First Contact - Vulnerabilities in Contactless Payments

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 2:20 p.m. (40 minutes)

Introduced in 2007, contactless (NFC) payments have been used widely for a decade. Accounting for more than 40% of transactions globally, contactless payments are fast replacing cash and CHIP. Yet, contactless makes use of protocols much older than the technology itself. So, how safe and secure are contactless payments?

In this talk we discuss how the EMV protocols and magstripe modes used for contactless are equally flawed. For the first time, we show how to bypass the UK £30 limit for contactless payments made using physical cards. We then show how to circumvent limits for mobile wallets using locked mobile phones. What's more, we cover flaws in the generation of key values, the unpredictable number (UN) and the application transaction counter (ATC). In another first, we perform a pre-play attack using EMV without downgrading to legacy modes.


  • Tim Yunusov - Head of Offensive Security Research, Cyber R&D Lab
    Timur Yunusov is Head of Offensive Security Research in the area of banking security and application security. He regularly speaks at conferences and has previously spoken at CanSecWest, PacSec, DEF CON, Black Hat USA, and Black Hat Europe.
  • Leigh-Anne Galloway - Payment Security Researcher, Cyber R&D Lab
    Leigh-Anne Galloway is a Security Researcher who specializes in application and payment security. Leigh-Anne started her career in incident response, leading investigations into payment card data breaches, which is where she discovered her passion for payment technologies. She has presented and authored research on ATM security, application security and payment technology vulnerabilities, and has previously spoken at DevSecCon, BSides, Hacktivity, 8dot8, OWASP, Troopers, Black Hat USA, and Black Hat Europe. She loves her cat, 8-bit music, and Frida Kahlo.

