Risks of Offline Verify PIN on Contactless Cards
Authors
Abstract
Contactless card payments are being introduced around the world, allowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Contactless transactions do not require verification of the cardholder’s PIN. However, our research has found that the redundant verify PIN functionality is present on the most commonly issued contactless credit and debit cards currently in circulation in the UK. This paper presents a plausible attack scenario which exploits contactless verify PIN to give unlimited attempts to guess the cardholder’s PIN without their knowledge. It also gives experimental data to demonstrate the practical viability of the attack, as well as references to support our argument that contactless verify PIN is redundant functionality which compromises the security of payment cards and the cardholder.
Similar resources
COMPUTING SCIENCE Risks of Offline Verify PIN on Contactless Cards
Contactless card payments are being introduced around the world allowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Contactless transactions do not require verification of the cardholder’s PIN. However our research has found the redundant verify PIN functionality is present on the most commonly issued contactless credit and deb...
Harvesting High Value Foreign Currency Transactions from EMV Contactless Cards Without the PIN
In this paper we present an attack which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder's PIN when the transaction is carried out in a fore...
All You Can Eat
We investigated a real-world contactless payment application based on mifare Classic cards. In order to analyze the security of the payment system, we combined previous cryptanalytical results and implemented an improved card-only attack with customized low-cost tools, that is to our knowledge the most efficient practical attack to date. We found several flaws implying severe security vulnerabi...
Security Enhanced EMV-Based Mobile Payment Protocol
Near field communication has enabled customers to put their credit cards into a smartphone and use the phone for credit card transaction. But EMV contactless payment allows unauthorized readers to access credit cards. Besides, in offline transaction, a merchant's reader cannot verify whether a card has been revoked. Therefore, we propose an EMV-compatible payment protocol to mitigate the transa...
"On-Card" User Authentication for Contactless Smart Cards based on Gesture Recognition
Smart cards are widely used for security purposes. To protect smart cards against misuse an authentication process (e.g. entering a pin or password) is necessary. Due to missing input interfaces “on-card”, an external terminal is required to input the password. Unfortunately the required external hardware (e.g. keypads, etc.) opens up new security issues by being vulnerable against attacks like...