CprE 537 Eric McAllister

Uploaded 27 Nov 2013


Overview


Introduction


Transaction Process


Credit Card Data


Transaction Protocol


Attacks


Countermeasures


Conclusion


Introduction


Rather than being swiped through a reader, RFID-enabled credit cards work by being held in close proximity to it


Usage has grown from 20-55 million cards circulated worldwide in 2006 to 100 million in 2012


MasterCard’s PayPass and Visa’s payWave are the most common


Purchases under $25 don’t require a signature, similar to many traditional magnetic stripe swipe transactions

(Source: Greenberg, 2012; Clarke, 2012; Visa, 2008)

Benefits of RFID-enabled Cards


Consumer:


Shorter wait times in lines since it’s a quicker
transaction process than handing a card to
someone to swipe


Don’t have to hand your card to a stranger
who could do criminal things with it


Merchant:


Increased number of purchases


Shorter wait times

(Source: Chen, Tsuei, 2011)

Transaction Process: Card Data


Credit card magnetic strips have 3 data
tracks


Track 1


Standard of the International Air Transport Association


Used by the airlines to secure reservations with a credit card


Track 2


Standard of the American Banking Association


Commonly used for financial transactions


Track 3


Similar to Tracks 1 and 2 but is rarely used

(Source: Heydt-Benjamin et al., 2006; Acme Tech, 2010)

Card Data: Track 1


Layout:


| SS | FC | PAN | Name | FS | Additional Data | ES | LRC |


SS = Start Sentinel “%”


FC = Format Code


PAN = Primary Account # (19 digits max)


FS = Field Separator “^”


Name = Cardholder Name (26 alphanumeric
characters max)


Additional Data = Card Expiration Date, offset,
encrypted PIN, etc.


ES = End Sentinel “?”


LRC = Longitudinal Redundancy Check


(Source: Acme Tech, 2010)

Card Data: Track 2


Layout:


|SS | PAN | FS | Additional Data | ES | LRC |


SS = Start Sentinel “;”


PAN = Primary Account # (19 digits max)


FS = Field Separator “=”


Additional Data = Card Expiration Date,
offset, encrypted PIN, etc.


ES = End Sentinel “?”


LRC = Longitudinal Redundancy Check


(Source: Acme Tech, 2010)
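Both track layouts above can be checked programmatically. The following is an added example, not code from the slides or from any of the cited sources: a Python parser for Track 1 and Track 2 strings that splits the fields at the sentinels and recomputes the LRC, which is the XOR of each character's code value (6-bit for Track 1, 4-bit for Track 2) from the start sentinel through the end sentinel inclusive. The sample tracks are constructed (a test-style PAN and a fictional cardholder), and splitting "Additional Data" into a YYMM expiry, a 3-digit service code and discretionary data is an assumption about the common layout, not something the slides state.

```python
import re

# Constructed sample tracks (test-style PAN, fictional cardholder); not real card data.
TRACK1_SAMPLE = "%B4111111111111111^DOE/JANE^2512101?("
TRACK2_SAMPLE = ";4111111111111111=2512101?8"

# Track 1 is recorded in a 6-bit alphanumeric code (ASCII 0x20..0x5F), Track 2 in a
# 4-bit numeric code (ASCII 0x30..0x3F). The LRC is the XOR of those code values over
# every character from the start sentinel through the end sentinel, inclusive.
_CODE = {1: (0x20, 0x3F), 2: (0x30, 0x0F)}


def compute_lrc(body: str, track: int) -> str:
    """LRC character for a track body that starts with SS and ends with ES."""
    base, mask = _CODE[track]
    acc = 0
    for ch in body:
        acc ^= (ord(ch) - base) & mask
    return chr(base + acc)


# Assumed split of "Additional Data": YYMM expiry, 3-digit service code, discretionary data.
_TRACK1 = re.compile(r"^%(?P<fc>[A-Z])(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
                     r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?(?P<lrc>.)$")
_TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})"
                     r"(?P<disc>[^?]*)\?(?P<lrc>.)$")


def parse_track(raw: str) -> dict:
    """Parse a Track 1 or Track 2 string (chosen by its start sentinel) and check its LRC."""
    if raw.startswith("%"):
        track, m = 1, _TRACK1.match(raw)
    elif raw.startswith(";"):
        track, m = 2, _TRACK2.match(raw)
    else:
        raise ValueError("unknown start sentinel %r" % raw[:1])
    if m is None:
        raise ValueError("data does not match the Track %d layout" % track)
    fields = m.groupdict()
    fields["track"] = track
    # The LRC covers everything before the LRC character itself, i.e. SS .. ES.
    fields["lrc_ok"] = compute_lrc(raw[:-1], track) == fields["lrc"]
    return fields


def masked_pan(pan: str) -> str:
    """PAN rendering that is safe for logs: first 6 and last 4 digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for sample in (TRACK1_SAMPLE, TRACK2_SAMPLE):
        f = parse_track(sample)
        print("Track %d  PAN %s  exp %s  LRC ok: %s"
              % (f["track"], masked_pan(f["pan"]), f["exp"], f["lrc_ok"]))
```

A Type A card, as described later in the slides, emits exactly this kind of string over the air, so the same parser applies to its output.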

Protocol Overview


The customer holds his card within a distance of 10-15 centimeters from the POS (Point of Sale) RFID reader


The RFID Tag in the card is activated by the RF signals sent by the
Reader


The transaction is authorized without a PIN for transactions under $25;
else the customer needs to enter a PIN at the POS terminal


Once the PIN is entered, a cryptographic matching algorithm verifies
the correctness of the entered PIN


The card sends, via an RF signal, the information that would normally be obtained from the magnetic strip of the card (card number, expiration date, cardholder’s name). This information is sent in plain text by some banks, while other banks use pseudonyms, transaction counters, or cryptography to conceal some of this very sensitive information


The RFID Reader transfers this information to the back end processing
system along with other transaction related information such as
destination account, transaction time, and the transaction amount


The charges are made and the amount is transferred to the merchant
from the card holder’s account

(Source: Nithyanand, 2009)

Protocol Detail


The best detail we have comes from a group that reverse-engineered a bunch of cards in 2006, but can’t disclose in-depth detail due to lawsuit potential


Based on the output from their RFID card
reader, they divided the cards into 3 classes,
referenced as Card Type A, B, and C


YouTube video: “Why MythBusters Won’t do RFID”


Conversation with TI, lawyers


Another example of researchers not being able to
disclose their research findings


http://www.youtube.com/watch?v=X034R3yzDhw


(Source: Heydt-Benjamin, et al, 2006)

Protocol Detail: Type A Cards


When the reader is presented with a card
of type “A”, the reader outputs data through
the serial port identical to the data
contained on the magnetic strip of the
same card


When the reader is presented with the same card, the output is always the same; there is no evidence, based on the output of the reader, of a counter, one-time password, or any other mechanism to prevent replay attacks


(Source: Heydt-Benjamin, et al, 2006)


Protocol Detail: Type B Cards


The output of card type “B” demonstrates the presence of a counter, determined to be such because of monotonic incrementation with successive transactions


Three digits are observed to change with each
transaction in no pattern that was identifiable


Due to the relatively high entropy of the three digits, it is
hypothesized that they are the output of some
cryptographic algorithm that takes the transaction counter
as an input


This is based on the observation that different cards of
type B with the same counter value produce different
codes


It is thought that these digits may be a “replacement” for the 3-digit CVC number typically found on a credit card


(Source: Heydt-Benjamin, et al, 2006)


Protocol Detail: Type C Cards


Cards of type “C” are similar to type B
cards, but with a few important differences


Cards of type C output a unique
transaction code that is 8 digits instead of 3
like type B cards


The transaction counter, located in the
cardholder’s name field, displays only 3
digits instead of 4


A fixed pseudonym is used rather than
sending the embossed card number over
the air


(Source: Heydt-Benjamin, et al, 2006)


Attacks on the Technology


Skimming Attack


Since there is no sort of mutual authentication in RFID-enabled credit cards, it is possible for anyone with an HF RFID reader to communicate with the RFID tag on the credit card, if in range, and get magnetic strip data such as cardholder’s name, card number, and expiration date.


This information can then be used to create a duplicate swipe-only card.


(Source: Nithyanand, 2009)


Attacks on the Technology


Eavesdropping Attack


Eavesdropping attacks are accomplished by having a reader record the data that is streamed between the tag on the RFID-enabled credit card and another legitimate reader.


As in a skimming attack, the attacker now has the magnetic strip data to create a swipe-only card.


However, unlike a skimming attack, this cannot
be mitigated by protecting the card in some sort
of protective case, because the card must be
removed from such a case to use it for a
transaction.


(Source: Nithyanand, 2009)


Attacks on the Technology:
Replay


Unrestricted Replay


A card that always reports the same data
needs to be scanned only once


After that the attacker can replay the captured data at will, and the transaction processing network cannot detect any difference between a replay and successive transactions with the real card.


The cards of type A are susceptible to this
kind of attack.


(Source: Heydt-Benjamin, et al, 2006)


Attacks on the Technology:
Replay


Replay with Race Condition


A card that uses a transaction counter and rolling code poses more of a challenge to attack if the back-end transaction processing network checks and stores counter values.


In such a case, once transaction n has been accepted by
the transaction processing network, any transactions
numbered less than n should be declined if ever
presented in any way, shape, or form.


However, this can be defeated: if an attacker skims a transaction from a card and replays that transaction to the transaction processing network before the legitimate user has a chance to use his card, the network would accept the attacker’s transaction and could actually decline the legitimate ones.


(Source: Heydt-Benjamin, et al, 2006)
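The back-end counter check described above can be modelled to show exactly why it does not settle the race. This is an added example, not code from Heydt-Benjamin et al.: the rolling code is a hypothetical HMAC of the transaction counter under a per-card key (the real card algorithm is undisclosed; the per-card key only reproduces the observation that different cards with the same counter produce different codes), and `BackEnd` is a minimal issuer-side verifier that checks the code and declines any counter not greater than the last one accepted for that card. The key and pseudonym are constructed for the demo.

```python
import hmac
import hashlib

# Constructed per-card secret and pseudonym for the demo; no real card is modelled.
CARD_KEY = b"constructed-demo-card-key"
PSEUDONYM = "card-pseudonym-0001"


def rolling_code(card_key: bytes, counter: int, digits: int = 3) -> str:
    """Hypothetical stand-in for the undisclosed card algorithm: an HMAC of the
    transaction counter under a per-card key, truncated to `digits` decimal digits
    (3, like the changing digits observed on type B cards)."""
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class BackEnd:
    """Minimal issuer-side verifier: the code must match, and the counter must be
    strictly greater than the highest counter already accepted for that card."""

    def __init__(self, keys: dict):
        self.keys = keys              # pseudonym -> card key
        self.last_counter = {}        # pseudonym -> highest accepted counter

    def process(self, pseudonym: str, counter: int, code: str) -> str:
        key = self.keys.get(pseudonym)
        if key is None:
            return "declined: unknown card"
        if not hmac.compare_digest(code, rolling_code(key, counter)):
            return "declined: bad code"
        if counter <= self.last_counter.get(pseudonym, -1):
            return "declined: stale counter (possible replay)"
        self.last_counter[pseudonym] = counter
        return "accepted"


def race_condition_demo() -> tuple:
    """The same counter-n transaction presented twice: whoever presents it first wins.
    A skimmed copy replayed before the cardholder's own use is accepted, and the
    genuine presentation is then declined as stale. The data alone does not let the
    back end tell the two apart, so a stale-counter decline should also raise an
    alert rather than be treated as a routine rejection."""
    backend = BackEnd({PSEUDONYM: CARD_KEY})
    n = 7
    txn = (PSEUDONYM, n, rolling_code(CARD_KEY, n))
    first = backend.process(*txn)      # replayed copy arrives first
    second = backend.process(*txn)     # cardholder's genuine presentation
    return first, second


if __name__ == "__main__":
    print(race_condition_demo())
```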


Attacks on the Technology:
Replay


Counter Rollover


If a transaction counter is the only changing input to a code, then
the number of possible codes is limited by the maximum
transaction counter value. Then we have two cases:


Case 1:

The counter is permitted to roll over, repeating from the
beginning, thus also repeating the codes from the beginning. An
adversary that has sufficient time in proximity to a card can build
a database of all possible counter values and their corresponding
codes, and therefore can mimic all possible behavior of the
targeted card. Type B cards are susceptible to this attack.



Case 2:

The card refuses to engage in additional transactions once the counter is exhausted. This can lead to a DoS attack against the targeted card if the attacker has the necessary time in proximity to exhaust the counter by repeated skimming. Type C cards exhibit this behavior.


(Source: Heydt-Benjamin, et al, 2006)


Attacks on the Technology


Relay Attack


In this attack, the adversary is a pair working together: a “mole” and a “proxy”.


The mole possesses a credit card reader emulator with a non-RFID radio link to the proxy’s credit card emulator.

1. The mole stands or sits down next to the user, and the mole’s device rapidly discovers the user’s credit card.

2. The proxy receiving this relayed signal approaches the POS terminal and initiates a purchase.

3. The proxy presents his credit card emulator to the POS terminal.

4. The credit card emulator receives commands from the POS terminal and relays them to the mole’s device, which transmits the commands to the user’s credit card.

5. Likewise, the responses from the user’s credit card are relayed through the mole’s device and are broadcast from the proxy’s credit card emulator to the POS terminal.

6. The purchase should then succeed, and would be charged to the user.


Even if the user’s card technology uses application-layer challenges or transaction counter protocols, this attack would still be successful because the protocol messages would simply be relayed between the card and reader with all of the other communicated data in the attack.


(Source: Heydt-Benjamin, et al, 2006)


Attacks on the Technology


Counterfeit and Hacked Terminal Attacks


These attacks require legitimate RFID readers at POS terminals
to be replaced with counterfeit or hacked readers.


These hacked readers would record all RFID communication
received by all interacting cards, also logging keystrokes of the
PIN pad along with a time stamp of the interaction.


The attackers at the end of the day would look up the data
stored in the terminal and note the victim’s name, card number,
and card expiration date.


Since a PIN is required for all purchases over $25, they use the keystroke log to match up the PIN entered by the victim.


Again, as in a skimming attack, the information could be used to create a swipe-only version of the card and take it to an ATM and clean out the victim’s account.


These attacks would be especially easy if there was cooperation
from the retailer as an accomplice to the act.


(Source: Nithyanand, 2009)


Attacks on the Technology


Cross-contamination Attack


This sort of attack combines any of the other attacks with a
public information search to locate the victim’s address, among
other personal information.


Once the card information is combined with the victim’s address and other information, the attacker can commit fraud by having a new card mailed, since the victim’s billing address is usually their mailing address.


Many of the security questions asked by card companies are
easily deciphered using public information.


If the card company requires it to be sent to the billing address, the attacker could even read a newly-issued card through the mailing envelope, without opening it, using a special reader.


Combining the card data obtained from the reader with the name
and address information on the envelope, and a phone number
from an online directory, the attacker can make online purchases
at retailers that do not require a CVC number to be given.


(Source: Heydt-Benjamin, et al, 2006)


Attacks on the Technology


Privacy Invasion & Tracking


Heydt-Benjamin’s research team proved, and the transcripts of their research showed, that personally identifiable information is broadcast in cleartext by every RFID-enabled credit card tested, which encompasses card types A, B, and C enumerated here.



The transaction counter found in some of the cards could
be exploited by the vendor in the following fashion: by
storing the transaction counter, a vendor could tell how
often the card was used to make purchases from other
vendors. Targets that use their cards heavily might be
targeted for specific advertising, by combining the
purchase frequency data with customer data that the
vendor already has in their database, such as name,
address, email, etc.


(Source: Heydt-Benjamin, et al, 2006)


Attacks on the Technology: 2012 Example


In January of 2012, at the Shmoocon hacker conference, well-known security researcher Kristin Paget demonstrated on stage how easy it is to take advantage of the security vulnerabilities of RFID-enabled credit cards.


Using a Vivotech RFID card reader that was purchased on eBay for $50 and is small enough to fit in a coat pocket, Paget was able to read a volunteer’s card.


She then used the data that the card reader obtained and
fed it into a $300 card magnetizing tool to encode the data
onto a blank credit card.


Finally, using a Square reader plugged into an iPhone, Paget swiped the newly-created card and made a successful $15 payment to herself, while giving the volunteer a $20 bill to avoid any charges of fraud.

(Source: Greenberg, 2012)

Attacks on the Technology: Other Examples


YouTube Video: “How to Hack RFID-enabled Credit Cards for $8”


http://www.youtube.com/watch?v=vmajlKJlT3U




YouTube Video: “RFID Scam credit cards 2012”


Similar technique but with a cellphone as a reader


http://www.youtube.com/watch?v=KimImzPLNyI


Countermeasures


Shielding and Blocking


One countermeasure to some cases of relay attacks and skimming is to find a way to ensure that the RFID-enabled credit cards are not readable when they are not in use, such as in the cardholder’s wallet or pocket.


Shielding


A Faraday cage is a physical cover in the form
of a metal sheet or mesh that certain radio
waves cannot penetrate.


Consumers can purchase Faraday cages in the form of slipcases and wallets to shield their RFID-enabled credit cards from unwanted scanning.


(Source: Juels, Rivest, & Szydlo, 2003)

Countermeasures


Blocking


An RFID blocker tag is a cheap passive RFID device that can simulate
many ordinary tags simultaneously


The blocker tag does not engage in an active form of jamming; by participating in the tag-reading process in a super-compliant way it performs what could be considered “passive jamming”.


A blocker tag simulates the full spectrum of possible serial numbers for
tags, thereby obscuring the serial numbers of other tags.


The blocker tag effectively overwhelms the reading process by forcing it to sweep the full space of all possible tag identifiers, which is extremely large, with 2^k possibilities, k being the fixed bit-length of the identifiers; usually k = 64, 96, or 128.


Whenever the reader queries tags for their next bit value, the blocker tag
simultaneously broadcasts both a ‘0’ bit and a ‘1’ bit; the blocker tag may
require two antennae to do this.


This forced collision drives the reader to explore the entire space.


The net effect is that the blocker tag “blocks” the reading of all tags.


(Source: Juels, Rivest, & Szydlo, 2003)
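To make the “forced collision” concrete, here is an added simulation (not code from Juels, Rivest & Szydlo) of binary tree-walking singulation over k-bit identifiers: the reader queries a prefix, every tag whose ID starts with it answers with its next bit, and a collision makes the reader descend into both subtrees. A universal blocker tag answers every query with both bits, so the reader ends up visiting all 2^k leaves and the real tags are hidden among them. k = 8 and the two tag IDs are constructed so that the whole space can be enumerated.

```python
from typing import Iterable, List, Set, Tuple


def tree_walk(tag_ids: Iterable[str], k: int, blocker: bool = False) -> Tuple[List[str], int]:
    """Simulate binary tree-walking singulation over k-bit identifiers.

    The reader queries a prefix; every tag whose ID starts with it answers with the
    next bit. One distinct answer lets the reader extend the prefix; two (a collision)
    make it descend into both subtrees. A universal blocker tag answers every query
    with both '0' and '1', so every query collides. Returns (ids read, queries sent).
    """
    tags = list(tag_ids)
    if any(len(t) != k or set(t) - {"0", "1"} for t in tags):
        raise ValueError("tag IDs must be %d-bit binary strings" % k)
    ids_read: List[str] = []
    queries = 0

    def walk(prefix: str) -> None:
        nonlocal queries
        if len(prefix) == k:            # leaf: a (claimed) identifier has been singulated
            ids_read.append(prefix)
            return
        queries += 1
        answers: Set[str] = {t[len(prefix)] for t in tags if t.startswith(prefix)}
        if blocker:
            answers = {"0", "1"}        # the blocker forces a collision on every query
        for bit in sorted(answers):
            walk(prefix + bit)

    walk("")
    return ids_read, queries


def blocker_effect(tag_ids: Iterable[str], k: int) -> dict:
    """Compare a normal read with one performed in the presence of a blocker tag."""
    tags = list(tag_ids)
    plain_ids, plain_q = tree_walk(tags, k)
    blocked_ids, blocked_q = tree_walk(tags, k, blocker=True)
    return {
        "plain_ids": plain_ids, "plain_queries": plain_q,
        "blocked_ids": len(blocked_ids), "blocked_queries": blocked_q,
        # the real tags are lost among all 2**k leaves; the reader cannot single them out
        "real_tags_hidden": set(tags) <= set(blocked_ids) and len(blocked_ids) == 2 ** k,
    }


if __name__ == "__main__":
    # Constructed 8-bit IDs standing in for the identifiers two cards would emit.
    print(blocker_effect(["10110011", "00000101"], k=8))
```

With the real k values on the slide (64, 96 or 128) the blocked walk never finishes, which is the point of the countermeasure.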


Countermeasures


Signaling the Cardholder’s Intent


Credit cards themselves could be modified
to activate only after indication of user intent.


A simple push button would serve this purpose, but more sophisticated sensors might serve the same purpose, such as light sensors that render cards inactive in the dark, heat sensors that detect the proximity of the human hand, or even motion sensors that detect a telltale “tap-and-go” trajectory.


(Source: Juels, Rivest, & Szydlo, 2003)


Countermeasures


Better Cryptography


Contactless smart cards capable of robust
cryptography have been available for some
time.


These techniques have already been implemented in payment card systems in the EMV (EuroPay/Mastercard/Visa) standards commonly used in Europe.


If personally identifiable data can only be decrypted by authorized readers, then the danger of many of the privacy invasion attacks discussed already is mitigated.


(Source: Juels, Rivest, & Szydlo, 2003)


Conclusion


Randy Vanderhoof, executive director of the industry group the Smart Card Alliance, has stated that in 6 years, and 100 million users of the cards, no real-world instances of the fraud, like the example by Kristin Paget, have ever been reported.


The thought is that, because the newer cards carry a changing transaction identifier, it is extremely difficult for an attacker to make a fraudulent transaction with a card more than once.


However, the counter argument is that it will only
cause an attacker to make fraudulent purchases
from a larger number of targets to monetize the
crime.

(Source: Greenberg, 2012)

References


Heydt-Benjamin, Bailey, Fu, Juels, O’Hare, Tom. “Vulnerabilities in first-generation RFID-enabled credit cards.” 2006. http://cnfolio.com/public/rfid_credit_cards.pdf. Web. May 3, 2013.


Greenberg, Andy. “Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes and Wallets.” Jan. 30, 2012. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/. Web. May 3, 2013.


Clarke, Roger. “The Dangers of Contactless Payment: Visa PayWave and MasterCard PayPass RFID-Chip Schemes.” Sept. 12, 2012. http://www.rogerclarke.com/EC/CPS-12.html. Web. May 3, 2013.


Visa. “Visa payWave for Merchants: Frequently Asked Questions.” 2008. http://usa.visa.com/download/merchants/paywave_merchant_faq.pdf. Web. May 3, 2013.


Chen, Tsuei, Kevin. “Benefits and Security Vulnerabilities of Contactless Card Payment Systems.” Dec. 11, 2012. http://www.wib.org/publications__resources/technology__security_digest/dec11/chen.html. Web. May 3, 2013.


Acme Technologies. “Magnetic Stripe Track 1, Track 2 Data Description.” 2010. http://www.acmetech.com/documentation/credit_cards/magstripe_track_format.html. Web. May 3, 2013.


Nithyanand, Rishab. “Securing Plastic Money Using an RFID Based Protocol Stack.” 2009. http://eprint.iacr.org/2009/387.pdf. Web. May 3, 2013.


Juels, Rivest, Szydlo, Michael. “The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy.” Oct., 2003. http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/blocker/blocker.pdf. Web. May 3, 2013.