NFC Payments: The Art of Relay & Replay Attacks

Presented at TROOPERS18 (2018), March 15, 2018, 11:30 a.m. (Unknown duration).

Relay and replay attacks are more prevalent in the payment industry than ever and are becoming more complex and sophisticated by the day. We are no longer seeing only simple skimming techniques but attack chains that combine SDR, NFC, APDU manipulation, hardware emulation, specialized software, tokenization protocols and social engineering.

In this talk we will discuss what exactly relay and replay attacks are and what hardware and software are used to carry them out. We will also show that most people already own the hardware needed for one of these attacks, or can build a device to do so for about $35. We will demonstrate real scenarios where these techniques, combined with RFID emulation, can be used to exploit any type of NFC transaction, and, worse, how the same attack methods could exploit new NFC implementations for years to come.

In the last few years digital payment methods have seen incredible adoption in consumer devices around the world. Many large companies are adding NFC (Near Field Communication) support to all sorts of devices so that consumers can make monetary transactions. Some of these companies protect themselves by implementing tokenization as part of the payment technology. However, it is well documented that these protections can be bypassed using simple mechanisms. With all these changes in the NFC ecosystem, the information security field is not well prepared to protect against the growing number of new attacks in this area.

The talk uses exploitation hardware and live demos; the presentation covers SDR communication, RFID emulation, APDU communication, and extraction of data from physical and digital cards.

Outline

1.- Intro to terminology. This section explains concepts and details of RFID/NFC technologies along with the EMV transaction framework, illustrated with flow charts.

2.- What is NFC? This section details how RFID/NFC works and how the transaction connection is handled. We will explain how the terminal uses tokens and the process of making a transaction.

3.- Previous research and cases from the wild. We will detail previous investigations and the limits of their scope.

4.- NFC Emulation. Emulation is a technique that is not well documented. We will explain in detail how anyone can build a cheap device to emulate a contactless card using a low-cost RFID reader: for about $35 anyone can build an NFC emulator for a replay attack, and for about $70 an NFC proxy for relay attacks.

5.- Replay attacks. We will discuss how an RFID device can be switched between reader mode and emulator mode to carry out an attack.

6.- Relay attacks. We will discuss how two RFID devices share information in real time, using SDR, to carry out a relay attack.

7.- Future research opportunities. This section explains how these attacks could be applied to new technologies in the future, for example how NFC could be used to open a car door.

8.- Conclusions. Implementations of NFC are likely to be affected for years to come. You already have the equipment to start: a mobile phone can be used as a simple sniffer, and a $70 device can be built to carry out a relay attack. EMV and tokenization failings: EMV was introduced to provide strong transaction security, but the adoption of contactless (PayWave/PayPass) forms of payment has introduced weaknesses into this technology.
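The outline items on emulation, replay and relay (4 to 6) describe one architecture: a card-side reader talks to the victim's card, a terminal-side emulator answers the terminal, and the APDUs either cross a live link (relay) or come from a recording (replay). The following Python simulation is an added illustration of that architecture and is not code from the talk or its authors. Everything in it is constructed: the card, the terminal, the issuer check and the 16-byte key are stand-ins, the AID is the public Visa application identifier used only as a name, and the "cryptogram" is an HMAC over the terminal's Unpredictable Number instead of the real EMV cryptogram over amount, ATC and other data. It shows why a proxy that forwards APDUs live passes a check bound to the terminal's fresh random, while a recorded session replayed to a new transaction does not; the replay scenarios in the talk rely on implementation weaknesses that this toy model does not reproduce.

```python
import hashlib
import hmac
import secrets

SW_OK, SW_NOT_FOUND, SW_INS_UNSUPPORTED = b"\x90\x00", b"\x6a\x82", b"\x6d\x00"
PPSE = b"2PAY.SYS.DDF01"                 # contactless payment system environment name
AID = bytes.fromhex("A0000000031010")    # public Visa credit/debit AID, used only as a name


def parse_apdu(cmd: bytes) -> dict:
    """Split a short ISO 7816-4 command APDU into its fields (cases 1 to 4)."""
    if len(cmd) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    apdu = dict(cla=cmd[0], ins=cmd[1], p1=cmd[2], p2=cmd[3], data=b"", le=None)
    body = cmd[4:]
    if len(body) == 0:                          # case 1: header only
        return apdu
    if len(body) == 1:                          # case 2: Le only (0x00 means 256)
        apdu["le"] = body[0] or 256
        return apdu
    lc = body[0]
    if len(body) == 1 + lc:                     # case 3: Lc + data
        apdu["data"] = body[1:]
    elif len(body) == 2 + lc:                   # case 4: Lc + data + Le
        apdu["data"], apdu["le"] = body[1:1 + lc], body[-1] or 256
    else:
        raise ValueError("Lc does not match the APDU length")
    return apdu


class SimCard:
    """Constructed stand-in for a contactless card; answers three EMV commands."""
    def __init__(self, key: bytes):
        self.key = key                          # key shared with the issuer (constructed)

    def process(self, cmd: bytes) -> bytes:
        a = parse_apdu(cmd)
        if (a["cla"], a["ins"]) == (0x00, 0xA4):            # SELECT by DF name
            return b"\x6f\x00" + SW_OK if a["data"] in (PPSE, AID) else SW_NOT_FOUND
        if (a["cla"], a["ins"]) == (0x80, 0xA8):            # GET PROCESSING OPTIONS
            # Toy cryptogram: MAC over the terminal's Unpredictable Number only.
            # A real card also covers amount, ATC and other transaction data.
            crypt = hmac.new(self.key, a["data"], hashlib.sha256).digest()[:8]
            return b"\x9f\x26\x08" + crypt + SW_OK          # tag 9F26 = cryptogram
        return SW_INS_UNSUPPORTED


class SimTerminal:
    """Constructed terminal plus issuer check; talks to whatever transceive() it is given."""
    def __init__(self, issuer_key: bytes):
        self.issuer_key = issuer_key

    def transaction(self, transceive) -> bool:
        un = secrets.token_bytes(4)             # fresh Unpredictable Number per transaction
        select_ppse = b"\x00\xa4\x04\x00" + bytes([len(PPSE)]) + PPSE + b"\x00"
        select_aid = b"\x00\xa4\x04\x00" + bytes([len(AID)]) + AID + b"\x00"
        gpo = b"\x80\xa8\x00\x00" + bytes([len(un)]) + un + b"\x00"
        if any(transceive(c)[-2:] != SW_OK for c in (select_ppse, select_aid)):
            return False
        rsp = transceive(gpo)
        if rsp[-2:] != SW_OK or rsp[:3] != b"\x9f\x26\x08":
            return False
        expected = hmac.new(self.issuer_key, un, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(rsp[3:11], expected)     # issuer-side cryptogram check


class RelayProxy:
    """Terminal-side emulator that forwards each C-APDU live to the card-side reader."""
    def __init__(self, remote_card: SimCard, log: list):
        self.remote_card, self.log = remote_card, log

    def transceive(self, cmd: bytes) -> bytes:
        rsp = self.remote_card.process(cmd)     # in practice this hop is the radio/IP link
        self.log.append((cmd.hex(), rsp.hex()))  # the recording a replay would reuse
        return rsp


class ReplayEmulator:
    """Emulator that answers from a recorded session, in order, with no card present."""
    def __init__(self, recorded: list):
        self.responses = [bytes.fromhex(r) for _, r in recorded]
        self.i = 0

    def transceive(self, cmd: bytes) -> bytes:
        rsp = self.responses[self.i % len(self.responses)]
        self.i += 1
        return rsp


def demo(key: bytes = b"") -> tuple:
    """Relay one transaction, then replay its responses; return (relay_ok, replay_ok)."""
    key = key or secrets.token_bytes(16)        # constructed card/issuer key
    card, terminal, log = SimCard(key), SimTerminal(key), []
    relay_ok = terminal.transaction(RelayProxy(card, log).transceive)
    replay_ok = terminal.transaction(ReplayEmulator(log).transceive)
    return relay_ok, replay_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The relay succeeds because the proxy never needs to understand the APDUs; it only has to move them fast enough that the terminal does not time out, which is where the SDR or network link matters. The replay fails in this model only because the terminal's Unpredictable Number changes and the issuer check is bound to it; an implementation that skips that binding, or accepts static data, is what makes a recorded session reusable.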


Presenters:

  • Salvador Mendoza
    Salvador Mendoza is a security researcher focusing on tokenization processes, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON 24/25, DerbyCon, Ekoparty, BugCON, Troopers and 8.8. Salvador has designed several tools to pentest mag-stripe and tokenization processes; his toolset includes MagSpoofPI, JamSpay, TokenGet, SamyKam and, most recently, BlueSpoof.
  • Leigh-Anne Galloway
    Leigh-Anne Galloway is the Cyber Security Resilience Lead at Positive Technologies, where she advises organisations on how best to secure their applications and infrastructure against modern threats. She is an expert in the Application Security Unit, specializing in ATM and POS security, and is the author of security research on account recovery processes on social media websites. She has spoken at many conferences including DevSecCon, BSides, InfoSec Europe, IPExpo, Hacktivity, 8dot8 and Black Hat EU.