First Contact - Vulnerabilities in Contactless Payments
Conference: BlackHat EU 2019
2019-12-04
Summary
The presentation discusses vulnerabilities in contactless payment systems and the potential for fraudulent transactions. The speaker highlights the need for strong customer authentication and reasonable transaction limits.
- PSD2 regulations require strong customer authentication for transactions over 250 euros or more than five transactions
- Cumulative limits can be bypassed, leading to potential fraud
- Mastercard and Visa have different requirements for contactless transactions
- Vulnerabilities exist in both Mastercard and Visa contactless systems
- Reasonable transaction limits can help prevent fraud
- Responsibility for fraud prevention falls on card issuers
- The speaker provides examples of fraudulent transactions and potential attacks on contactless systems
Abstract
Introduced in 2007, contactless (NFC) payments have been used widely for a decade. Accounting for more than 40% of transactions globally, contactless payments are fast replacing cash and CHIP. Yet, contactless makes use of protocols much older than the technology itself. So, how safe and secure are contactless payments? In this talk, we discuss how the EMV protocols and magstripe modes used for contactless are equally flawed. For the first time, we show how to bypass the UK £30 limit for contactless payments made using physical cards. Then how to circumvent limits for mobile wallets using locked mobile phones. What's more, we cover flaws in the generation keys values, the unpredictable number (UN) and application transaction counter (ATC). Another first, we perform a pre-play attack using EMV without downgrading to legacy modes.
Tags: