NFC: A Convenient Mobile Payment Platform, or Fraudsters’ Playground?

Nitesh Saxena
Computer and Information Sciences
University of Alabama at Birmingham
Security and Privacy In Emerging Systems (SPIES) group
http://spies.cis.uab.edu
Center for Information Assurance and Joint Forensics Research (CIA|JFR)
http://thecenter.uab.edu/

Outline
  Background
    What NFC is
  NFC Applications
    What all one could do with it
  NFC Attacks/Fraud
    What all can go wrong
  NFC Defenses
    How things could be fixed

RFID System Overview
  An RFID system usually consists of RFID tags and readers and a back-end server.
  Tags are miniaturized wireless radio devices that store information about their corresponding subject, such as a unique identification number.
  Readers broadcast queries to tags in their radio transmission ranges for information contained in tags and tags reply with such information.
  [Figure labels: Tag; Reader; back-end database; ID; reading signal]

(Some) RFID Applications

Near Field Communication (NFC)
  NFC technology enables smart phones to have RFID tag and RFID reader functionality
    Phones can be used as payment tokens
    Next generation of payment system
    For example, Google Wallet App uses this function
  Already deployed in many places
  Just like RFID, it uses wireless radio communication

NFC Applications
  Google Wallet
  ISIS
  Google Wallet Vision

NFC Applications
  Patient Id+
  Mobile Ticket Purchase – Austrian Federal Railways

NFC Applications
  NFC Tags
  Sharing

Other Applications
  Interactive Experience
    NFC at Museum of London
  Posters / Replacement to QR Codes
  Productivity (Phone Use Cases)
    Automatic Pairing with Bluetooth
    Connect to Wifi
    Make a Call/Text to a number
    Change settings automatically
    Check ins / Locations / Other social activity
    Open Apps
  SleepTrak (health monitoring)
  …MANY MANY more

The RFID Privacy Problem
  Good tags, Bad readers
  [Figure labels: Wig, model #4456 (cheap polyester); Viagra, medical drug #459382; Das Kapital and Communist-party handbook; 500 Euros in wallet, serial numbers: 597387, 389473…; 30 items of lingerie]

NFC Privacy Problem
  Should you worry?
    NFC is near field (one has to tap to read!)
  Yes, unfortunately
    Researchers have shown that it is possible to eavesdrop on NFC signals from a distance larger than the typical communication range [Kortvedt-Mjølsnes; 2009]

The NFC Privacy Problem
  Good tags, Bad readers
  [Figure labels: Chase Bank ATM Card; US Bank Credit Card; Porn Movie Ticket; Doctor’s Prescription; UAB Office Building Access Card]

The RFID Cloning Problem
  Good readers, Bad tags
  [Figure labels: Wig, model #4456 (cheap polyester); Viagra, medical drug #459382; Das Kapital and Communist-party handbook; 500 Euros in wallet, serial numbers: 597387, 389473…; 30 items of lingerie; Counterfeit!!]

The NFC Cloning Problem
  Good readers, Bad tags
  [Figure labels: Chase Bank ATM Card; US Bank Credit Card; Porn Movie Ticket; Doctor’s Prescription; UAB Office Building Access Card]

Relay Attack I: Ghost-and-Leech

Relay Attack II: Ghost-and-Reader
  Variant of a Man-in-the-Middle attack [Drimer et al., 2007]; demonstrated live on Chip-and-PIN cards
  [Figure labels: Malicious Reader; Server; Authentic Reader; Ghost]

Reader and Ghost Relay Attack
  Fake reader relays information from legitimate NFC tag to “Ghost”
  “Ghost” relays received information to a corresponding legitimate reader
  Happens simultaneously while user performs transaction with legitimate NFC tag
    relays information from the legitimate tag to fake tag
    But for a higher amount
  Impersonating a legitimate NFC tag without actually possessing the device.
    While at a different physical location

NFC Malware Problem
  Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic

The NFC Privacy Problem
  Good tags, Bad readers

The NFC Cloning Problem
  Good readers, Bad tags

Relay Attack I: Ghost-and-Leech

Selective Unlocking
  Promiscuous reading is to blame
  Currently, NFC supports selective unlocking via PIN/passwords
    Works in practice, but passwords are known to have problems, especially in terms of usability
  Our approach – gesture-enabled unlocking

Relay Attack II: Ghost-and-Reader
  Variant of a Man-in-the-Middle attack [Drimer et al., 2007]
  [Figure labels: Malicious Reader; Server; Authentic Reader; Ghost]

Authentication is not Enough
  Alice’s device must authenticate the whole transaction
  So Alice’s phone knows that the reader charges $250
  But Alice doesn’t
    The big screen on the malicious reader says $5
  Even if phone displays the correct amount, Alice may not look at it
    Or make a mistake due to rushing

Our Approach: Proximity Detection
  A second line of defense rather than relying upon the user
  Verify phone and reader are in same location
  Each device measures local data with sensor
    We use ambient audio
  Send authenticated data to server
  Server checks that the data is the same in both measurements
    Or at least similar enough
    Then approves the transaction

Advantages of our Approach
  Does not require explicit user action
  Extremely difficult for attacker to change environmental attributes
  Geographical location not sent to server
    users’ location privacy is protected (unlike the use of GPS coordinates)
  Does not change traditional NFC usage model
    Compatible
    with current payment infrastructure

Implementation and Evaluation
  Sensor data collected by two devices in close proximity
  Capture audio from cell phone’s built-in microphone (two Nokia N97 phones)
  Recorded 20 consecutive segments from two sensors simultaneously at different pairs of locations
    At 5 different locations

Detection Techniques
  Techniques based on time, frequency or both:
  In both domains tested:
    Euclidean distance between signals
    Correlation between signals
  Combined method: frequency distance and time-correlation
  Best results achieved for combined time-frequency based method

Time-Frequency Distance Technique
  Our new Time-Frequency-based technique
  Calculating distance between two signals:
    Calculate Euclidean distance between frequency feature vectors
    Calculate Time-based correlation between signals
      Distance defined as D_C = 1 - Correlation
  Both distances combined for classification
    Combined as a 2-D point in space

Test Results
  Time-Frequency distance measure:
    Numbers are distance measured squared

Detection Techniques
  Used simple classifier to detect samples taken at the same locations
    Simple-Logistics classifier from Weka
  10-Fold classification:
    Data divided into 10 groups, 9 used for training, one for testing
  Input to the classifier:
    Time-Frequency distance measure squared

Results
  Our tests showed perfect classification:
    False Accept Rate = 0% and False Reject Rate = 0%
  High level of security and usability

Conclusions from Proximity Detection
  Designed a defense for the Reader-and-Ghost attack
  Promising defense
    without changes to the traditional RFID usage model
    without location privacy leakage
    also applicable to sensor-equipped RFID cards
  Audio is a stronger signal compared to light
  More experiments are planned in the future
  Paper: ESORICS [Halevi et al.; 2012]
  Media Coverage: Bloomberg, ZDNet, NFCNews, UAB News, etc…

NFC Malware Problem

Malware Protection via Gestures
  Malware actions are software-generated
  Legitimate actions, on the other hand, are human-generated
  Human gestures will tell the OS whether an access request is benign or malicious
  Luckily, for NFC, a gesture that can work is “tapping”
  An explicit gesture could also be employed

Tap-Wave-Rub (TWR) Gestures
  Phone Tapping
    accelerometer
  Waving/Rubbing/Tapping
    proximity sensor
  Waving
    light sensor

TWR Enhanced Android Permissions

Initial Results
  Phone Tapping (accelerometer)
  Tap/wave/rub (proximity sensor)

Conclusions from TWR
  Initial results are promising
  The approach is applicable for protecting any other critical mobile device service
    SMS, phone call, camera access, etc.
  TWR gestures are also ideal for selective unlocking

Take Away from the Talk
  NFC is a promising new platform with immense possibilities
  However, a full deployment requires careful assessment of security vulnerabilities and potential fraudulent activities
  Many vulnerabilities similar to RFID
    Except Malware – a burgeoning threat to NFC
    Other attacks possible – such as phishing via malicious NFC tag
  Security solutions need to be developed and integrated with NFC from scratch
    Research shows promise
    Phone is almost a computer; so a lot could be done (unlike RFID)
  User convenience or usability is an important design metric when developing security solutions

Acknowledgments
  Students – the SPIES
    Jaret Langston, Babins Shrestha, Tzipora Halevi, Jonathan Voris, Sai Teja Peddinti, Justin Lin, Borhan Uddin, Ambarish Karole, Arun Kumar, Ramnath Prasad, Alexander Gallego
  Other Collaborators

More info:
  http://spies.cis.uab.edu
  http://spies.cis.uab.edu/research/rfid-security-and-privacy/
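
The time-frequency distance from the "Time-Frequency Distance Technique" slide, as an added Python example (not code from the talk or the ESORICS paper). Assumptions, since the slides do not give them: the frequency feature is a unit-length banded magnitude spectrum, the time correlation is the best Pearson correlation over a few samples of lag, a fixed threshold stands in for the Weka Simple-Logistics classifier, and the "ambient audio" is constructed from tones plus noise; all function names are hypothetical.

```python
import cmath, math, random

def band_features(x, bands=16):
    # Assumed frequency feature: magnitude spectrum (plain DFT) summed into
    # coarse bands and scaled to unit length so loudness does not matter.
    n = len(x)
    mags = [abs(sum(v * cmath.exp(-2j * math.pi * k * t / n) for t, v in enumerate(x)))
            for k in range(1, n // 2)]
    width = math.ceil(len(mags) / bands)
    feats = [sum(mags[i:i + width]) for i in range(0, len(mags), width)]
    norm = math.sqrt(sum(f * f for f in feats))
    return [f / norm for f in feats]

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    den = math.sqrt(sum((p - ma) ** 2 for p in a) * sum((q - mb) ** 2 for q in b))
    return num / den

def time_correlation(x, y, max_lag=8):
    # Assumed: best correlation over small lags, tolerating clock skew
    # between the two recordings.
    n = len(x)
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        a, b = (x[lag:], y[:n - lag]) if lag >= 0 else (x[:n + lag], y[-lag:])
        best = max(best, pearson(a, b))
    return best

def tf_distance_squared(x, y):
    d_f = math.dist(band_features(x), band_features(y))  # frequency distance
    d_c = 1.0 - time_correlation(x, y)                   # D_C = 1 - Correlation
    return d_f ** 2 + d_c ** 2       # squared length of the 2-D point (d_f, d_c)

def same_location(x, y, threshold=0.5):
    # Fixed threshold stands in for the trained classifier (assumption).
    return tf_distance_squared(x, y) < threshold

def record(tones, seed, skew=0, n=256):
    # Constructed sample: ambient tones plus independent microphone noise.
    rng = random.Random(seed)
    return [sum(math.sin(2 * math.pi * f * (t + skew) / n) for f in tones)
            + rng.gauss(0, 0.2) for t in range(n)]

CAFE, STREET = (5, 12, 31), (9, 20, 47)  # constructed ambient spectra
phone = record(CAFE, seed=1)
reader = record(CAFE, seed=2, skew=3)    # same place, 3-sample clock skew
relay_reader = record(STREET, seed=3)    # reader at the far end of a relay
print(tf_distance_squared(phone, reader), tf_distance_squared(phone, relay_reader))
```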