NFC: A Convenient Mobile Payment Platform, or Fraudsters’ Playground?
Nitesh Saxena
Computer and Information Sciences
University of Alabama at Birmingham
Security and Privacy In Emerging Systems (SPIES) group: http://spies.cis.uab.edu
Center for Information Assurance and Joint Forensics Research (CIA|JFR): http://thecenter.uab.edu/
Outline
Background: What NFC is
NFC Applications: What all one could do with it
NFC Attacks/Fraud: What all can go wrong
NFC Defenses: How things could be fixed
RFID System Overview
[Figure: the Reader sends a reading signal to the Tag; the Tag replies with its ID; the Reader looks the ID up in a back-end database]
An RFID system usually consists of RFID tags, readers, and a back-end server. Tags are miniaturized wireless radio devices that store information about their corresponding subject, such as a unique identification number. Readers broadcast queries to tags within their radio transmission range for the information contained in the tags, and the tags reply with that information.
(Some) RFID Applications
Near Field Communication (NFC)
NFC technology enables smart phones to have RFID tag and RFID reader functionality
Phones can be used as payment tokens
Next generation of payment system; for example, the Google Wallet app uses this function
Already deployed in many places
Just like RFID, it uses wireless radio communication
NFC Applications: What all one could do with it
Google Wallet, ISIS
Google Wallet Vision
NFC Applications
Patient ID
Mobile Ticket Purchase – Austrian Federal Railways
NFC Applications
NFC Tags Sharing
Other Applications
Interactive Experience: NFC at Museum of London
Posters / Replacement to QR Codes
Productivity (Phone Use Cases): Automatic Pairing with Bluetooth, Connect to Wifi, Make a Call/Text to a number, Change settings automatically, Check ins / Locations / Other social activity, Open Apps
SleepTrak (health monitoring)
…MANY MANY more
NFC Attacks/Fraud: What all can go wrong
The RFID Privacy Problem
Good tags, Bad readers
[Figure: a bad reader scans the tags a person carries and learns: 500 Euros in wallet (serial numbers 597387, 389473, …); wig model #4456 (cheap polyester); 30 items of lingerie; Das Kapital and Communist-party handbook; Viagra, medical drug #459382]
NFC Privacy Problem
Should you worry? NFC is near field (one has to tap to read!)
Yes, unfortunately: researchers have shown that it is possible to eavesdrop NFC signals from a distance larger than its typical communication range [Kortvedt-Mjølsnes; 2009]
The NFC Privacy Problem
Good tags, Bad readers
UAB Office Building Access Card
Chase Bank ATM Card
Doctor’s Prescription
Porn Movie Ticket
US Bank Credit Card
The RFID Cloning Problem
Good readers, Bad tags
[Figure: the same set of tagged items (500 Euros in wallet with serial numbers 597387, 389473, …; wig model #4456, cheap polyester; 30 items of lingerie; Das Kapital and Communist-party handbook; Viagra, medical drug #459382) presented to a good reader by counterfeit tags: Counterfeit!!]
The NFC Cloning Problem
Good readers, Bad tags
UAB Office Building Access Card
Chase Bank ATM Card
Doctor’s Prescription
Porn Movie Ticket
US Bank Credit Card
Relay Attack I: Ghost-and-Leech
[Figure: the reader’s query is relayed hop by hop through the Ghost and the Leech to the victim’s tag, and the tag’s response is relayed back along the same path]
Relay Attack II: Ghost-and-Reader
[Figure: Malicious Reader, Ghost, Authentic Reader, Server]
Variant of a Man-in-the-Middle attack [Drimer et al., 2007]; demonstrated live on Chip-and-PIN cards
Reader and Ghost Relay Attack
Fake reader relays information from the legitimate NFC tag to the “Ghost” (a fake tag)
“Ghost” relays the received information to a corresponding legitimate reader
Happens simultaneously while the user performs a transaction with the legitimate NFC tag, but for a higher amount
Impersonates a legitimate NFC tag without actually possessing the device, while at a different physical location
NFC Malware Problem
YouTube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic
NFC Defenses: How things could be fixed
The NFC Privacy Problem
The NFC Cloning Problem
Relay Attack I: Ghost-and-Leech
Selective Unlocking
Promiscuous reading is to blame
Currently, NFC supports selective unlocking via PIN/passwords
Works in practice, but passwords are known to have problems, especially in terms of usability
Our approach – gesture-enabled unlocking
Relay Attack II: Ghost-and-Reader
Authentication is not Enough
Alice’s device must authenticate the whole transaction
So Alice’s phone knows that the reader charges $250, but Alice doesn’t: the big screen on the malicious reader says $5
Even if the phone displays the correct amount, Alice may not look at it, or may make a mistake due to rushing
Our Approach: Proximity Detection
A second line of defense, rather than relying upon the user
Verify that phone and reader are in the same location: each device measures local data with a sensor
We use ambient audio
Send authenticated data to the server
Server checks that the data is the same in both measurements, or at least similar enough, and then approves the transaction
Advantages of our Approach
Does not require explicit user action
Does not change the traditional NFC usage model
Extremely difficult for an attacker to change environmental attributes
Geographical location is not sent to the server, so users’ location privacy is protected (unlike the use of GPS coordinates)
Compatible with current payment infrastructure
Implementation and Evaluation
Sensor data collected by two devices in close proximity
Capture audio from the cell phone’s built-in microphone (two Nokia N97 phones)
Recorded 20 consecutive segments from two sensors simultaneously at different pairs of locations
At 5 different locations
Detection Techniques
Techniques based on time, frequency, or both
In both domains tested: Euclidean distance between signals; Correlation between signals
Combined method: frequency distance and time-correlation
Best results achieved for the combined time-frequency based method
Time-Frequency Distance Technique
Our new Time-Frequency-based technique, calculating the distance between two signals:
Calculate the Euclidean distance between frequency feature vectors
Calculate the time-based correlation between signals; distance defined as DC = 1 - Correlation
Both distances combined for classification, as a 2-D point in space
Test Results
Time-Frequency distance measure:
Numbers are the distance measure squared
Detection Techniques
Used a simple classifier to detect samples taken at the same locations: Simple-Logistic classifier from Weka
10-fold classification: data divided into 10 groups, 9 used for training, one for testing
Input to the classifier: Time-Frequency distance measure squared
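The proximity check from the Proximity Detection slide and the time-frequency distance measure from the slides above, worked through as an added example written for this page (it is not code from the deck or from the Halevi et al. paper). It constructs two synthetic "ambient audio" environments from sinusoids, computes the 2-D point (D_F, D_C) with D_F the Euclidean distance between unit-normalised magnitude spectra and D_C = 1 - Pearson correlation, and feeds the squared distance to the server's decision. The server accepts a device's report only after verifying an HMAC-SHA256 tag under a per-device key, and it stands in for the Weka Simple-Logistic classifier with a fixed threshold. The wire format, the key table, the noise model, the segment length and the threshold value are all assumptions of this example.

```python
import hashlib
import hmac
import math
import random

N = 64  # samples per audio segment (toy size; real segments are much longer)

# Constructed "ambient audio": two different sound environments built from
# sinusoids so the example runs offline with no microphone.
SOURCE_A = [math.sin(2 * math.pi * 3 * t / N) + 0.5 * math.sin(2 * math.pi * 11 * t / N)
            for t in range(N)]
SOURCE_B = [math.sin(2 * math.pi * 7 * t / N) + 0.8 * math.cos(2 * math.pi * 2 * t / N)
            for t in range(N)]


def record(source, rng):
    """Simulate one device's microphone: the ambient sound plus its own noise (assumed model)."""
    return [s + 0.3 * (rng.random() - 0.5) for s in source]


def freq_features(x):
    """Unit-length magnitude spectrum (plain DFT, first N/2 bins) = frequency feature vector."""
    n = len(x)
    mags = []
    for k in range(n // 2):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        mags.append(math.hypot(re, im))
    norm = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / norm for m in mags]


def correlation(x, y):
    """Pearson correlation of two equal-length time-domain signals."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((p - mx) * (q - my) for p, q in zip(x, y))
    sx = math.sqrt(sum((p - mx) ** 2 for p in x))
    sy = math.sqrt(sum((q - my) ** 2 for q in y))
    return cov / (sx * sy) if sx and sy else 0.0


def tf_distance(x, y):
    """The deck's 2-D point (D_F, D_C): Euclidean distance between frequency
    feature vectors, and D_C = 1 - time-domain correlation."""
    fx, fy = freq_features(x), freq_features(y)
    d_f = math.sqrt(sum((p - q) ** 2 for p, q in zip(fx, fy)))
    d_c = 1.0 - correlation(x, y)
    return d_f, d_c


def tf_distance_sq(x, y):
    """Squared length of the (D_F, D_C) point: the single number given to the classifier."""
    d_f, d_c = tf_distance(x, y)
    return d_f ** 2 + d_c ** 2


# --- authenticated reporting to the server (hypothetical wire format and keys) ---
KEYS = {"phone-01": b"constructed-phone-key", "reader-07": b"constructed-reader-key"}


def sign_report(device_id, samples):
    """Device sends 'device_id|s0,s1,...' plus an HMAC-SHA256 tag under its shared key."""
    msg = device_id.encode() + b"|" + ",".join(f"{s:.4f}" for s in samples).encode()
    return msg, hmac.new(KEYS[device_id], msg, hashlib.sha256).hexdigest()


def open_report(report):
    """Server side: verify the HMAC before trusting the samples; None if verification fails."""
    msg, tag = report
    device_id = msg.split(b"|", 1)[0].decode()
    key = KEYS.get(device_id)
    if key is None or not hmac.compare_digest(
            hmac.new(key, msg, hashlib.sha256).hexdigest(), tag):
        return None
    return [float(v) for v in msg.split(b"|", 1)[1].decode().split(",")]


THRESHOLD = 0.5  # assumed decision boundary on the squared distance for this toy data


def server_decide(phone_report, reader_report):
    """Approve only if both reports authenticate and the two recordings are similar enough."""
    px, rx = open_report(phone_report), open_report(reader_report)
    if px is None or rx is None:
        return "reject: bad authentication", None
    d2 = tf_distance_sq(px, rx)
    return ("approve" if d2 < THRESHOLD else "reject: not co-located"), d2


def demo():
    """Three constructed scenarios: honest tap, reader-and-ghost relay, report altered in transit."""
    rng = random.Random(1)
    phone = sign_report("phone-01", record(SOURCE_A, rng))
    reader_same_place = sign_report("reader-07", record(SOURCE_A, rng))
    reader_elsewhere = sign_report("reader-07", record(SOURCE_B, rng))  # legitimate reader is far away
    msg, tag = reader_same_place
    tampered = (msg[:-1] + bytes([msg[-1] ^ 1]), tag)  # one digit of a sample changed, tag unchanged
    return {
        "honest": server_decide(phone, reader_same_place),
        "relayed": server_decide(phone, reader_elsewhere),
        "tampered": server_decide(phone, tampered),
    }


if __name__ == "__main__":
    for name, (decision, d2) in demo().items():
        print(f"{name:9s} {decision:27s} d^2={d2}")
```

Run as a script to see the three decisions: the honest transaction (phone and reader hear the same sound) is approved, the reader-and-ghost case (the legitimate reader is elsewhere, so the two recordings differ in both spectrum and correlation) is rejected on distance, and a report altered in transit is rejected before any audio is compared. A deployment would learn the threshold from labelled recordings, as the deck does with 10-fold cross-validation, and would bind each report to its transaction (a nonce or transaction id inside the signed message) so that a captured report cannot be replayed against a later payment.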
Results
Our tests showed perfect classification: False Accept Rate = 0% and False Reject Rate = 0%
High level of security and usability
Conclusions from Proximity Detection
Designed a defense for the Reader-and-Ghost attack
Promising defense: without changes to the traditional RFID usage model, without location privacy leakage, and also applicable to sensor-equipped RFID cards
Audio is a stronger signal compared to light
More experiments are planned in the future
Paper: ESORICS [Halevi et al.; 2012]
Media coverage: Bloomberg, ZDNet, NFCNews, UAB News, etc.
NFC Malware Problem
Malware Protection via Gestures
Malware actions are software-generated; legitimate actions, on the other hand, are human-generated
Human gestures will tell the OS whether an access request is benign or malicious
Luckily, for NFC, a gesture that can work is “tapping”
An explicit gesture could also be employed
Tap-Wave-Rub (TWR) Gestures
Phone Tapping: accelerometer
Waving/Rubbing/Tapping: proximity sensor
Waving: light sensor
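A gesture-gated access check of the kind the Malware Protection and TWR slides describe, as an added example written for this page (it is not the TWR prototype's code): an OS-side gate grants an app's NFC access request only if the accelerometer has registered a tap on the phone body within a short window, and it consumes the tap so that a second, software-generated request cannot ride on the same human gesture. The threshold, the window length, the one-tap-per-request rule and the accelerometer trace are constructed assumptions of this example.

```python
import math

TAP_THRESHOLD_G = 1.8   # assumed: acceleration magnitude (g) that counts as a tap on the phone body
TAP_WINDOW_MS = 1500    # assumed: a request is human-initiated only if a tap is this recent


def magnitude(xyz):
    """Vector length of one accelerometer sample (x, y, z) in g."""
    return math.sqrt(sum(v * v for v in xyz))


class TapGate:
    """Hypothetical OS-side gate: NFC access is granted only if a tap gesture was
    seen recently, and each tap authorises at most one request."""

    def __init__(self):
        self.last_tap_ms = None   # time of the most recent unused tap
        self.above = False        # currently inside a spike?

    def feed(self, t_ms, xyz):
        """Consume one accelerometer sample; register a tap on the rising edge of a spike."""
        spike = magnitude(xyz) > TAP_THRESHOLD_G
        if spike and not self.above:
            self.last_tap_ms = t_ms
        self.above = spike

    def request_nfc(self, t_ms):
        """Grant (True) only if a fresh, unused tap exists; the tap is consumed on grant."""
        if self.last_tap_ms is None or t_ms - self.last_tap_ms > TAP_WINDOW_MS:
            return False
        self.last_tap_ms = None
        return True


def simulate():
    """Constructed 8-second trace sampled every 20 ms: phone at rest (~1 g on z)
    with taps at 3.0 s and 6.0 s. Returns (time, description, decision) per request."""
    gate = TapGate()
    requests = {
        2000: "software-only request, no tap yet",
        3100: "request 100 ms after the user's first tap",
        3160: "second request riding on the same tap",
        7900: "request 1.9 s after the second tap (window expired)",
    }
    decisions = []
    for t in range(0, 8000, 20):
        tapping = 3000 <= t < 3060 or 6000 <= t < 6060
        xyz = (0.3, 0.1, 2.6) if tapping else (0.02, -0.01, 1.0)
        gate.feed(t, xyz)
        if t in requests:
            decisions.append((t, requests[t], gate.request_nfc(t)))
    return decisions


if __name__ == "__main__":
    for t, what, granted in simulate():
        print(f"t={t:5d} ms  {'GRANT' if granted else 'DENY ':5s}  {what}")
```

Only the request that follows a fresh tap is granted; the request with no gesture behind it, the second request on an already-used tap, and the request made after the window has expired are all denied. In practice the same gate can sit in front of any sensitive service the Conclusions from TWR slide lists (SMS, phone call, camera), with the proximity or light sensor substituted for the accelerometer where a wave or rub gesture is used instead of a tap.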
TWR Enhanced Android Permissions
Initial Results
Phone Tapping (accelerometer)
Tap/wave/rub (proximity sensor)
Conclusions from TWR
Initial results are promising
The approach is applicable for protecting any other critical mobile device service: SMS, phone call, camera access, etc.
TWR gestures are also ideal for selective unlocking
Take Away from the Talk
NFC is a promising new platform with immense possibilities
However, a full deployment requires careful assessment of security vulnerabilities and potential fraudulent activities
Many vulnerabilities similar to RFID, except malware – a burgeoning threat to NFC
Other attacks possible – such as phishing via a malicious NFC tag
Security solutions need to be developed and integrated with NFC from scratch; research shows promise
The phone is almost a computer, so a lot could be done (unlike RFID)
User convenience or usability is an important design metric when developing security solutions
Acknowledgments
Students – the SPIES: Jaret Langston, Babins Shrestha, Tzipora Halevi, Jonathan Voris, Sai Teja Peddinti, Justin Lin, Borhan Uddin, Ambarish Karole, Arun Kumar, Ramnath Prasad, Alexander Gallego
Other Collaborators
More info: http://spies.cis.uab.edu and http://spies.cis.uab.edu/research/rfid-security-and-privacy/
Thanks!