First Contact - Vulnerabilities in Contactless Payments

Presented at Black Hat Europe 2019, Dec. 4, 2019, 11 a.m. (50 minutes)

Introduced in 2007, contactless (NFC) payments have been used widely for a decade. Accounting for more than 40% of transactions globally, contactless payments are fast replacing cash and CHIP. Yet, contactless makes use of protocols much older than the technology itself. So, how safe and secure are contactless payments?

In this talk, we discuss how the EMV protocols and magstripe modes used for contactless are equally flawed. For the first time, we show how to bypass the UK £30 limit for contactless payments made using physical cards. We then show how to circumvent limits for mobile wallets using locked mobile phones. What's more, we cover flaws in the generation of key values, the unpredictable number (UN) and the application transaction counter (ATC). In another first, we perform a pre-play attack using EMV without downgrading to legacy modes.


  • Tim Yunusov - Security Researcher, Positive Technologies
    Tim Yunusov is a Security Expert in the area of banking security and application security. He has authored multiple research works in the field of application security, including "Apple Pay replay attacks" (Black Hat USA 2017), "7 sins of ATM protection against logical attacks" (PacSec, POC), "Bruteforce of PHPSESSID" and "XML Out-Of-Band" (BlackHat EU), and is rated in the Top Ten Web Hacking Techniques by WhiteHat Security. He regularly speaks at conferences and has previously spoken at CanSecWest, Black Hat USA, Black Hat Europe, HackInTheBox, Nullcon, NoSuchCon, Hack In Paris, ZeroNights and Positive Hack Days.
  • Leigh-Anne Galloway - Payment Security Researcher, Positive Technologies
    Leigh-Anne Galloway is a Security Researcher who specializes in application and payment security. Leigh-Anne started her career in incident response, leading investigations into payment card data breaches, which is where she discovered her passion for payment technologies. She has presented and authored research on ATM security, application security and payment technology vulnerabilities, and has previously spoken at DevSecCon, BSides, Hacktivity, 8dot8, OWASP, Troopers and Black Hat USA. She loves her cat, 8-bit music, and Frida Kahlo.