unrestricted by the limits that would have applied if you had bought something in your own currency.
Only then will you receive any transaction notifications from your bank, for example via SMS.
Perhaps
As the researchers note, any crook attempting this sort of attack would be unlikely to try to hit that million-dollar jackpot.
That would most likely set alarm bells ringing.
But he could stretch the potential payout for each offline, PINless transaction from £20 to a few hundred pounds, "high enough to make each attack worthwhile," as the authors put it.
One thing we don't know is whether this vulnerability (collecting up transaction authorisations well above the usual maximum) can actually be exploited when the time comes to cash out.
[***]
"For obvious reasons," the authors drily point out, "we were not willing or able to check against a real bank."
This problem still needs attention, though: if £20 and £100 are considered suitable risk-related limits on PINless and offline transactions respectively, those limits should apply at all times.
If your card can't reliably work out whether 999,999.99 Vietnamese Dong is worth more or less than 20 British Pounds right now, it should fail safe by assuming that it is worth more, and behave accordingly.
What to do?
Quick fixes for VISA are obvious, and are suggested by the authors in their paper:
Always require a PIN for foreign currencies.
Always require online transaction verification for foreign currencies.
And if you're worried about this issue, you could try these workarounds:
If you don't travel overseas regularly, ask your bank if it offers an option to prevent transactions in foreign currencies.
Keep your card in a wallet or cover that blocks electromagnetic radiation so it has to be taken out to be used.
Do your low value payments with cash, so you don't need contactless transactions enabled on your card at all.
Their paper is ominously entitled Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN.
[***]
It will be presented on Wednesday 05 November 2014 at the 21st ACM Conference on Computer and Communications Security in Scottsdale, Arizona.
Very greatly simplified, it's a special sort of Man in the Middle (MitM) attack that could, at least in theory, be used to trick the owners of contactless payment cards into spending enormous sums of money without realising it.
Paying without touching
Contactless bank payments usually rely on Near Field Communication (NFC) – the same sort of electronics used in public transport cards such as London's Oyster or Sydney's Opal.
These let you authorise payments simply by waving your card near a suitable payment terminal.
As you pass your card through an electromagnetic field generated by the terminal, a coiled-up antenna buried in your payment card produces a tiny electrical current.
[***]
That's enough to wake up the card's chip, which then reads in some data wirelessly, performs various cryptographic calculations on it, and sends back a reply.
The antenna functions as an electrical generator coil to start with, and then as a regular antenna for the rest of the process, which typically takes a fraction of a second.
→ Typically, you have to get your card very close indeed, perhaps even tapping your card onto the terminal, but you don't have to slide or insert the card into any sort of slot. The data is received, processed and transmitted without any physical circuit between the card and the terminal.
In theory, then, a crook could work the payment the other way around, by waving a suitably rigged payment terminal near your card, telling your card it wanted to buy a Caffè Americano, getting it to approve the transaction, and pocketing the cash.
This works because, for small-value transactions, the card and the terminal agree that they won't ask for your PIN.
The bank, the merchant and the cardholder (that's you) effectively have a arrangement to forgo the second factor of authentication (i.e. typing in your PIN) when the amount you're spending is below £20.
Managing the risks
In marketing jargon, the transaction is made frictionless for your convenience, with the risks kept in check because:
The "Near" in NFC limits the range at which your card will work.
The maximum value of any PINless transaction is deliberately kept low.
The idea is that the risk/reward odds for a crook with a portable "transaction harvesting" terminal should be stacked against him.
He'd have to risk bumping noticeably up against your pocket, or dipping his terminal right into your bag next to your wallet, with a maximum return on his risk of £20 each time.
Two tricky problems
However, at least in the case of VISA contactless payments, the Novocastrian researchers found two problems.
Firstly, the "must enter PIN for more than £20" restriction may be ignored by your card if the transaction is requested in a foreign currency.
Secondly, an additional safeguard prohibiting offline transactions for more than £100 may be ignored, too.
(In offline transactions, your card tells the terminal it is willing to spend the requested sum, and commits to the transaction without involving the bank; the terminal can submit the transaction for processing by the bank later on.)
In fact, the authors found, in some cases, that the limit on offline, PINless VISA transactions in foreign currencies isn't limited to any equivalent value in your local currency.
It's limited to eight digits' worth of that currency, presumably to accomodate currencies where large numbers are needed to represent even a modest value.
Suddenly, the risk/reward is tipped in the favour of the crook.
In you're in the UK, for example, he could ask your card to agree to pay up a whopping US$999,999.99, without having to go online and without you needing to enter your PIN.
That's a million bucks, less a penny, no PIN required!
[***]
Later on, when the crook is safely clear of the area where he clocked up the fake purchases, he can connect to his accomplices and send them his fraudulent transaction agreements; they can then process those payments, unrestricted by the limits that would have applied if you had bought something in your own currency.
Only then will you receive any transaction notifications from your bank, for example via SMS.
Perhaps
As the researchers note, any crook attempting this sort of attack would be unlikely to try to hit that million-dollar jackpot.
That would most likely set alarm bells ringing.
But he could stretch the potential payout for each offline, PINless transaction from £20 to a few hundred pounds, "high enough to make each attack worthwhile," as the authors put it.
One thing we don't know is whether this vulnerability (collecting up transaction authorisations well above the usual maximum) can actually be exploited when the time comes to cash out.
[***]
"For obvious reasons," the authors drily point out, "we were not willing or able to check against a real bank."
This problem still needs attention, though: if £20 and £100 are considered suitable risk-related limits on PINless and offline transactions respectively, those limits should apply at all times.
If your card can't reliably work out whether 999,999.99 Vietnamese Dong is worth more or less than 20 British Pounds right now, it should fail safe by assuming that it is worth more, and behave accordingly.
What to do?
Quick fixes for VISA are obvious, and are suggested by the authors in their paper:
Always require a PIN for foreign currencies.
Always require online transaction verification for foreign currencies.
And if you're worried about this issue, you could try these workarounds:
If you don't travel overseas regularly, ask your bank if it offers an option to prevent transactions in foreign currencies.
Keep your card in a wallet or cover that blocks electromagnetic radiation so it has to be taken out to be used.
Do your low value payments with cash, so you don't need contactless transactions enabled on your card at all.