CprE 537 Eric McAllister Overview Introduction Transaction Process Credit Card Data Transaction Protocol Attacks Countermeasures Conclusion.

• Slide 1

Slide 2 CprE 537 Eric McAllister Slide 3 Overview Introduction Transaction Process Credit Card Data Transaction Protocol Attacks Countermeasures Conclusion Slide 4 Introduction Rather than swipe a card through a reader, RFID-enabled credit cards work by being held in some close proximity to it Usage has grown from 20-55 million cards circulated worldwide in 2006 to 100 million in 2012 MasterCards payPass and Visas PayWave are the most common Under $25 purchases dont require a signature; similar to many traditional magnetic stripe swipe transactions (Source: Greenberg, 2012; Clarke, 2012; Visa, 2008) Slide 5 Benefits of RFID-enabled Cards Consumer: Shorter wait times in lines since its a quicker transaction process than handing a card to someone to swipe Dont have to hand your card to a stranger who could do criminal things with it Merchant: Increased number of purchases Shorter wait times (Source: Chen, Tsuei, 2011) Slide 6 Transaction Process: Card Data Credit card magnetic strips have 3 data tracks Track 1 Standard of International Air Transport Association Used in securing reservations with a credit card by the airlines Track 2 Standard of American Banking Association Commonly used for financial transactions Track 3 Similar to Tracks 1 and 2 but is rarely used (Source: Heydt-Benjamin et al., 2006; Acme Tech, 2010) Slide 7 Card Data: Track 1 Layout: | SS | FC | PAN | Name | FS | Additional Data | ES | LRC | SS = Start Sentinel % FC = Format Code PAN = Primary Account # (19 digits max) FS = Field Separator ^ Name = Cardholder Name (26 alphanumeric characters max) Additional Data = Card Expiration Date, offset, encrypted PIN, etc. ES = End Sentinel ? LRC = Longitudinal Redundancy Check (Source: Acme Tech, 2010) Slide 8 Card Data: Track 2 Layout: |SS | PAN | FS | Additional Data | ES | LRC | SS = Start Sentinel ; PAN = Primary Account # (19 digits max) FS = Field Separator = Additional Data = Card Expiration Date, offset, encrypted PIN, etc. ES = End Sentinel ? LRC = Longitudinal Redundancy Check (Source: Acme Tech, 2010) Slide 9 Protocol Overview The customer holds his card within a distance of 10-15 centimeters from the POS (Point of Sale) RFID Reader The RFID Tag in the card is activated by the RF signals sent by the Reader The transaction is authorized without a PIN for transactions under $25; else the customer needs to enter a PIN at the POS terminal Once the PIN is entered, a cryptographic matching algorithm verifies the correctness of the entered PIN The card sends via an RF signal, the information that would normally be obtained from the magnetic strip of the card (card number, expiration date, card holders name). This information is sent via plain text for some banks, while other banks use pseudonyms, transaction counters, or cryptography to conceal some of this very sensitive information The RFID Reader transfers this information to the back end processing system along with other transaction related information such as destination account, transaction time, and the transaction amount The charges are made and the amount is transferred to the merchant from the card holders account (Source: Nithyanand, 2009) Slide 10 Protocol Detail The best detail we have comes from a group that reverse-engineered a bunch of cards in 2006, but cant disclose in-depth detail due to lawsuit potential Based on the output from their RFID card reader, they divided the cards into 3 classes, referenced as Card Type A, B, and C YouTube video: Why MythBusters Wont do RFID Conversation with TI, lawyers Another example of researchers not being able to disclose their research findings http://www.youtube.com/watch?v=X034R3yzDhw (Source: Heydt-Benjamin, et al, 2006) Slide 11 Protocol Detail: Type A Cards When the reader is presented with a card of type A, the reader outputs data through the serial port identical to the data contained on the magnetic strip of the same card When the reader is presented with the same card, the output is always the same; there is no evidence, based on the output of the reader, of a counter, one-time password, or any other mechanism for replay of attacks (Source: Heydt-Benjamin, et al, 2006) Slide 12 Protocol Detail: Type B Cards The output of card type B demonstrates the presence of a counter, determined to be such because of monotonic incrementation with successive transactions Three digits are observed to change with each transaction in no pattern that was identifiable Due to the relatively high entropy of the three digits, it is hypothesized that they are the output of some cryptographic algorithm that takes the transaction counter as an input This is based on the observation that different cards of type B with the same counter value produce different codes It is thought that these digits may be a replacement for the 3-digit CVC number typically found on a credit card (Source: Heydt-Benjamin, et al, 2006) Slide 13 Protocol Detail: Type C Cards Cards of type C are similar to type B cards, but with a few important differences Cards of type C output a unique transaction code that is 8 digits instead of 3 like type B cards The transaction counter, located in the cardholders name field, displays only 3 digits instead of 4 A fixed pseudonym is used rather than sending the embossed card number over the air (Source: Heydt-Benjamin, et al, 2006) Slide 14 Attacks on the Technology Skimming Attack Since there is no sort of mutual authentication in RFID-enabled credit cards, it is possible for anyone with an HF RFID reader to communicate with the RFID tag on the credit card, if in range, and get magnetic strip data such as cardholders name, card number, and expiration date. This information can then be used to create a duplicate swipe-only card. (Source: Nithyanand, 2009) Slide 15 Attacks on the Technology Eavesdropping Attack Eavesdropping attacks are accomplished by having a reader record the data that is streamed between the tag on the RFID-enabled credit card and another legitimate reader. As in a skimming attack, the attacker now has the magnetic strip data to create a swipe-only card. However, unlike a skimming attack, this cannot be mitigated by protecting the card in some sort of protective case, because the card must be removed from such a case to use it for a transaction. (Source: Nithyanand, 2009) Slide 16 Attacks on the Technology: Replay Unrestricted Replay A card that always reports the same data needs to be scanned only once After that the attacker can replay the captured data at their will, and the transaction processing network cannot detect any difference between a replay and successive transactions with a the real card. The cards of type A are susceptible to this kind of attack. (Source: Heydt-Benjamin, et al, 2006) Slide 17 Attacks on the Technology: Replay Replay with Race Condition A card that uses a transaction counter and rolling code poses more of a challenge to attack if the back-end transaction processing network checks and stores counter values. In such a case, once transaction n has been accepted by the transaction processing network, any transactions numbered less than n should be declined if ever presented in any way, shape, or form. However, this can be defeated if an attacker skims a transaction from a card, and replays that transaction to the transaction processing network before the legitimate user has a chance to use his card, then the network would accept the attackers transactions and could actually decline the legitimate ones. (Source: Heydt-Benjamin, et al, 2006) Slide 18 Attacks on the Technology: Replay Counter Rollover If a transaction counter is the only changing input to a code, then the number of possible codes is limited by the maximum transaction counter value. Then we have two cases: Case 1: The counter is permitted to roll over, repeating from the beginning, thus also repeating the codes from the beginning. An adversary that has sufficient time in proximity to a card can build a database of all possible counter values and their corresponding codes, and therefore can mimic all possible behavior of the targeted card. Type B cards are susceptible to this attack. Case 2: The card refuses to engage in additional transactions once the counter is exhausted. This can lead to a DoS attack against the targeted card if the attacker has the necessary time in proximity to exhaust the counter by repeated skimming. Type C cards exhibit this behavior. (Source: Heydt-Benjamin, et al, 2006) Slide 19 Attacks on the Technology Relay Attack In this attack, the adversary involves a pair working together; a mole and a proxy. The mole possesses a credit card reader emulator with a non-RFID radio link to the proxys credit card emulator. 1. The mole stands or sits down next to the user, and the moles device rapidly discovers the users credit card. 2. The proxy receiving this relayed signal approaches the POS terminal and initiates a purchase. 3. The proxy presents his credit card emulator to the POS terminal. 4. The credit card emulator receives commands from the POS terminal and relays them to the moles device, which transmits the commands to the users credit card. 5. Likewise, the responses from the users credit card are relayed through the moles device and are broadcast from the proxys credit card emulator to the POS terminal. 6. The purchase should then succeed, and would be charged to the user. Even if the users card technology uses application-layer challenges or transaction counter protocols, this attack would still be successful because the protocol messages would simply be relayed between the card and reader with all of the other communicated data in the attack. (Source: Heydt-Benjamin, et al, 2006) Slide 20 Attacks on the Technology Counterfeit and Hacked Terminal Attacks These attacks require legitimate RFID readers at POS terminals to be replaced with counterfeit or hacked readers. These hacked readers would record all RFID communication received by all interacting cards, also logging keystrokes of the PIN pad along with a time stamp of the interaction. The attackers at the end of the day would look up the data stored in the terminal and note the victims name, card number, and card expiration date. Since a PIN is required for all purchases over $25, they use the keystroke log to match up the PIN number entered by the victim. Again, like in a skimming attack, the information could be used to create a swipe only version of the card and take it to an ATM and clean out the victims account. These attacks would be especially easy if there was cooperation from the retailer as an accomplice to the act. (Source: Nithyanand, 2009) Slide 21 Attacks on the Technology Cross-contamination Attack This sort of attack combines any of the other attacks with a public information search to locate the victims address, among other personal information. Once the card information is combined with the victims address, and other information, the user can commit fraud by having a new card mailed, since the victims billing address is usually their mailing address. Many of the security questions asked by card companies are easily deciphered using public information. If the card company requires it to be sent to the billing address, the attacker could even read a newly-issued card through the mailing envelope, without opening it, using a special reader. Combining the card data obtained from the reader with the name and address information on the envelope, and a phone number from an online directory, the attacker can make online purchases at retailers that do not require a CVC number to be given. (Source: Heydt-Benjamin, et al, 2006) Slide 22 Attacks on the Technology Privacy Invasion & Tracking Proven by Heydt-Benjamins research team, the transcripts of their research showed that personally identifiable information is broadcast in cleartext by every RFID-enabled credit card tested, which encompasses card types A, B, and C enumerated here. The transaction counter found in some of the cards could be exploited by the vendor in the following fashion: by storing the transaction counter, a vendor could tell how often the card was used to make purchases from other vendors. Targets that use their cards heavily might be targeted for specific advertising, by combining the purchase frequency data with customer data that the vendor already has in their database, such as name, address, email, etc. (Source: Heydt-Benjamin, et al, 2006) Slide 23 Attacks on the Technology: 2012 Example In January of 2012, at the Shmoocon hacker conference, well-known security researcher, Kristin Paget, demonstrated on stage how easy it is to take advantage of the security vulnerabilities of the RFID-enabled credit cards. Using a Vivotech RFID card reader that was purchased on eBay for $50, that is small enough to fit in a coat pocket, Paget was able to read a volunteers card. She then used the data that the card reader obtained and fed it into a $300 card magnetizing tool to encode the data onto a blank credit card. Finally, using a Square reader plugged into an iPhone, Paget swiped the newly-created card and made a successful $15 payment to herself, while giving the volunteer a $20 bill to avoid any charges of fraud. (Source: Greenberg, 2012) Slide 24 Attacks on the Technology: Other Examples YouTube Video: How to Hack RFID- enabled Credit Cards for $8 http://www.youtube.com/watch?v=vmajlKJlT3U YouTube Video: RFID Scam credit cards 2012 Similar technique but with a cellphone as a reader http://www.youtube.com/watch?v=KimImzPLNyI Slide 25 Countermeasures Shielding and Blocking One countermeasure to some cases of relay attacks and skimming is to find a way to ensure that the RFID-enabled credit cards are not readable when they are not in use, such as in the cardholders wallet or pocket. Shielding A Faraday cage is a physical cover in the form of a metal sheet or mesh that certain radio waves cannot penetrate. Consumers can purchase Faraday cages in the form of slipcases and wallets to shield unwanted scanning of their RFID-enabled credit cards. (Source: Juels, Rivest, & Szydlo, 2003) Slide 26 Countermeasures Blocking An RFID blocker tag is a cheap passive RFID device that can simulate many ordinary tags simultaneously The blocker tag does not engage in an active form of jamming; By participating in the tag-reading process in a super-compliant way it performs what could be considered passive jamming. A blocker tag simulates the full spectrum of possible serial numbers for tags, thereby obscuring the serial numbers of other tags. The blocker tag effectively overwhelms the reading process by forcing it to sweep the full space of all possible tag identifiers, which is extremely large, with 2 k possibilities, k being the fixed bit-length of the identifiers; Usually k=64, 96, or 128. Whenever the reader queries tags for their next bit value, the blocker tag simultaneously broadcasts both a 0 bit and a 1 bit; the blocker tag may require two antennae to do this. This forced collision drives the reader to explore the entire space. The net effect is that the blocker tag blocks the reading of all tags. (Source: Juels, Rivest, & Szydlo, 2003) Slide 27 Countermeasures Signaling the Cardholders Intent Credit cards themselves could be modified to activate only after indication of user intent. A simple push button would serve this purpose but more sophisticated sensors might serve the same purpose, such as light sensors that render cards inactive in the dark, heat sensors that detect the proximity of the human hand, or even motion sensors that detect a telltale tap-and-go trajectory. (Source: Juels, Rivest, & Szydlo, 2003) Slide 28 Countermeasures Better Cryptography Contactless smart cards capable of robust cryptography have been available for some time. These techniques have already been implemented in payment card systems in the EMV (EuroPay/Mastercard/Visa) standards commonly used in Europe. If personally identifiable data can only be decrypted by authorized readers, then the danger of many of the privacy invasion attacks discussed already are mitigated. (Source: Juels, Rivest, & Szydlo, 2003) Slide 29 Conclusion Randy Vanderhoov, executive director of the industry group of the Smart Card Alliance has stated that in 6 years, and 100 million users of the cards, no real- world instances of the fraud, like the example by Kristin Paget, have ever been reported. The thought is that with the newer cards having the changing transaction identifier in them that its extremely difficult for an attacker to make a fraudulent transaction of a card more than once. However, the counter argument is that it will only cause an attacker to make fraudulent purchases from a larger number of targets to monetize the crime. (Source: Greenberg, 2012) Slide 30 References Heydt-Benjamin, Bailey, Fu, Juels, OHare, Tom. Vulnerabilities in first-generation RFID-enabled credit cards. 2006. http://cnfolio.com/public/rfid_credit_cards.pdf. Web. May 3, 2013.http://cnfolio.com/public/rfid_credit_cards.pdf Greenberg, Andy. Hackers Demo Shows How Easily Credit Cards Can Be Read Through Clothes and Wallets. Jan. 30, 2012. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo- shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/. Web. May 3, 2013.http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo- shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/ Clarke, Roger. The Dangers of Contactless Payment: Visa PayWave and MasterCard PayPass RFID-Chip Schemes. Sept. 12, 2012. http://www.rogerclarke.com/EC/CPS-12.html. Web. May 3, 2013.http://www.rogerclarke.com/EC/CPS-12.html Visa. Visa payWave for Merchants: Frequently Asked Questions. 2008. http://usa.visa.com/download/merchants/paywave_merchant_faq.pdf. Web. May 3, 2013. http://usa.visa.com/download/merchants/paywave_merchant_faq.pdf Chen, Tsuei, Kevin. Benefits and Security Vulnerabilities of Contactless Card Payment Systems. Dec. 11, 2012. http://www.wib.org/publications__resources/technology__security_digest/dec11/chen.html. Web. May 3, 2013. http://www.wib.org/publications__resources/technology__security_digest/dec11/chen.html Acme Technologies. Magnetic Stripe Track 1, Track 2 Data Description. 2010. http://www.acmetech.com/documentation/credit_cards/magstripe_track_format.html. Web. May 3, 2013. http://www.acmetech.com/documentation/credit_cards/magstripe_track_format.html Nithyanand, Rishab. Dispelling the Securing Plastic Money Using an RFID Based Protocol Stack. 2009. http://eprint.iacr.org/2009/387.pdf. Web. May 3, 2013.http://eprint.iacr.org/2009/387.pdf Juels, Rivest, Szydlo, Michael. Dispelling The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. Oct., 2003. http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/blocker/blocker.pdf. Web. May 3, 2013. http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/blocker/blocker.pdf