NFC Payments: The Art of Relay and Replay Attacks

Presented at ekoparty 14 (2018), Sept. 28, 2018, 4 p.m. (50 minutes)

Over the past years, digital payment methods have gained an incredible rate of adoption in devices all over the world. Many enterprises, and not only from the banking sector, have started to incorporate NFC support (Near Field Communication) to all kind of devices and apps so as to allow consumers to perform monetary transactions. Some of these companies are protecting themselves by implementing a tokenization as part of digital technology. However, it is well known that it is possible to bypass these restrictions by using simple mechanisms to perform dishonest transactions. Taking all these changes and incorporations in the NFC and banking system, security areas are not ready to protect themselves against the increase of new attacks in this area.

Retransmission and repetition attacks are getting more and more frequent in the paymetnt industry. Getting everyday more complex and sophsticated. Not only are we witnessing simple skimming techniques, but also complex attack vectors born out of the combination between technologies and implementations that include SDR, NFC, APDUs, hardware emulation design, specialized software, tokenization protocols and social engineering.

In this talk, we will discuss what those attacks are, or what kind of hardware or software could be implemented. Furthermore, we will show real scenarios in which these technologies together with RFID emulation could exploit any type of NFC transaction. What´s more, how the same attack methods could exploit new NFC implementations in the next few years.

In this talk, exploitation hardware with demonstrations will be used; the presentation will include SDR communication, RFID emulation, APDU communication, physical and digital cards data extraction.


  • Salvador Mendoza
    Salvador Mendoza is a security researcher focused on tokenization processes, mag-stripe iformation, payment systems and specialized prototypes. Salvador has presented his researches related to payment system security faillures and tokenization processes in international conferences such as Black Hat USA, DEF CON 24/25, DerbyCon, Ekoparty, BugCON, 8dot8, OWASP and Troopers 17/18. Also, Salvador has designed different tools to find faillures in physical and digital payment systems, in which MagSpoofPI, JamSpay, TokenGet, SamyKam and lately BlueSpoof are included.


Similar Presentations: