Organisational Aspects and Anatomy of an Attack on NFC/HCE Mobile Payment Systems

Maurizio Cavallari, Luca Adami, Francesco Tornieri

2015

Abstract

Near Field Communication (NFC) and contactless applications are increasing at unprecedented rate and their value is being recognised by the financial industry (Ok et al., 2011). Attacks are also increasing and they can compromise the business value on NFC applications (Murdoch and Anderson, 2010, Trend Micro, 2015). The present paper analyse the anatomy of possible attacks, uncovering vulnerabilities and suggesting possible countermeasures. The value of the paper is found in the contribution to practical mitigation of risk in the mobile payment financial business, with respect to the technology side. Host Card Emulation (HCE) is a technology solution that permits the creation of a virtual representation of a smart card using only software components, effectively eliminating the need for Secure Element hardware in the device. NFC/HCE technologies has proved itself very vulnerable in a variety of aspects. The paper would go through specific vulnerabilities and vulnerable situation, like: a non-secure-device/cloud communication channel; access to data saved locally in wallet; reusability of token; use of fake POS; malware and fake application; specific vulnerabilities of “Tap & Pay”; device/cloud decoupling. Countermeasures that have been proved effective are offered to readers along with Organisational aspects to be taken into account.

References

  1. Aigner, M., Dominikus, S., Feldhofer, M., 2007, “A System of Secure Virtual Coupons Using NFC Technology”, Proceedings of the Fifth Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PerComW 7807), pp. 362-366.
  2. Atlassian Bitbucket, 2014, “Reverse engineering of contactless NFC-EMV payments”, <https://bitbucket.org/orbit-burg/nfcemv/wiki/Home>.
  3. Avison, D., Wood-Harper, T., 2003 “Bringing social and organisational issues into information systems development: the story of multiview”. Socio-technical and human cognition elements of information systems. IGI Publishing Hershey, PA (pp. 5-21).
  4. Benner, M.J., Tushman, M.L., 28 2003, “Exploitation, exploration, and process management: The productivity dilemma revisited”. Academy of Management Review.
  5. Burgelman, R.A., 47 2002, “Strategy as vector and the inertia of coevolutionary lock-in”. Administrative Science Quarterly.
  6. Cavallari, M., 2008, “Human computer interaction and systems security - an organisational appraisal”, in: De Marco M., Casalino, N. (eds.), Interdisciplinary Aspects of Information Systems Studies. p. 261-268, Springer, Heidelberg.
  7. Cavallari M., 2011, “Organisational Constraints on Information Systems Security”, in: Emerging Themes in Information Systems and Organization Studies, Carugati A., Rossignoli C. (Eds.), 193-207 pp., Springer Physica Verlag Heidelberg.
  8. Devendran, A., Bhuvaneswari, T., Krishnan, A.K., 05 2012, “Mobile Healthcare System using NFC Technology”, IJCSI, Vol. 9, Issue 3, No 3.
  9. Emms, M, Arief, B, Freitas, L, Hannon, J, van Moorsel, A, 12 2014, “Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN”, CCS 2014.
  10. Fiol, C.M., Lyles, M.A., 10 1985 “Organizational learning”. Academy of Management Review.
  11. Gupta, A.K., Smith, K.G., Shalley, C.E., 2006, “The interplay between exploration and exploitation”. Academy of Management Journal.
  12. Hagen, J.M., Albrechtsen, E. et al., 2008, “Implementation and effectiveness of organizational information security measures”. Information Management & Computer Security.
  13. Halgaonkar, P.S., Jain, S., Wadhai, V.M., 2013, “NFC: a Review of Technology, Tags, Applications and Security”, IJRCCT, 2013, Vol 2, No 10, 2013.
  14. Hancke, F., 11 2007, “Radio Frequency Identification, e & i (Elektrotechnik und Informationstechnik)”, Vol. 124, No. 11, pp 404-408, Springer, November 2007.
  15. Hancke, F., Mayes, K.E., Markantonakis, K., 10 2009, “An overview of relay attacks in the smart token environment that discusses attack implementations, implications and possible countermeasures”, Computers & Security, Vol. 28, Issue 7, pp 615-627, Elsevier.
  16. Hancke, F., Mayes, K., Mar 2013, “A Practical Generic Relay Attack on Contactless Transactions by Using NFC Mobile Phones” In: IJRFIDSC. 2, 1-4.
  17. Haselsteiner, E., Breitfuß, K., 2006,“Security in Near Field Communication (NFC) - Strengths and weaknesses”, Proceedings of Workshop on RFID Security (RFIDSec).
  18. He, Z.L., Wong, P.K., 15 2004, “Exploration vs. Exploitation: An empirical test of the ambidexterity hypothesis”. Organization Science.
  19. Honig, Z., 05 2013 “Samsung releases TecTiles 2 NFC tags for Galaxy S 4, available for $15 today”.
  20. ISO/IEC 14443-3:2011 A&B, <http://www.iso.org/iso/catalogue_detail.htm?csnumb er=50942>.
  21. ISO/IEC 7816-4:2013, <http://www.iso.org/iso/iso_catalogue/catalogue_tc/ca talogue_detail.htm?csnumber=54550>.
  22. Issovits, W., Hutter, M., 2011, “Weaknesses of the ISO/IEC 14443 Protocol Regarding Relay Attacks”, IEEE International Conference on RFID-Technologies and Applications.
  23. JIS-X 6319-4 http://www.proxmark.org/files/Documents/13.56%20 MHz%20-%20Felica/JIS.X.6319-4.Sony.Felica.pdf
  24. Juels, A., Syverson, P., Bailey, D., 2005, “High-power proxies for enhancing RFID privacy and utility”, G. Danezis and D. Martin, editors, in: “Privacy Enhancing Technologies (PET)”, 2005.
  25. Juels, A., Weis, S., 2005a, “Authenticating pervasive devices with human protocols”, Advances in Cryptology - CRYPTO, pages 293-308. SpringerVerlag, Lecture Notes in Computer Science, Volume 3621.
  26. Juels, A., Weis, S, 2005b, “Defining strong privacy for RFID”, Manuscript.
  27. Lee, E., 2012, DEFCON 20, “NFC Hacking: The Easy Way”, ref. NFC proxy, p. 20, http://korben.info/wpcontent/uploads/defcon/SpeakerPresentations/Lee/DE FCON-20-Lee-NFC-Hacking.pdf”.
  28. Levitt, B., March, J.G., 14 1988, “Organizational learning”. Annual Review of Sociology.
  29. Li, Y., Deng, R.H., Bertino, E., 2014, “RFID Security and Privacy”, Elisa Bertino and Ravi Sandhu (Eds.), in: Synthesis Lectures on Security, Privacy and Trust, Morgan & Claypool Publishers.
  30. Madlmayr, G., Langer, J., Kantner, C., Scharinger, J., 2008, “NFC Devices: Security and Privacy”, IEEE The Third International Conference on Availability, Reliability and Security, IEEE DOI 10.1109/ARES.2008.105.
  31. March, J.G., 1991, “Exploration and exploitation in organizational learning”. Organization Science.
  32. Marzo, F., Castelfranchi, C., 2013, “Trust as individual asset in a network: a cognitive analysis”. In: Spagnoletti, P. (ed.) Organization Change and Information Systems, LNISO vol. 2. Springer, Heidelberg.
  33. Mayes, K.E., Markantonakis, K., Hancke, F., 05 2009, “Elsevier Information Security Technical Report”, Vol.14, Issue 2, pp 87-95.
  34. McHugh, S., Yarmey, K., 08 2012, “Near Field Communication: Introduction and Implications”, Weinberg Memorial Library, University of Scranton , Scranton, Pennsylvania , USA
  35. Momani, M.H., Hudaib, A.AZ., 2014, “Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection”, IJCSS, Volume (8): Issue (4).
  36. Mulliner, C., 2009, “Vulnerability Analysis and Attacks on NFC-enabled Mobile Phones”, IEEE International Conference on Availability, Reliability and Security, IEEE DOI 10.1109/ARES.2009.46.
  37. Murdoch, S., Anderson R., 01 2010, “Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication”. Financial Cryptography and Data Security, pp. 42-45.
  38. Nai-Wai, L., Li, Y., 2012, “Radio Frequency Identification System Security”, Volume 8, Cryptology and Information Security, IOS Press.
  39. NFC Forum, 12 2013, “NFC and Contactless Technologies”, <http://nfc-forum.org/what-isnfc/about-the- technology>, 2013
  40. Ok, K., Aydin, M.N., Coskun, V., Ozdenizci, B., 2011, “Exploring Underlying Values of NFC Applications”, 3rd International Conference on Information and Financial Engineering IPEDR vol.12, IACSIT Press, Singapore.
  41. Ozdenizci, B., Aydin, M. N., Coskun, V., Ok, K., 2010, “NFC Research Framework: A Literature Review And FutureResearch Directions”, Proc. 14th IBIMA, Istanbul, Turkey, 2010, pp. 2672-2685.
  42. Patidar, P., Bhardwaj, A., 2011, “Network Security through SSL in Cloud Computing Environment”, IJCSIT, Vol. 2 (6) , 2011, pp. 2800-2803.
  43. Paya, C., 05 2014, “HCE vs embedded secure element: relay attacks (part V)”, Random Oracle, <https://randomoracle.wordpress.com/2014/05/01/hcevs-embedded-secure-element-relay-attacks-part-v/>, 2014.
  44. Pettigrew, A.M., 1987, “Context and action in the transformation of the firm”. Journal of Management Studies.
  45. Pettigrew, A.M., 2001, Woodman, R.W., Cameron, K.S. “Studying organizational change and development: Challenges for future research”. Academy of Management Journal.
  46. PCI DSS, 2006-2015, https://www.pcisecuritystandards.org/security_standar ds/
  47. Roland, M, Langer, J., Scharinger, J., 10 2012 “Practical Attack Scenarios on Secure Element-enabled Mobile Devices”, IEEE 4th International Workshop with Focus on Near Field Communication, 2012. IEEE DOI 10.1109/NFC.
  48. Slade, E., Williams, M., Dwivedi, Y., Piercy, N., 04 2014, “Exploring consumer adoption of proximity mobile payments”, JSM, Taylor & Francis, 2014.
  49. Smart Card Alliance, 10 2014, “Host Card Emulation (HCE) 101”.
  50. Smith-Strickland, K., 10 2013, “National Australia Bank Launches Funds Transfer Service Initiated by NFC Peer-to-Peer Mode”, NFC Times, Oct. 3rd, 2013.
  51. Spagnoletti P., Resca A., 2008, “The duality of Information Security Management: fighting against predictable and unpredictable threats”. JISS, Vol. 4 - Issue 3.
  52. Straub, D., Goodman, S., Baskerville, R., 2008, “Framing of Information Security Policies and Practices”. In Information Security Policies, Processes, and Practices. D. Straub, S. Goodman and R. Baskerville (eds.), Armonk, NY: M. E. Sharpe.
  53. Suman, S., 09 2013, “NFC: an overview”, IJARCSMS, Volume 1, Issue 4, September 2013.
  54. Trend Micro, 01 2015, “Masque, FakeID, and Other Notable Mobile Threats of 2H 2014”, http://aboutthreats.trendmicro.com/us/mobile/monthly-mobilereview/2013-08-mobile-banking-threats>.
  55. Van Damme, G., Wouters, K., Preneel,B., 2009, “Practical Experiences with NFC Security on mobile Phones” in Proceedings of the RFIDSec'09 on RFID Security, LNCS, Springer-Verlag, 13 pages, 2009.
  56. Van Dullink, W., Westein, P., 02 2013, “Remote relay attack on RFID access control systems using NFC enabled devices”, Report, University of Amsterdam, https://www.os3.nl/_media/2012- 2013/courses/rp1/p30_report.pdf.
  57. Verdult, R., Ois Kooman, F., 2011,“Practical attacks on NFC enabled cell phones”, IEEE Third International Workshop on Near Field Communication, DOI 10.1109/NFC.2011.16
  58. Worstall, T., 10 2012 , “Google Wallet's Security Hole”, Forbes, <http://www.forbes.com/sites/timworstall/2012/02/10/ google-wallets-security-hole/>.
  59. Za, S., Marzo, F., De Marco, M, Cavallari, M., 2015, “Agent Based Simulation of Trust Dynamics in Dependence Networks”, in: Exploring Services Science, LNBIP, Volume 201, Henriqueta Nóvoa and Monica Dragoicea (eds.), Springer.
Download


Paper Citation


in Harvard Style

Cavallari M., Adami L. and Tornieri F. (2015). Organisational Aspects and Anatomy of an Attack on NFC/HCE Mobile Payment Systems . In Proceedings of the 17th International Conference on Enterprise Information Systems - Volume 2: WOSIS, (ICEIS 2015) ISBN 978-989-758-097-0, pages 685-700. DOI: 10.5220/0005477506850700


in Bibtex Style

@conference{wosis15,
author={Maurizio Cavallari and Luca Adami and Francesco Tornieri},
title={Organisational Aspects and Anatomy of an Attack on NFC/HCE Mobile Payment Systems},
booktitle={Proceedings of the 17th International Conference on Enterprise Information Systems - Volume 2: WOSIS, (ICEIS 2015)},
year={2015},
pages={685-700},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005477506850700},
isbn={978-989-758-097-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 17th International Conference on Enterprise Information Systems - Volume 2: WOSIS, (ICEIS 2015)
TI - Organisational Aspects and Anatomy of an Attack on NFC/HCE Mobile Payment Systems
SN - 978-989-758-097-0
AU - Cavallari M.
AU - Adami L.
AU - Tornieri F.
PY - 2015
SP - 685
EP - 700
DO - 10.5220/0005477506850700