
How contactless cards are still vulnerable to relay attack - ivank
https://www.benthamsgaze.org/2016/08/02/do-you-know-what-youre-paying-for-how-contactless-cards-are-still-vulnerable-to-relay-attack/
======
honkhonkpants
So many ridiculous hacks upon hacks going on here. There is only ONE WAY to
implement these payment systems and it was known to the designers of the smart
card and related public-key crypto designers 40 years ago: the merchant must
sign the transaction with their key, the user must inspect the signed
transaction on their own trusted device and enter PIN to sign with their
private key, and the whole thing is verified and cleared by the network
operators.

The pile of hacks we have today is just a result of the fact that the networks
don't want to operate the PKI.

~~~
germanier
Or more likely because customers don't want to inspect a transaction on their
own device at the supermarket checkout or even worse a transport fare gate. A
"solution" which takes minutes to perform is not a solution to the real-world
problem.

~~~
honkhonkpants
It's a tradeoff between speed and security. Anyway there's certainly no reason
why minutes need be the case. A contactless smartcard with an integrated e-ink
display and PIN pad would not take anywhere near the amount of time we
currently suffer in the US implementation of chip and PIN.

Edit: fare gate is a special class of problem. I don't expect TfL to be
screwing with me, whereas I may be highly suspicious of the point-of-sale
system down at the corner bodega.

~~~
sjtgraham
Totally unreasonable to implement. How are these cards supposed to run? They
don't have batteries. Even if this was realistic to deploy it would be
prohibitively expensive, far exceeding what it's costing banks to eat the
fraud.

~~~
honkhonkpants
Why? Forget the e-ink for a moment and just use LCD instead. I once had an LCD
calculator (no backlight, of course) that ran for a decade on a lithium
battery. Smart cards barely use any energy at all.

~~~
sjtgraham
Things a cheap calculator needs to do:

- Simple arithmetic on an occasional basis

Things an NFC card implementing the system you describe needs to do:

- Radio

- Public key crypto

- ASN.1 DER X.509 parsing to validate the signed transaction from the
terminal. The terminal would need to send a cert chain to the card and the
card follow the chain to the network root to correctly verify the terminal
signature.

- Parsing OCSP responses, which the terminal would have to staple to its cert
because the card has no other way of knowing the revocation status of the
terminal cert.

- Conform to ISO 7816 for interoperability with legacy equipment.

- Fit in a wallet/purse/pocket

- Be a reasonable cost

~~~
honkhonkpants
I already have a cryptocard that does all that junk just from the RF power it
gets off the terminal.

~~~
sjtgraham
I bet it's not interactive. Interactivity powered by near field RF is
impractical because power is lost when the card is out of range. This would
result in some very awkward UX as users have to hold their card close enough
to the reader for power while they verify the transaction metadata and enter
their PIN.

~~~
viraptor
Check with people who already use this:
[https://newsroom.mastercard.com/press-releases/mastercard-introduces-next-generation-display-card-technology-a-first-for-singapore/](https://newsroom.mastercard.com/press-releases/mastercard-introduces-next-generation-display-card-technology-a-first-for-singapore/)

Producer: [https://www.nidsecurity.com/products/solution-financial.html](https://www.nidsecurity.com/products/solution-financial.html)

------
ar0
I do not think the title corresponds particularly well to the article, as it
focuses on at least something being done: The article details how the new
MasterCard specification for contactless payments requires that payment
terminals time the response of contactless cards to 2ms or less. This would as
I understand it almost eliminate real-world relay attacks: it would exclude
using the Internet to relay data and thus require building sophisticated radio
equipment, all for relatively little gain as contactless payments without PIN
are usually capped to low sums.

The article does point out, though, that this might well be "too little too
late" as the MasterCard specification is only one of many and it will take
years for new cards to actually end up in the hands of consumers. I guess this
is what the title refers to, but I have to admit that at least I was
surprised to learn that something is being done at all about this...

------
prohor
Just add an e-ink display (like this:
[https://plastc.com/](https://plastc.com/)) that shows the transaction value
and a button to approve on card. Only then the card would sign the
transaction. Seems simple.

~~~
drdaeman
It doesn't even have to be card-shaped anymore, since it's NFC. There are
other form factors that have handled real-world payments, like bracelets, watches
and phones. All of those can be easily equipped with a display (enough to show
a transaction amount) and some sort of sensor (keypad, touchscreen, single
"approve" button, fingerprint scanner) to handle user authorization.

This will probably break the "fix" though, as the "card" may take up to tens
of seconds to "respond", waiting for the owner to grant permission. And it won't
work for stores that can't handle NFC.

~~~
oakwhiz
A device like that could use a 2-phase protocol so that each step of the
transaction is kept under 2ms even if the whole thing takes 10s.
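A simulation of the two-phase idea above, added here as an example and not code from the article or any commenter: the slow cardholder-approval step runs untimed, then a short nonce/MAC exchange is held to the 2 ms budget the thread discusses. The cryptogram scheme (HMAC over nonce and amount with a key shared with the issuer) and the simulated link round-trip times are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

SPEED_OF_LIGHT_KM_PER_S = 299_792.458
TIME_BUDGET_S = 0.002  # the 2 ms round-trip limit described in the article


def max_signal_path_km(budget_s: float = TIME_BUDGET_S) -> float:
    """Total distance a signal can cover inside the budget (the ~600 km figure)."""
    return SPEED_OF_LIGHT_KM_PER_S * budget_s


@dataclass
class Card:
    """Simulated card with a display and an approve button (constructed, not a real product)."""
    key: bytes                            # secret shared with the issuer; constructed for the demo
    approved_amount: Optional[int] = None

    def approve(self, amount_cents: int) -> None:
        # Phase 1: slow and untimed. The holder reads the amount on the card and approves it.
        self.approved_amount = amount_cents

    def respond(self, nonce: bytes) -> bytes:
        # Phase 2: fast and timed. Only a MAC over a fresh nonce and the approved amount.
        if self.approved_amount is None:
            raise RuntimeError("phase 1 not completed")
        msg = nonce + self.approved_amount.to_bytes(4, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:8]


def run_transaction(card: Card, amount_cents: int, link_rtt_s: float,
                    card_compute_s: float = 0.0003) -> Tuple[bool, bool]:
    """Return (cryptogram_valid, within_time_budget).

    link_rtt_s models the terminal-to-card round trip: tens of microseconds for
    a genuine tap, tens of milliseconds when the card is reached over a network.
    Timing is simulated rather than measured so the outcome is deterministic.
    """
    card.approve(amount_cents)                 # phase 1: may take seconds, not timed
    nonce = secrets.token_bytes(8)
    response = card.respond(nonce)             # phase 2: the only timed exchange
    elapsed_s = link_rtt_s + card_compute_s
    expected = hmac.new(card.key, nonce + amount_cents.to_bytes(4, "big"),
                        hashlib.sha256).digest()[:8]   # issuer-side verification
    return hmac.compare_digest(response, expected), elapsed_s <= TIME_BUDGET_S
```

A relayed exchange still yields a valid cryptogram (the relay does not touch the crypto); only the timing check distinguishes it from a genuine tap.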

------
Nursie
Contactless cards are vulnerable to some kinds of fraud, fraud in such low
amounts that it's not been worth the effort to actually commit on any great
scale.

Non-chip cards are by far the bigger liability. The levels of fraud on
contactless cards have been so low that the banks put the limit up from £10 to
£30 recently here, and take full liability themselves.

------
drazvan
I've actually used the "attack" in the article to design a P2P Bitcoin
exchange based on the idea of using someone else's contactless card (with
permission) in exchange for Bitcoin. This would solve one of the big issues in
exchanges today - that is the fiat escrow handling.

There's a demo for a quick PoC here:
[https://www.youtube.com/watch?v=ZsOzeELdjxM](https://www.youtube.com/watch?v=ZsOzeELdjxM).
It makes me sad that they're closing this, the fraud potential was really
small (as the article implies).

------
peeters
I'm curious about the example used. They show a fraudulent purchase of $2000.
I know my MC caps the size of the purchase that can use tap for auth
(somewhere under $100). Is the same challenge/response used for both tap and
chip? Otherwise, wouldn't the bank catch that it got a tap response for a
purchase that should've used chip and pin?

Or is this assuming the bank allows a $2000 purchase using only tap?

~~~
dtech
The article is a bit confusing (perhaps deliberately to scare the reader).

The attack is possible on all current electronic chip payment forms
(contacted/contactless, with & without PIN).

For contactless without PIN, transactions are limited (in my country to €25
per transaction and €50 total before a PIN is required). Contactless without
PIN is much easier to attack (for obvious reasons), but cannot break this
limit. Contacted with PIN is fully vulnerable, but also a lot harder to pull
off.

The 600km limit is also highly deceptive, as it doesn't take into account
latency introduced by electronics. E.g. a typical good wifi connection has a
much higher ping than 2ms.

------
deutronium
Even if you use distance bounding protocols, couldn't someone just use one of
those contactless paypal machines, to steal your money directly?

~~~
girvo
If they don't have your pin, they're limited to $100 max.

------
k3nx
Would it be too hard to do this: send the request to the bank, the bank checks,
says it's OK and returns the amount to withdraw. The card reader already says
"is amount $20.00 OK?"; just replace that with what the bank said it was
authorizing. The user wouldn't have to do anything else, but the real amount
would be shown at the time of the transaction, not what the card reader was told.

~~~
greenshackle
In this attack the card reader is compromised. The attackers can make it
display whatever they want it to.

Edit: For this to work the card itself would have to have its own display.
Another commenter suggested e-ink.

------
ChuckMcM
EM shielded financial pockets are going to become a deal breaker. While there
are a few wallets and purses today which offer this (harder on a purse since
it makes your phone unusable if stored in it) at some point if your card
holder _doesn't_ shield it will be considered impractical.

~~~
misterdata
These have existed for a while [1]. I've been using one to make sure that my
business and personal cards aren't both charged in public transport

[1] [https://www.secrid.com/en/](https://www.secrid.com/en/)

~~~
Kubuxu
You don't need an expensive wallet; a strip of aluminium foil works just as well.

NFC uses magnetic antennas/coupling, meaning that shielding from one side is
enough to block the signal.

My solution is to laminate a strip of aluminium foil in card form factor.

~~~
kalleboo
More on this from Dave Jones at the EEVBlog where he actually tests the
attenuation and visualises on an oscilloscope:
[https://www.youtube.com/watch?v=kp63MZ6RudE](https://www.youtube.com/watch?v=kp63MZ6RudE)

As well as testing an active jammer that's for sale
[https://www.youtube.com/watch?v=rnOuEFR6qoM](https://www.youtube.com/watch?v=rnOuEFR6qoM)

