Tap-Tap and Pay (TTP): Preventing Man-In-The-Middle Attacks in NFC Payment Using Mobile Sensors

The reader-and-ghost attack is a real concern in mobile NFC payment applications. A malicious reader relays the user's NFC-enabled mobile phone to a remote legitimate reader to charge for a higher amount than what the user expects to pay. Using an NFC shield cannot prevent the attack, since the user consciously instantiates the NFC payment, though without realizing that the reader is controlled by an attacker. Recent solutions generally involve using ambient sensors to measure the ambient properties of the surrounding environment to ensure that the NFC-enabled phone and the reader are at nearby locations. Unfortunately, all these solutions fail completely once the attacker's reader and the legitimate reader are located in the same or similar physical environment. In this paper, we propose the first and currently the only viable technical solution to defeat the reader-and-ghost attack even when the attacker' reader and the legitimate one are located in the same physical environment. Our solution is called "Tap-Tap and Pay" (TTP). It works by asking the user to physically tap the reader twice in succession to initiate an NFC payment. The physical tapping causes random but correlated vibrations at both devices, which are hard to forge (or reproduce) and can be reliably measured by accelerometers. Accordingly, we design the TTP protocol such that the NFC transaction will proceed only if the two vibration signals are found sufficiently similar. As compared with previous solutions, ours is fast, simple to use, easy to deploy, and above all, prevents attacks even if the attacker's reader and the legitimate one are located in the same environment. © 2014 Newcastle University. Printed and published by Newcastle University, Computing Science, Claremont Tower, Claremont Road, Newcastle upon Tyne, NE1 7RU, England. Bibliographical details MEHRNEZHAD, M., HAO, F., SHAHANDASHTI, S.F. Tap-Tap and Pay (TTP): Preventing Man-In-The-Middle Attacks in NFC Payment Using Mobile Sensors [By] M. Mehrnezhad, F. Hao and S. F. Shahandashti Newcastle upon Tyne: Newcastle University: Computing Science, 2014. (Newcastle University, Computing Science, Technical Report Series, No. CS-TR-1428)