NFC: A Convenient Mobile Payment Platform,
or
Fraudsters’ Playground?
Nitesh Saxena
Computer and Information Sciences
University of Alabama at Birmingham
Security and Privacy In Emerging Systems (SPIES) group
http://spies.cis.uab.edu
Center for Information Assurance and Joint Forensics Research
(CIA|JFR)
http://thecenter.uab.edu/
Outline

Background


NFC Applications


What all one could do with it
NFC Attacks/Fraud


What NFC is
What all can go wrong
NFC Defenses

How things could be fixed
Outline

Background


NFC Applications


What all one could do with it
NFC Attacks/Fraud


What NFC is
What all can go wrong
NFC Defenses

How things could be fixed
RFID System Overview
An RFID system usually consists of RFID tags and
readers and a back-end server. Tags are miniaturized
wireless radio devices that store information about their
corresponding subject, such as a unique identification
number. Readers broadcast queries to tags in their
radio transmission ranges for information contained in
tags and tags reply with such information.
reading
signal
back-end
database
ID
Tag
Reader
(Some) RFID Applications
Near Field Communication (NFC)

NFC technology enables smart phones to
have RFID tag and RFID reader
functionality

Phones can be used as payment tokens




Next generation of payment system
For example, Google Wallet App uses this function
Already deployed in many places
Just like RFID, it uses wireless radio
communication
Outline

Background


NFC Applications


What all one could do with it
NFC Attacks/Fraud


What NFC is
What all can go wrong
NFC Defenses

How things could be fixed
NFC Applications
Google Wallet
ISIS
Google Wallet Vision
NFC Applications
Patient Id+
Mobile Ticket Purchase –
Austrian Federal Railways
NFC Applications
NFC Tags
Sharing
Other Applications
Interactive Experience



NFC at Museum of London
Posters / Replacement to QR Codes
Productivity (Phone Use Cases)








Automatic Pairing with Bluetooth
Connect to Wifi
Make a Call/Text to a number
Change settings automatically
Check ins / Locations / Other social activity
Open Apps
SleepTrak (health monitoring)
…MANY MANY more
Outline

Background


NFC Applications


What all one could do with it
NFC Attacks/Fraud


What NFC is
What all can go wrong
NFC Defenses

How things could be fixed
The RFID Privacy Problem
Good tags, Bad readers
Wig
Viagra
medical drug #459382
model #4456
(cheap polyester)
Das Kapital and
Communistparty handbook
500 Euros
in wallet
30 items
of lingerie
Serial numbers:
597387,389473…
NFC Privacy Problem

Should you worry?



NFC is near field (one has to tap to read!)
Yes, unfortunately
Researchers have shown that it is
possible to eavesdrop NFC signals from
a distance larger than its typical
communication range

[Kortvedt-Mjølsnes; 2009]
The NFC Privacy Problem
Good tags, Bad readers
Chase Bank
ATM Card
US Bank Credit
Card
Porn Movie
Ticket
Doctor’s
Prescription
UAB Office
Building
Access Card
The RFID Cloning Problem
Good readers, Bad tags
Wig
Viagra
medical drug #459382
model #4456
(cheap polyester)
Das Kapital and
Communistparty handbook
Counterfeit!!
500 Euros
in wallet
30 items
of lingerie
Serial numbers:
597387,389473…
The NFC Cloning Problem
Good readers, Bad tags
Chase Bank
ATM Card
US Bank Credit
Card
Porn Movie
Ticket
Doctor’s
Prescription
UAB Office
Building
Access Card
Relay Attack I: Ghost-and-Leech
Relay Attack II: Ghost-and-Reader
Variant of a Man-in-the-Middle attack
[Drimer et al., 2007]; demonstrated live on
Chip-and-PIN cards
Malicious Reader
Server
Authentic Reader
Ghost
Reader and Ghost Relay Attack

Fake reader relays information from
legitimate NFC tag to “Ghost”



“Ghost” relays received information to a
corresponding legitimate reader
Happens simultaneously while user performs
transaction with legitimate NFC tag


relays information from the legitimate tag to fake
tag
But for a higher amount
Impersonating a legitimate NFC tag without
actually possessing the device.

While at a different physical location
NFC Malware Problem
Youtube video:
http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic
Outline

Background


NFC Applications


What all one could do with it
NFC Attacks/Fraud


What NFC is
What all can go wrong
NFC Defenses

How things could be fixed
The NFC Privacy Problem
Good tags, Bad readers
Chase Bank
ATM Card
US Bank Credit
Card
Porn Movie
Ticket
Doctor’s
Prescription
UAB Office
Building
Access Card
The NFC Cloning Problem
Good readers, Bad tags
Chase Bank
ATM Card
US Bank Credit
Card
Porn Movie
Ticket
Doctor’s
Prescription
UAB Office
Building
Access Card
Relay Attack I: Ghost-and-Leech
Selective Unlocking




Promiscuous reading is to blame
Currently, NFC supports selective
unlocking via PIN/passwords
Works in practice but passwords are
known to have problems especially in
terms of usability
Our approach – gesture-enabled
unlocking
Relay Attack II: Ghost-and-Reader
Variant of a Man-in-the-Middle attack
[Drimer et al., 2007]
Malicious Reader
Server
Authentic Reader
Ghost
Authentication is not Enough


Alice’s device must authenticate the whole
transaction
So Alice’s phone knows that the reader
charges $250



But Alice doesn’t
The big screen on the malicious reader says $5
Even if phone displays the correct amount,
Alice may not look at it

Or make a mistake due to rushing
Our Approach: Proximity Detection

A second line of defense


rather than relying upon the user
Verify phone and reader are in same
location

Each device measures local data with sensor



Send authenticated data to server
Server checks that the data is the same in both
measurements


We use ambient audio
Or at least similar enough
Then approves the transaction
Advantages of our Approach

Does not require explicit user action



Extremely difficult for attacker to change
environnemental attributes
Geographical location not sent to server


Does not change traditional NFC usage model
users’ location privacy is protected (unlike the
use of GPS coordinates)
Compatible with current payment
infrastructure
Implementation and Evaluation

Sensor data collected by two devices in
close proximity


Capture audio from cell phone’s built-in
microphone (two Nokia N97 phones)
Recorded 20 consecutive segments from
two sensors simultaneously at different
pairs of locations

At 5 different locations
Detection Techniques

Techniques based on time, frequency or
both:

In both domains tested:




Euclidean distance between signals
Correlation between signals
Combined method: frequency distance and
time-correlation
Best results achieved for combined timefrequency based method
Time-Frequency Distance Technique

Our new Time-Frequency-based
technique

Calculating distance between two signals:


Calculate Euclidean distance between frequency
feature vectors
Calculate Time-based correlation between
signals


Distance defined as DC = 1 - Correlation
Both distances combined for classification

Combined as a 2-D point in space
Test Results

Time-Frequency distance measure:
Numbers are distance measured squared
Detection Techniques

Used simple classifier to detect samples
taken at the same locations


Simple-Logistics classifier from Weka
10-Fold classification:


Data divided into 10 groups, 9 used for training,
one for testing
Input to the classifier: Time-Frequency
distance measure squared
Results

Our tests showed perfect classification:


False Accept Rate = 0% and False Reject
Rate = 0%
High level of security and usability
Conclusions from Proximity Detection


Designed a defense for the Reader-and-Ghost
attack
Promising defense







without changes to the traditional RFID usage model
without location privacy leakage
also applicable to sensor-equipped RFID cards
Audio is a stronger signal compared to light
More experiments are planned in the future
Paper: ESORICS [Halevi et al.; 2012]
Media Coverage: Bloomberg, ZDNet, NFCNews,
UAB News, etc…
NFC Malware Problem
Youtube video:
http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic
Malware Protection via Gestures





Malware actions are software-generated
Legitimate actions, on the other hand,
are human-generated
Human gestures will tell the OS whether
an access request is benign or malicious
Luckily, for NFC, a gesture that can work
is “tapping”
An explicit gesture could also be
employed
Tap-Wave-Rub (TWR) Gestures

Phone Tapping


Waving/Rubbing/Tapping


accelerometer
proximity sensor
Waving

light sensor
TWR Enhanced Android Permissions
Initial Results
Phone Tapping (accelerometer)
Tap/wave/rub (proximity sensor)
Conclusions from TWR


Initial results are promising
The approach is applicable for protecting
any other critical mobile device service


SMS, phone call, camera access, etc.
TWR gestures are also ideal for selective
unlocking
Take Away from the Talk



NFC is a promising new platform with immense
possibilities
However, a full deployment requires careful assessment of
security vulnerabilities and potential fraudulent activities
Many vulnerabilities similar to RFID



Security solutions need to be developed and integrated
with NFC from scratch



Except Malware – a burgeoning threat to NFC
Other attacks possible – such as phishing via malicious NFC tag
Research shows promise
Phone is almost a computer; so lot could be done (unlike RFID)
User convenience or usability is an important design
metric when developing security solutions
Acknowledgments

Students – the SPIES


Jaret Langston, Babins Shrestha, Tzipora Halevi,
Jonathan Voris, Sai Teja Peddinti, Justin Lin,
Borhan Uddin, Ambarish Karole, Arun Kumar,
Ramnath Prasad, Alexander Gallego
Other Collaborators
More info: http://spies.cis.uab.edu
http://spies.cis.uab.edu/research/rfid-security-and-privacy/