Maryam Mehrnezhad Feng Hao Siamak F. Shahandashti Newcastle university, UK CryptoForma meeting,...


Tap-Tap and Pay (TTP): Preventing The Mafia Attack in NFC Payment

Maryam Mehrnezhad, Feng Hao, Siamak F. Shahandashti

Newcastle University, UK
CryptoForma meeting, Belfast, 4 May 2015

What is NFC payment?

- An upcoming technology that uses RFID for contactless payments
- Holding card in front of reader without entering PIN
- Using an NFC-enabled mobile: Google Wallet, Apple Pay, Android Pay

It is estimated that mobile NFC payments will reach 670 billion US dollars by 2015 (Juniper Research, a leading analyst firm in the mobile and digital tech sector).

What is Mafia attack?

- Mafia fraud
- MITM attack
- Relay attack
- Wormhole attack
- Ghost and leech attack
- Reader and ghost attack

It is known that NFC payment is vulnerable to Man-In-The-Middle (MITM) attacks. Here, the reader-and-ghost attack is of particular concern as a severe type of MITM attack. In this attack, the user consciously initiates an NFC payment with a legitimate-looking terminal (reader), but the reader actually relays data to another NFC payment terminal to pay for something more expensive. As an example, a user may wish to pay for a coffee but, unknowingly, her card is abused to pay for an expensive purchase in a jewellery shop. Since the charge displayed on the attacker's NFC reader can be an arbitrary amount, users could easily be deceived without any awareness. For ordinary users, it is difficult, if not impossible, to tell whether the NFC reader they deal with is honest or controlled by an attacker. In this work, we focus on tackling the reader-and-ghost attack.

The idea

- Observation: physical tapping between a pair of devices creates transient vibrations, which can be measured using embedded accelerometer sensors.
- The two measurements are expected to be similar if from the same tapping and different if from different tappings.
- By comparing the similarity of the two measurements, we distinguish the Mafia attack from a normal NFC transaction.

Commitment

TTP overview

Is it possible?

- Previous works: other sensor data (GPS, light, audio, temperature)
- We DO NOT assume that the attacker's reader is in a different environment from the legitimate reader.

Implementation

Sensor data processing

- Accelerometer data: sequence of 3-dimensional measurements
- Vector length to include all dimensions
- Derivatives to remove the noise and bring the sequences to the same scale

Sequence alignment

- Identifying the peaks and cutting the sequence 0.2 seconds before the first peak and after the second peak
- 0.6 to 1.5 seconds


Similarity comparison

- Correlation coefficient (time domain)
- Coherence (frequency domain)
- Energy difference: estimates how strongly the users tap; the distance of two signals in terms of the total signal energy levels
- Peak gap difference: roughly estimates how fast the users tap; the difference of the distances of the two extremums in two sequences
- TTP Decision Engine is a combination of all parameters (weighted sum)
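The processing and comparison steps above, as an added Python example (not the authors' implementation, which was analysed in Matlab). It covers three of the four measures; coherence is left out to stay within the standard library. The sampling rate, the 0.2 s cut on both sides, the normalisations, the weights and the synthetic double-tap traces are all assumptions.

```python
import math

FS = 100  # assumed sampling rate (Hz); the slides do not state one

def preprocess(samples):
    """3-axis samples -> derivative of the vector length."""
    mag = [math.sqrt(x * x + y * y + z * z) for x, y, z in samples]
    return [b - a for a, b in zip(mag, mag[1:])]

def two_peaks(seq, min_gap=FS // 10):
    """Indices of the two strongest extrema at least min_gap samples apart."""
    order = sorted(range(len(seq)), key=lambda i: -abs(seq[i]))
    second = next(i for i in order if abs(i - order[0]) >= min_gap)
    return tuple(sorted((order[0], second)))

def align(seq, pad=FS // 5):
    """Cut 0.2 s before the first peak and 0.2 s after the second (assumed reading)."""
    p1, p2 = two_peaks(seq)
    return seq[max(0, p1 - pad):p2 + pad + 1]

def correlation(a, b):
    n = min(len(a), len(b))          # simplification: compare the common prefix
    a, b = a[:n], b[:n]
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    var = sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(var) if var else 0.0

def energy_diff(a, b):
    ea, eb = sum(x * x for x in a), sum(y * y for y in b)
    return abs(ea - eb) / max(ea, eb)   # normalised to 0..1 (assumption)

def peak_gap_diff(a, b):
    (a1, a2), (b1, b2) = two_peaks(a), two_peaks(b)
    return min(1.0, abs((a2 - a1) - (b2 - b1)) / FS)   # seconds, capped at 1

def ttp_score(device, reader, w=(0.6, 0.2, 0.2)):      # weights are assumed
    a, b = align(preprocess(device)), align(preprocess(reader))
    return (w[0] * correlation(a, b) + w[1] * (1 - energy_diff(a, b))
            + w[2] * (1 - peak_gap_diff(a, b)))

def double_tap(gap_s, strength, n=200):
    """Constructed sample: gravity on z plus two decaying vibration bursts."""
    taps = (50, 50 + round(gap_s * FS))
    return [(0.0, 0.0, 9.8 + sum(strength * math.exp(-(i - t) / 5)
             * math.cos(1.5 * (i - t)) for t in taps if i >= t))
            for i in range(n)]

same = ttp_score(double_tap(0.5, 3.0), double_tap(0.5, 2.7))
relayed = ttp_score(double_tap(0.5, 3.0), double_tap(0.8, 1.5))
print(f"same tapping: {same:.3f}  different tappings: {relayed:.3f}")
```

A decision threshold between the two scores would accept the first pair and reject the second; on real accelerometer traces the separation is far less clean, which is what the error rates in the results describe.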

Performance Evaluation

- Host-based Card Emulation in Android
- 23 volunteer users, each five times
- Presented with a video guide
- MyMobiler to operate the reader
- Further analysis in Matlab

Results

- False negative rate (FNR): honest transaction fails
- False positive rate (FPR): Mafia transaction succeeds
- Equal Error Rate (EER): where the curves (based on threshold) meet
- 9.99%
- 1.1 attempts, honest user
- 10 attempts, attacker

Usability Study

- 22 users, two tasks
- Presented with a brief study description
- Asked to fill in a questionnaire
- Rate (convenience, speed, and feeling of security)
- Free comments

Findings

Findings

- Contactless payment is more convenient
  "... the fact that I need to keep the device close to the reader after tapping made the experience less convenient".
- TTP is faster
  "Even [though] I had to tap twice, but the process felt faster comparing to the first one. I feel after tapping I automatically bring the phone close enough to the reader, but in first task, my phone was not close for a while and it took longer".
- TTP feels more secure
  "As before [i.e. task 1] payment is very easy. I like the action of tapping the reader as this made me feel more in control of when the transaction took place. I felt this method [TTP] was more secure due to the action of tapping to start the transaction. This meant I know when the transaction took place".
  "The payment [in task 1] is very easy, but I don't know when the connection between wallet and reader is made; range or time, so I would keep my payment device away from the reader to be sure until I want to pay."

Conclusion

- TTP is a simple and effective solution against the Mafia attack, and it works when both attackers share a similar environment.

Future work:

- Improving the error rate by using multiple sensors and more accurate ones in newer mobiles
- How to augment contactless cards with an accelerometer
- Barclay bPay band

Thanks #Fesenjoonthecat