Short Paper: Making Contactless EMV Robust Against Rogue Readers Colluding with Relay Attackers

Tom Chothia, Ioana Boureanu*, Liqun Chen

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution

1 Citation (Scopus)

Abstract

It is possible to relay signals between a contactless EMV card and a shop’s EMV reader and so make a fraudulent payment without the card-owner’s knowledge. Existing countermeasures rely on proximity checking: the reader will measure round trip times in message-exchanges, and will reject replies that take longer than expected (which suggests they have been relayed). However, it is the reader that would receive the illicit payment from any relayed transaction, so a rogue reader has little incentive to enforce the required checks. Furthermore, cases of malware targeting point-of-sales systems are common. We propose three novel proximity-checking protocols that use a trusted platform module (TPM) to ensure that the reader performs the time-measurements correctly. After running one of our proposed protocols, the bank can be sure that the card and reader were in close proximity, even if the reader tries to subvert the protocol. Our first protocol makes changes to the cards and readers, our second modifies the readers and the banking backend, and our third allows the detection of relay attacks, after they have happened, with only changes to the readers.

Original language: English
Title of host publication: Financial Cryptography and Data Security
Subtitle of host publication: 23rd International Conference, FC 2019, Revised Selected Papers
Editors: Ian Goldberg, Tyler Moore
Publisher: Springer
Pages: 222-233
Number of pages: 12
ISBN (Electronic): 9783030321017
ISBN (Print): 9783030321000
Publication status: Published - 30 Sept 2019
Event: 23rd International Conference on Financial Cryptography and Data Security, FC 2019 - St. Kitts, Saint Kitts and Nevis
Duration: 18 Feb 2019 to 22 Feb 2019

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 11598
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 23rd International Conference on Financial Cryptography and Data Security, FC 2019
Country/Territory: Saint Kitts and Nevis
City: St. Kitts
Period: 18/02/19 to 22/02/19

Bibliographical note

Funding Information:
Acknowledgments. The authors acknowledge the support of the NCSC-funded “TimeTrust” project. The authors also thank all anonymous reviewers, as well as Urs Hengartner for helpful comments. Also, Ioana Boureanu thanks Anda Anda for interesting discussions on this topic.

Publisher Copyright:
© 2019, International Financial Cryptography Association.

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science
