The Background and Science behind this
Contactless credit card payments using the Near Field Communication (NFC) standard are rapidly becoming a very popular way to pay for goods. That is not surprising, as they offer a quick and convenient way of paying for items without having to use cash or type in a credit card PIN. However, as is so often the case, that convenience has come at a cost in security. An attacker no longer has to get close to your wallet: they can snoop on your card details, make transactions while in range and potentially use your card afterwards.
The official NFC standard operates at the same frequency as RFID (13.56 MHz), which specifies a maximum operating distance of 1.5 m (at 1 W TX power), but researchers have achieved much greater distances (up to hundreds of metres) by using more powerful antennas. You may or may not be surprised to hear, then, that one of the ‘security’ mechanisms is the assumption that the card is in close proximity to the reader. This assumption can be abused to carry out relay attacks between the reader and the token, with a rogue device in between. All that is needed is a mobile phone, an ideal device since it can operate in both active and passive mode and can also interface with other, longer-range wireless technologies such as Bluetooth and Wi-Fi.
By snooping on the card details using, for example, an NFC-enabled smartphone and a freely available application, it is possible to re-use those details to perform larger online transactions with less scrupulous merchants who sacrifice security for convenience and user experience. It was also found that stolen cards could still be used for contactless transactions for days after the card had been cancelled, because many of the lower-value transactions are authorised offline.
Taking money directly from the card over the contactless interface is also possible, and the attacker is not necessarily bound by the £30 limit set by the card providers in the UK. Most cards were found to be vulnerable when dynamic currency conversion was used: the limit no longer applied, and transactions up to a theoretical value of 999,999.00 could be performed in the attacker’s currency of choice. Some card providers have since addressed this particular issue, but there is no doubt that some cards may still be vulnerable, and more flaws of the same nature may be lurking undiscovered or unpublished.
Finally, NFC payments piggyback on the same technology that powers Chip & PIN (EMV) but open up a new world of exploitation by abusing the wireless nature of the NFC protocol, since the tamper detection and tamper proofing that were part of the original model no longer apply. In the security research community it has long been known that one of the key security mechanisms of EMV relies on the POS/ATM providing a random number to the card. Most of the time, however, these numbers are easily brute-forced offline because of the reduced key space in which they are generated. Over the air, an attacker can connect to your card, guess the next valid sequence number to use, and charge a hefty bill to your card, all from a distance.
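The weak point described above is the terminal's Unpredictable Number, which in EMV is carried in tag 9F37. The following is an added example, not code from the original article, of an audit a merchant or acquirer could run over terminal logs to spot terminals whose UNs behave like counters or use only a few of their 32 bits; the log format (`term=`, `tag9F37=`) and the sample lines are constructed for the example.

```python
import re

# Constructed sample: one line per contactless transaction, as a terminal
# audit log might record the 4-byte Unpredictable Number (EMV tag 9F37).
# The line format is assumed for this example, not taken from a real vendor.
SAMPLE_LOG = """\
2015-06-01T09:12:03 term=T001 tag9F37=0000011A
2015-06-01T09:12:41 term=T001 tag9F37=0000011B
2015-06-01T09:13:07 term=T001 tag9F37=0000011C
2015-06-01T09:13:55 term=T001 tag9F37=0000011D
2015-06-01T09:14:20 term=T002 tag9F37=8A3F19C2
2015-06-01T09:15:02 term=T002 tag9F37=1D77E04B
2015-06-01T09:15:48 term=T002 tag9F37=F20C6E95
2015-06-01T09:16:31 term=T002 tag9F37=5BE8A317
"""

UN_RE = re.compile(r"term=(\S+) tag9F37=([0-9A-Fa-f]{8})")

def parse_uns(log):
    """Group observed UN values (as ints) by terminal id, in log order."""
    per_term = {}
    for m in UN_RE.finditer(log):
        per_term.setdefault(m.group(1), []).append(int(m.group(2), 16))
    return per_term

def effective_bits(values):
    """Count bit positions that ever differ across the observed UNs."""
    varying = 0
    for v in values:
        varying |= v ^ values[0]
    return bin(varying).count("1")

def audit_uns(values):
    """Flag a UN stream that increments like a counter or is too narrow."""
    deltas = [b - a for a, b in zip(values, values[1:])]
    counter_like = len(values) > 2 and len(set(deltas)) == 1 and deltas[0] != 0
    bits = effective_bits(values)
    return {
        "samples": len(values),
        "distinct": len(set(values)),
        "effective_bits": bits,
        "counter_like": counter_like,
        # A narrow effective width is exactly the reduced guess space the
        # article describes; 24 is an illustrative threshold, not a standard.
        "weak": counter_like or bits < 24,
    }

def audit_log(log):
    return {term: audit_uns(vals) for term, vals in parse_uns(log).items()}

if __name__ == "__main__":
    for term, report in audit_log(SAMPLE_LOG).items():
        print(term, report)
```

Terminal T001 is reported as weak (counter-like, 3 effective bits) while T002's UNs vary across almost all 32 bits; a real audit would need far more samples per terminal than this constructed log contains.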