Book Chapter

Position statement in RFID S&P panel: RFID and the middleman

Ross Anderson
- Vol. 4886, pp 46-49
TLDR
Designing the security protocols to mitigate man-in-the-middle attacks in bank-card payment systems will include most of the hot topics of IT policy over the last ten years as subproblems.
Abstract
Existing bank-card payment systems, such as EMV, have two serious vulnerabilities: the user does not have a trustworthy interface, and the protocols are vulnerable in a number of ways to man-in-the-middle attacks. Moving to RFID payments may, on the one hand, let bank customers use their mobile phones to make payments, which will go a fair way towards fixing the interface problem; on the other hand, protocol vulnerabilities may become worse. By 2011 the NFC vendors hope there will be 500,000,000 NFC-enabled mobile phones in the world. If these devices can act as cards or terminals, can be programmed by their users, and can communicate with each other, then they will provide a platform for deploying all manner of protocol attacks. Designing the security protocols to mitigate such attacks may be difficult. First, it will include most of the hot topics of IT policy over the last ten years (from key escrow through DRM to platform trust and accessory control) as subproblems. Second, the incentives may lead the many players to try to dump the liability on each other, leading to overall system security that is equivalent to the weakest link rather than to sum-of-efforts and is thus suboptimal.

Citations
Book Chapter

Practical NFC peer-to-peer relay attack using mobile phones

TL;DR: In this paper, the authors describe how a relay attack can be implemented against systems using legitimate peer-to-peer NFC communication by developing and installing suitable MIDlets on the attacker's own NFC-enabled mobile phones, and discuss how relay attack countermeasures using device location could be used in the mobile environment.
Journal Article

A framework for analyzing RFID distance bounding protocols

TL;DR: A unified framework that aims to improve analysis and design of distance bounding protocols, which includes a thorough terminology about the frauds, adversary and prover, thus disambiguating many misleading terms.

Cloning credit cards: a combined pre-play and downgrade attack on EMV contactless

TL;DR: This paper introduces an attack scenario on EMV contactless payment cards that permits an attacker to create functional clones of a card that contain the necessary credit card data as well as pre-played authorization codes.
Proceedings Article

On the power of active relay attacks using custom-made proxies

TL;DR: This paper presents several relay attacks on an ISO/IEC 14443-based smart card implementing an AES challenge-response protocol, and proposes a “three-phones-in-the-middle” attack that allows the communication to be relayed over more than 360 feet (110 meters).
Book Chapter

Mobile Smart Card Reader Using NFC-Enabled Smartphones

TL;DR: The idea of using an NFC-enabled mobile phone as a chip card reader for contactless smart cards enables ubiquitous, secure and convenient two-factor authentication and presents a use case for the German electronic identity card.
References
Book

Security Engineering: A Guide to Building Dependable Distributed Systems

TL;DR: In almost 600 pages of riveting detail, Ross Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables.
Proceedings Article

Why information security is hard - an economic perspective

TL;DR: The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as it is due to technical measures.
Journal Article

Why cryptosystems fail

TL;DR: It turns out that the threat model commonly used by cryptosystem designers was wrong: most frauds were not caused by cryptanalysis or other technical attacks, but by implementation errors and management failures, suggesting that a paradigm shift is overdue in computer security.
Book Chapter

System Reliability and Free Riding

TL;DR: In the context of system reliability, the authors can distinguish three prototype cases: purely voluntary provision of public goods, individuals may tend to shirk, and an inefficient level of the public good.
Book Chapter

Vulnerabilities in first-generation RFID-enabled credit cards

TL;DR: In this article, the authors analyzed the mechanisms that provide both security and privacy using samples from a variety of RFID-enabled credit cards, and observed that the cardholder's name and often the credit card number and expiration are leaked in plaintext to unauthenticated readers. Their homemade device, costing around $150, effectively clones one type of skimmed card, thus providing a proof-of-concept implementation for the RF replay attack.