Report

1
1. Introduction
From the oldest recorded form of currency of livestock in 7000 BC,
transactions have evolved through a vast array of stages, including the
exchange of shell money to more familiar currencies of gold. In more recent
years payment transactions have advanced at an accelerated rate. A major
turning point was in the 1950’s when ‘Diners Club’ released its first charge
card made of cardboard, which had almost 20,000 users (Milner 2012). Eight
years after this, initial versions of American Express and Visa cards were
issued. Through the years, these cards have continuously advanced with
improved authentication and security measures aimed of preventing
fraudulent transactions and keeping customer’s money safe.
We are now currently in the stage a modern-day turning point occurring with
the evolution of mobile payments or m-payments. Every modern person in
society carries three main things in their pocket or handbag; a wallet, a set of
keys and a mobile telephone. With the recent introduction of global
partnerships between pioneering companies such as Google and Nokia is a
fresh wave of technology predicted to advance at a staggering rate. This
technology involves the use of Near Field Communication to replace the
requirement for essential items. With the use of NFC it is now possible to
unlock your home, unlock your car and even pay for items with only one item;
your phone.

2
2. Background
Mobile phone ownership in the previous five years has skyrocketed with 92%
of people in the UK currently in possession of mobile telephones
(mobilemastinfo.com)1. This shows as mobile technology advances at such a
phenomenal rate the vast majority of population are currently on the
technology bandwagon. Leading global companies understand the need to
make payments faster and convenient, as the population begins to leave
physical money and channel into electronic money.
Through marketing, large companies appreciate purchasing to spend rate is
higher when things are easier to purchase. For this reason there is an
increasing interest in near field communication technology from a large variety
of sectors. This interest has led to an estimated rise of 1 in 5 smartphones
having NFC as standard by 2015(juniperresearch.com) 2 and an infrastructure
shift including all POS terminals having NFC transaction capabilities by
October 2015 (Miller, 2012).
However, the most-recent figures published by (Financial Fraud Action UK)
found that there was a 32% increase in phone banking fraud, the largest
percentage increase in the document released. This type of attack occurs when
a ‘criminal fraudulently accesses the victims phone banking account’,
highlighting vulnerabilities in this area. Global leading companies such as eBay
and Apple understand this risk, which is why they are conservative when
endorsing NFC technology with their devices and payment systems (Aurthur
2012).
1.1. Purpose
By carrying out investigations and research the project report will summarize
and deliver findings in seven key areas by applying the Herringbone
methodology (Appendix A). In line with Objective 5 this report will consist of
four areas of analysis including Vulnerability, Threat of attacks, Risk
1
http://mobilemastinfo.com/
2
http://www.juniperresearch.com/reports.php?id=492

3
Assessment, Impact of attack vectors and final conclusion which will discuss
the outcome.
1.2. Stakeholder Relationship
When considering the process of a typical transaction it is important to
understand key business, which contributes to and affects the transaction
process in question. From here we are able to establish the roles, interests and
importance of each entity. Many companies have varied degrees of
responsibility and also varied interests, often creating global partnerships such
as Visa-Samsung and Barclays-Orange to strengthen their business presence.
The following section demonstrates and explains the stakeholder’s interests in
connection with the mobile wallet.
1.3. Stakeholder Architecture
Figure 1: Actors Architecture

4
The several key fields of interest comprise of Retailers, Issuing banks, Payment
processors, Network Carriers, Technology companies, Network Associations
and Mobile manufacturers (Figure 1). The Sector, Roles and Interests table,
(Appendix B) explains the general roles and benefits of each sectors interest in
the technology.
Due to the many entities involved in a typical transaction, should an attack
occur through the use of through NFC the investigation procedure can be long,
complex, difficult to locate. ‘Not all Cheque and Credit Card offences can be
investigated due to their frequency and limitations on Police resources’ (City of
London Police).
1.4. Summary
In summary, we have identified the key fields of interest, the position and roles
they play and their motives for investing into the technology. We have also
established that due to the amount of Actors involved in the contactless
transaction process the amount of police resources required to convict an act
of contactless crime is currently extremely time consuming. More support, co-
operation and collaboration are required to strengthen this type of problem
with just over 60% of people agreeing (Appendix C, Q14).

5
2. Vulnerabilities
A vulnerability is a weakness which allows an attacker to reduce a system's
information assurance. There are three primary areas of vulnerability with the
use of mobile payments.
1. Information as it is transferred from consumer to recipient;
2. Mobile device malicious software and hacking attacks; and
3. Information when a phone is lost or stolen.
This section will analyse the areas of vulnerability in the technology discussing
key areas of weakness which could potentially give rise to an attack.
2.1. Smart card Architecture
MIFARE is a series of chips widely used by NXP. These chips come in many
variants, each type of card having its own unique set of benefits and encryption
levels. Earlier versions of MIFARE cards such as MIFARE Classic could be used
as door entry contactless cards as they are cheap, however, as these cards
were introduced in 1994, they would not serve the purpose in today’s credit-
card transactions, as this type of card has been completely reverse-engineered
by a research group at Radbound University exposing (CRYPTO1)
cryptographic algorithms. (Garcia, 2009 pg2) (Garcia, 2008 pg98)
Many other variants of card have been introduced (NXP3) since the first
MIFARE classic, the most current card introduced in 2012 with triple data
encryption (3DES) protection although successful attacks have also been
carried out on this device by a security consultancy firm Intrepidus
(intrepidusgroup.com) exposing a security vulnerability.
2.2. Secure Element
Part of the process to store sensitive data such as credit card PIN requires a
secure element which is normally located the devices embedded NFC chip
(Vanderhoof,2012) this area allows applications to be isolated from each other
in a secure execution environment where the data can be protected by
cryptographic algorithms. This area can also be located in either the subscriber
3
http://www.nxp.com/products/identification_and_security/smart_card_ics/

6
identity module (SIM) card or the external memory, (Monteiro, 2012). To
access this area from the wallet application to the SE, contact communication
transmission protocol ISO7816 is applied. This is the standard used for contact
smart cards.
NFC and Contactless technology is normally linked together as there is no need
for contact between either of the communicating devices. NFC technology
complies with ISO, ECMA, and ETSI, which are standards giving guidelines and
specifications. These guidelines are ‘used consistently to ensure that materials,
products, processes and services are fit for their purpose’ (iso.org), both NFC
and standard contactless smart cards are based on and compatible with ISO /
IEC 14443 specifications.
Secure Element
ISO 14443 Contactless Card
Anntenna
Figure 2: Diagram of Contactless Card Configuration
2.3. Inductive coupling
Operational distances are subject to the magnetic-field distance, should the
magnetic field from the transponder to the antenna become extreme the
coupling factor will drop out. Figure 4 shows the connection process for a
contactless card being tapped at a POS terminal (Contactless Reader). As we
can see the induction in this instance is the POS terminal which will be
powered by mains or battery. The POS creates a magnetic field which in turn
transmits RF signals to the ISO / IEC 14443 compatible card (target) using
13.57Mz. The energy transmitted from the high-frequency field, induces a
voltage to the target, this is enough to allow the target device (contactless
card) to transmit data from the target to the POS. The data transmitted will
depend on the mode of the device allowing the POS to distinguish which mode
the device is communicating with. To transfer data from reader to

7
transponder, amplitude shift key is used. Form the ‘transfer data from a
transponder back to a reader, load modulation is used’ (Finkenzeller, 2012)
2.4. Active and Passive
The interface normally operates in several modes. If the device generates its
own radio frequency field through a power source, it is called an Active device
whereas if the RF field is generated by another device, it is called Passive
(Haselsteiner 2009). An NFC enabled mobile telephone would be considered
Active, and a contactless card would be considered a Passive device.
Figure 3: Diagram of Inductive Coupling
2.5. Encryption
Contactless cards using the standard ISO/IEC 14443 do not require
cryptography as ‘a security protocol does not exist in this standard’ (Lee, 2013)
however, most credit-card companies do carry out their own measures of
encryption, as with Google Wallet this is normally encrypted in the SE chip (ref
diagram) (Ghag, 2012) nevertheless, Lee states the vulnerabilities will exist in
the wireless part (2013). Notorious hacker and Futurist Holman backs this,
stating there is no encryption as it is possible to access sensitive information
with a simple POS reader (2012).

8
2.6. Application Security
An NFC mobile device will normally contain an RF Antenna and Smart card
chip that hosts secure applications. Various levels of security are applied to
each respective application. These are as follows; No security, Basic security
and Hardened Security which is encrypted and stored in the secure element.
The level of security will depend on the application requirements, for instance,
Facebook’s profile will have no security whereas bank cards will have
encrypted (Vanderhoof, 2012).
Secure Element
Applications
Contactless Reader
Wallet Applications
ISO 14443 Contactless
Communication
ISO 7816 Contact
Communication Transmission
Protocol
Figure 4: Diagram of International Security
2.7. Signalling Technologies
2.7.1 NFC- A (Milner Coding)
The method data is sent depends on the mode of the transmitting device. In
active mode, the data is sent using amplitude shift key (ASK)(Mostafa,2011)
the RF signal (13,56MHz) is modulated according to a coding scheme. If the the
baud rate is 106k baud the Millner Coding is applied, if the baudrate is greater
than 106k baud the Manchester coding scheme applies.
2.7.2 NFC- B (Manchester Coding)
In passive mode the data is sent using weak load modulation where the data is
always encoded using Manchester coding (Haselstiener 2009). From a security
aspect the difference in modulation strength is important to any
eavesdropping attack as the difference in modulation strength will determine
the feasibility of an attack.

9
Figure 5: Diagram of an Amplitude Shift Key
2.8. Summary
In summary, we have established key areas of vulnerabilities in NFC, which
have the potential to give rise to an attack. We have discussed the architecture
establishing the components which form the smartcard and discussed the
similar components in NFC telephones. We have also discovered that MIFARE
Classic has, in fact, been reverse engineered, which determines this encryption
as unsecured.
We have discovered that data from any transaction made is held in a ‘secure
element’, this is either held on the SIM card or external memory. We have then
discovered that the process by which transmissions are made use a process
called inductive coupling to wirelessly link the devices, this operates on the
frequency of 13.57Mz. Through this we have established that there are two
types of mode active and passive, in the instance of payments it can only be in
active mode. This relates directly to the coding method of Milner or
Manchester coding, which gives rise to transmission vulnerabilities. As stated
above the card encryption for MIFARE Classic has been reverse engineered,
however, further to this, we discover that no ISO/IEC 14443 standards are
required as a security protocol does not exist in this area – this means it is the
decision of the application designer to implement this. In the next section, we
will discuss the potential threats which arise from these vulnerabilities.

10
3. Threats
A threat is a possible danger that might exploit a vulnerability to breach
security and thus cause possible harm. This section will give a highlight into
each threat vector followed by a summary of the section and Threat Source
analysis.
3.1. Eavesdropping
When two devices communicate wirelessly via NFC, they use Radio Waves to
communicate between each other. Should a criminal ‘listen-in’ on an NFC
transaction through the Radio frequency signal this would be called
Eavesdropping. As (Kortvedt 2009) demonstrates it is possible to “capture and
demodulate data sent in both directions between NFC devices.”
Although near field communication suggests it is a close proximity technology
it is, in fact possible to intercept from distances as far as 10m (Haselsteiner,
2009). As Kortvedt states ‘radio transmission will always be possible to
eavesdrop at some range’ (2009), realistically this depends on many
conditional parameters (Appendices 1) and more importantly whether the
NFC communication is actually generating its own RF field (active) or by
another device (passive). For this reason it is not possible to derive general
security guidelines.
Figure 6: NFC Eavesdropping

11
One of the reasons why eavesdropping is difficult to combat is due to the
transmitted signals requiring a certain strength to become reliably picked up
by the intended target. Consequently, this means the attacker does not need to
receive full signal strength for an attack to be adequate. Paget explains that it is
possible to eavesdrop slightly out of the band (14MHz) with the use of Ham
band radio equipment as this equipment is easier to attain. Merchant devices
and antennas are restricted in size to accommodate ease of use and to keep the
contact distance in the region of 10cm; however, it is possible for an attacker to
increase the power consumption along with increased antenna to read signals
from a further range (Paget, 2012).
3.2 Relay Attack
‘A relay attack is where the criminal relays information between two legitimate
parties, without them being aware of the relay’. Issovits (2012) demonstrates
this type of attack exploiting mechanisms such as Frame Waiting Time (FWT),
which is the maximum response time for the target to acknowledge the
transmission. The experiment could prove that by using the standard Waiting
Time Extension (WTX) commands could stall the acknowledgement allowing
‘enough time for even very slow or complex relay channels’(Issovits, 2012)
The recent paper published by (Roland, 2012) explores new methods of
relaying data from the secure element enabled phone. By initially combining
exploit code with an application the attacker installs a malicious application
onto the victim’s mobile phone.
To install the application (Verdult, 2011) demonstrates the methods of
attacking an NFC and Bluetooth enabled phone. By using Bluetooth to transmit
the malicious application by means of object exchange (OBEX), the victim is
unaware they are authorizing the installation. As the transfer speeds on
Bluetooth are a lot faster. NFC technology may be used to create the initial
‘handshake’ between devices as its device association speeds are a lot faster in
the transport layer protocol (Ghanname, 2006). This sort of malicious
software could be injected into a genuine tag such a commercial poster, where
the victim would initiate and accept the connection genuinely considering the
tag is legitimate.

12
3.3 Data Corruption and Denial of Service Attack
Data corruption occurs when an attacker corrupts data being sent to a reader
or interface. The attacker disturbs the signal from the reader receiving valid
data rendering the transmitted signals invalid or corrupted to the reader. The
consequence of such an attack could be used in a malicious way to create a
Denial-of-Service attack rendering the communication between initiator and
target inactive. As Haselsteiner states the attacker must have a ‘good un-
derstanding of the modulation scheme and coding’ (2009) to carry this out,
therefore this attack will require a large element of preparation and planning.
3.4 Data Modification
Data modification is very different from corruption, in contrast to corrupting
the data being sent the attacker intends the target to receive some valid data
and acknowledge it. This attack depends on the mode (passive or active) as the
attack using the Manchester Coding is feasible however it is only feasible in
certain parts of the Miller Coding (Haselsteiner,2009).
3.5 Skimming Attack
The ‘skimming ‘attack is a threat that is used to ‘capture a customer’s card
details or fraudsters modifying POS terminal’ intending to capture card data
(visaeurope.com). Once the criminal has access to the sensitive data, the data
can be sold on the black market or used to create a complete cloned bank card.
Paget states ‘contactless skimming is much easier than magstripe ’ skimming
(2012) as the card does not even need to touch the reader. A visible example of
magnetic stripe attacks is shown in (Project Appendix I). As described by
Benninger at the 2012 Shmoo Conference, this current method of attack could
quite easily be adopted to accept NFC signals (2012) with an NFC reader in
replacement of the magnetic strip detector.
3.6 Shop Skimming Attack
Benning continues to describe how it is achievable for an attack using a
compromised POS reader. Emms also creates an experiment using a POS
reader and low cost equipment in whereby demonstrating how the ‘data
capture takes place before card is fully inserted into the terminal’, this is
carried out with no alteration to the intended Chip & PIN transaction (2011).

13
3.7 Man-in-the-Middle-Attack
Man-in-the-middle attacks are carried out by establishing a connection as the
middle man between genuine communications. In the classical MiM attack, two
people want to talk to each other and are tricked into a third party
conversation from an attacker. When this scenario is applied to contactless
transaction, the customer would like to make a payment through a contactless
enabled POS terminal. The attacker picks up the signal from the customer,
acknowledges connection then relays this to the original intended target (POS
terminal). The POS terminal then returns the data through the attacker and
onto the customer. In theory the attacker would then have gathered
information traversing both directions. However as stated by (Haselsteiner,
2009) this attack is difficult to accomplish due to the three devices requiring
close proximity whilst the attacker has to shield direct connection between the
original recipients;
3.8 Physical Theft and Lost Property
Losing possession of NFC mobile or contactless card through theft or loss does
open access to criminal use as the current criteria for authentication does not
require a PIN. Banks such as Barclay`s have introduced £15 payment limits on
contactless payments (Barclays.co.uk) although there is still potential to access
sensitive data through loss or theft as it would be possible for the criminal to
initiate a payment which would then display card information.
3.9 Summary
We have extended from the vulnerabilities, and discovered possible threats
that exist in contactless transactions. By identifying and briefing each threat
area this allows for an assessment of the risks, the following section will assess
the threats and categorize these threats, measuring the risk in order of
importance.

14
4. Risk
“Risk management is the process of identifying vulnerabilities and threats to
the information resources used by an organization in achieving business
objectives, and deciding what countermeasures, if any, to take in reducing risk
to an acceptable level, based on the value of the information resource to the
organization” (ISACA, 2006)4.
Threat analysis identifies the threat level by analyzing key aspects of
Confidentiality, Integrity and Availability and assessing their respective grade
against Capability and Priority. This is used to distinguish which attacks pose
the highest threat. Further details can be found in Appendix D.
Figure 7: Threat Analysis
To assess the overall risk which each threat may cause, a Risk Assessment
Matrix was created to analyse every threat. As shown in Figure 7 we discover
that ATM skimming and mobile telephone scanning have the highest overall
risk rating, whilst data modification and electronic leash/walk off have the
lowest risk. Overall conclusions to these results can be found in Appendix F.
4
www.isaca.org/Pages/default.aspx

15
Figure 8: Risk Assessment
Once identifying and categorising the risks involved with each attack
countermeasures are provided through a Risk Contingency Plan. The purpose
of this plan is to give users and businesses a method of controlling the risk by
one or a combination of four major categories including; eliminate, mitigate,
transfer or accept the risks involved. A further breakdown of this contingency
plan is available at Appendix G.
Figure 9: Response Planning
As we discovered the ATM Skimming has very high risk rating, as a result the
report will test and evaluate this type of attack in the following section.

16
5. Impact - Testing
This section will be separate down into three main segments, an experiment
which will discuss and demonstrate the impact of an attack, a case study
demonstrating the real-life scenario, and a further impact analysis which will
highlight the potential loss to the individual user and also to the financial
industry.
5.1. Experiment (1 of 3) Data Extraction
The purpose of this experiment was first to gain information wirelessly
through the use of budget equipment and then to estimate the potential impact
of an attack. This section of the report will summarize the experiment. A
further in-depth description of the experiment is available in Project, section
6.1.
The results achieved were not expected as the experiment lead into unknown
territories. Although results were not as anticipated, information was
obtainable through the use of budget equipment and open-source software.
The experiment was set up using the following
tools;
 ACR122U.
 Laptop – Windows 7 OS.
 MIFARE 1k card.
 MIFARE 2K card.
 2 x ISO/IEC 14443 Identification cards.
 Open-Source Software.
The results consisted of ATR (Answer-to-Reset)
coding which identifies the card, along with his
included a series of data and string of symbols. The
ATR results were then applied to a parsing phase
Figure 10: NFC Reader

17
which is the process of analyzing a string of symbols (techterms, 2013)5 .
Online software was used to carry this out at (smartcard-atr parsing)6. This
was an attempt to decode this string of symbols, when carrying out this
process the parsing decoded a further series of values, which can be seen in
Figure 10.
Due to widespread popularity in literature and forums the ACR122U reader
was purchased from eBay for £40,
this arrived from Hong Kong in
around 10 days. An average spec
laptop was sourced running
Windows 7 operating system
along with attempts to use
Forensic OS Backtrack r3. As seen
in (Figure 7) the ACR122U was
plugged into the laptop running
Windows 7 operating system.
Four variants of card (Figure 8) were including in the experiment in order to
test and increase the validity of each card and establish the variations in
information obtainable.
Figure 12: ATR code parsing
5
www.techterms.com/definition/parse
6 6
http://smartcard-atr.appspot.com/
Figure 11: Selection of Cards

18
In further attempts to decode and understand the data, similarities in Hex
coding initiated a search for online Hex decoding software. Online decoding
tools were found at (paulschou.net) 7 however no visible results were derived
from this (Figure 11).
Figure 13: Hex decodeing
Figure 14: Bournemouth University ID Information
7
http://home.paulschou.net/tools/xlate/

19
5.2. Experiment (2 of 3) –Ardunio and RFID
Abstract
The purpose of this experiment was to continue from the previous ACR122U
reader and investigate further into the hardware and software components
used. By building the microcontroller components and investigating the coding
aspects, alternative perspective was achieved giving a greater understanding
of the NFC functionality.
Methods and Materials
The experiment was set up using the following tools;
 Ardunio R3 Microcontroller Board
 PN532/NFC Shield (Adafruit)
 Ardunio 1.0.5
 Windows 7 Laptop
 Open-Source Software (gethub.com)
 USB cable
 Temperature Controlled Solder Station
 Lead-free solder dispenser
 MIFARE 1k, 4k and ISO 14443 cards.
Various microcontrollers such as Raspberry Pi are available. However, limited
RFID shields exist. Due to the suitability of the Adafruit PN532 RFID/NFC Shied
this was applied to the experiment.
Once the device arrived from the USA pins were soldered onto the PN532
board to allow the Ardunio microcontroller to accept the PN532 shield. Once
the Ardunio board and PN532 were connected the USB cable was attached to
the laptop. We can see the Ardunio board connected to the PN532 shield, usb
connector and MIFARE card in figure x.
Arduino integrated development environment (IDE) was downloaded directly
from (arduino.cc)8 this provided an interface where it was possible to load the
code onto the microcontroller. An example test was loaded onto the Ardunio
8 http://arduino.cc/en/Main/Software

20
microcontroller to ensure that the board was set up and functioning correctly.
This was a basic flashing light which turned on and off after 1 second. This
worked as required, confirming the board was functioning correctly.
Figure 15: Ardunio Microcontroller
Libraries from open source websites such as (gethub.com)9 were downloaded
adjusted and set up using Ardunio 1.0.5 as we can see in Figure 9. Baud rate
was important as the reader was required to be set at 115200 baud to
effectively read the card.
Figure 16: Ardunio 1.0.5
9 https://github.com/

21
Once the code had been adjusted to the experiments needs, the code was
uploaded to the microcontroller. As displayed in Figure 8 we can see the NFC
shield is waiting to accept an ISO 14443 compatible card.
Figure 17: Experiment 2 Card Data
As displayed above the reader could acknowledge the MIFARE 1k, MIFARE 4K
and ISO 14443 bank card.
Results have been displayed in the diagram above. Although the reader could
accept the card, further analysis is needed to understand the coding and data.

22
5.3. Experiment (3 of 3) – Credit Card Cloning
Penetration Test
Abstract
The purpose of this experiment is to establish if it is in fact possible to clone a
credit/debit card from data obtained from NFC transactions and determine if it
is possible to input obtained credit card information, onto a blank card.
Background
In this stage of the experiment the aim is to create a cloned card from two
sources of information. These will be from magnetic strip and wireless
information. This experiment will assess the feasibility of carrying out such an
attack. A further example of an ATM skimming attack being carried out is
available at Appendix I.
Methods and Materials
 Laptop - Windows 8 OS
 MIFARE cards (including contactless bank cards)
 Blank MIFARE cards
 MSR 605
 MagCard Write/Read Utility Program v2.01
 USB connection
Various types of reader/writers were available. However, as MSR 605 was the
most current released; it was decided to include this version in the experiment.
Blank MIFARE cards were included with the device.
Figure 18: Magnetic Strip Reader

23
The following diagram shows the contactless bank card being swiped onto the
magnetic strip reader, the input can be shown in figure 11.
Figure 19: Credit Card Details
1. Every card starts with the digit B.
2. 16 Digit credit card number.
3. Surname followed by and first name.
4. 16 Digit credit card number.
5. Expiry date
As circled in the diagram above, we have broken down the card information.
To test the validity of the now cloned card the card was tested inside a local
cash machine. The correct PIN was entered into the machine and full access to
the account was available. To prevent releasing any sensitive information, data
was blocked in this report, and disused personal bank account was used.
Figure 13 demonstrates access to the account through the cloned card.

24
5.4. Experiment Results
Experiment (1of 3)
 ACR122U was able to acknowledge all four cards tested with an audible
bleep.
 The results consisted of ATR (Answer-to-Reset) coding which identifies
the card.
 Card information discovered through demo scripting software.
Experiment (2 of 3)
 This experiment could read certain values from all cards placed on the
PN532
 This experiment gave a greater understanding of the components
needed in creating a functioning NFC device.
Experiment (3 of 3)
 This experiment confirms that magnetic strip is extremely vulnerable
to cloning.
 This experiment shows that ATMs only read magnetic strip and not
chip and PIN or contactless functions.
 This experiment confirms that full card details can be cloned through
the magnetic strip.
 Potentially, bank details data acquired through NFC could be cloned
onto the magnetic strip. However this needs further investigation.

25
 Figure 20: Cloned Card inserted into ATM
Results
This experiment was a success in what it aimed to achieve. However the
information obtained wirelessly needs further analysis in understanding the
card architecture.
Once the data was extracted wirelessly, it could in theory be written on to a
blank card magnetic strip (creating a cloned card) and inserted into a cash
machine to withdraw money, or used to make payments online.

26
6. Impact – Case Study
The following case study will demonstrate the threat, vulnerability and
potential impact from this type of attack. A further case study to strengthen
findings has been included at the end of this report (Appendix G).
Situation
 William has finished work for the day and is taking the London
underground back home.
 Its rush hour and the London underground is packed out, there are no
seats available.
 Dennis has also just arrived on the train carrying his mobile telephone
with malicious intentions. He prefers environments which are very
busy and crowded.
Challenge
 Dennis aims to brush past as many people as possible.
 His target is to gain as many contactless details wirelessly as possible
in one day.
Actions
 Dennis has passed by five people, none of which had NFC enabled
phones on contactless cards – he does not receive any bank details.
 Dennis then passes William who is reading the newspaper as his stop is
another ten minutes away.
Results
 Dennis can silently and wirelessly acknowledge the information from
Williams’s card.
 Dennis saves these details and carries on through the carriage; he
steals another 20 details wirelessly before exiting the train.
 When Dennis arrives at his hotel, he uses the details on the Internet to
pay for items, sell the details over the Internet and create a cloned
credit card using devices such as MSR605.
 William has no idea the crime has been carried out and his details are
being circulated.

27
Figure 21: Mobile Scan Attack in Built-up Area (Guardian, 2013)
Summary
An attacker and a victim were on the same train. The attacker wirelessly stole
financial credit card details from the victim. This was achieved without the
victim even realizing the attack had been carried out. The crime took a short
period (less than 10minutes) to carry out and as the victim is completely
unaware of the crime, he is therefore unable to provide any description of the
attacker for any police statement. The attacker has obtained details adequate
in extracting money from the victim’s bank account, be it over the telephone,
online or through the use of a cloned credit card.
Conclusion
This attack is quiet, inconspicuous, and financially detrimental. Vulnerabilities
highlighted should be taken on board by banks and investors in the contactless
system to prevent the problem escalating into serious organised crime scale
situations of fraud. Current recommendations of prevention are discussed in
the section.

28
7. Impact - Analysis
The impact of such an attack described above is potentially detrimental to
parties involved in the banking transactions described in section one. Should
an attacker have the ability to obtain a mere 10 credit card details per month
with a credit limit of £300, for an entire year the attacker would net £36,000.
In 2010 the average daily usage of an ATM was 116 transactions per day
(sevenbank.co.uk)10. Assuming the attacker applies the wireless skimming
techniques described in Appendix G or in Case Study 1, and attacks only one
ATM to pursue a target of £1million in one year, the attacker would require
approximately 10 cards per day with a card limit of £300.
The table below demonstrated the financial impact such an attack could
produce. The table was completed at 600 card details per month which
calculates to 19 credit cards per day.
Daily Impact for One ATM
116 (Average ATM transaction) x £100 (Average withdrawal) = £11,600
Number of Credit
Card Duration
Card Limit
£100
Card Limit
£200
Card Limit
£300
Details Obtained (Months)
1 12 £1,200 £2,400 £3,600
5 12 £6,000 £12,000 £18,000
10 12 £12,000 £24,000 £36,000
25 12 £30,000 £60,000 £90,000
50 12 £60,000 £120,000 £180,000
75 12 £90,000 £180,000 £270,000
100 12 £120,000 £240,000 £360,000
150 12 £180,000 £360,000 £540,000
300 12 £360,000 £720,000 £1,080,000
600 12 £720,000 £1,440,000 £2,160,000
Table 1: Financial Impact Analysis
10
http://www.sevenbank.co.jp/english/ir/library/monthly_trend/pdf/2011051234.pdf

29
8. Discussion
6.1. Information Obtainable
There are two stages in the process of NFC credit card crime. Stage one is
achieving the details through vulnerable use of NFC communication protocols,
and stage two is actually applying the details and effectively carrying out a
transaction. Stage two can be carried out by various methods such as over the
telephone, online and physical card cloning.
Should the information gathered through an NFC attack be limited and
inadequate to carry out a transaction this would render the communication
protocol secure, in this respect. Paget, experienced hacker now working on
Apples OS X security team, states that Track 1 and Track 2 information is
accessible; this includes information such as Customer Name, CVV, Expiry Date
and 16 digit account number (2012). All of this information can be used to
process online orders, create cloned cards or most popularly in today’s climate
‘card-not-present phone banking fraud’ which jumped 32% from 2011(Fraud
the Facts 2012).
6.2. Countermeasures
6.2.1. Laws
Convictions of the nature of offences carried out in such evolving technologies
considered in this report are challenging and time-consuming to the police as
the crimes tend to be ‘difficult to ascertain where the offence originated or
took place’ once the credit card details have been applied to a transaction.
Measures of online detection have improved although many victims are
unaware they have been a victim of crime until the offense has elapsed over a
period of time, with many cases not even being reported. (ons.gov.uk)
The type of crimes applicable to such offenses may fall under the following
Acts;
 Computer Misuse Act 1990
 Data Protection Act 1998
 Fraud Act 2006

30
6.2.2. Wireless Blocking
A handful of companies aware of wireless RFID vulnerabilities such as
(idstronghold.com) 11 who have introduced news product blocking contactless
signals with thin layers of foil embedded into the wallet. The specially adapted
wallets prevent the wireless signals from being read by attacking devices.
Metal foil wallets have been introduced to help reduce fraud in this area.
6.2.3. Biometrics
One method of preventing NFC attacks has been introduced by a company
called TazTag. Tagtaz has understood the vulnerabilities and introduced
measures of biometrics, which stores the user’s fingerprint in the SE. This
introduction is a positive step in preventing attacks as it involves a two-factor
authentication, which combines something you have to something you
are(Corman, 2011).
6.2.4. PRISM Surveillance Program
PRISM is a top secret electronic surveillance program (Guardian, 2013). It is a
program that has been run by the United States making it possible to monitor
information and data between communication devices including emails and
telephone calls. Large global companies such as Microsoft, Yahoo, Google,
Facebook, PalTalk, AOL, Skype, YouTube and Apple have reportedly signed up
to the program which could potentially be used as a method used of obtaining
credit card information for government agencies a lot easier through the use
of mobile telephone transactions opposed to the physical credit card. This
method would not be likely to be applied to low level criminals but more
serious organised crime, however is likely to play in important part in the
future of mobile telephone credit card crime.
6.2.5. Online Detection Methods
Global banks such as The Royal Bank of Scotland process more than 1 billion
transactions a year, (Bolton and Hand, 2002) . When Alowais carried out an
experiment to analyse the relationship between fraudulent transactions, his
experiment took into account six key factors which contribute to a suspicious
transaction (2012). The data analyses included Merchant information, such as
café or sports shop, Time of the transaction, Number of transactions in a single
11
http://www.idstronghold.com/

31
day, Frequency of a transaction, Location of transaction (IP address and home
address), and the transaction Amount. This information is then built up to
create a form of ‘credit score’ allowing the bank to make a decision on
authorising or declining the payment.
To summarise, the use of information stolen from NFC could in theory be used.
However the attacker would need firm knowledge and experience to apply the
attack or may sell the card information on the Internet.

32
9. Conclusion
Previous versions of Magnetic strip authentication have become stressed to
fraudulent activity. Too many fraudulent transactions forced the introduction
of Chip and Pin technology where it is now a very common and preferred
method of payment (Appendix C - Q3/4). With the introduction of future
wireless payments such as NFC mobile payment, the UK is likely to follow the
path of countries such as Japan and USA. Interest in the technology has been
greater, however overinflated estimations could still be predicted increased
popularty than real figures.
By researching the vulnerabilities, we could discover key areas which are
susceptible attack. From here we discovered an array of potential threats and
attack vectors. Researching the vulnerabilities and understanding the threats
created the basis for a detailed risk assessment categorizing the risks in order
of seriousness. When understanding the risks, an analysis of the potential
impact of an attack.
There are clear benefits to the introduction of NFC such as the speed of
transactions, this is a positive feature which benefits all parties involved; the
customer wants quicker payment, the merchant wants to process more
payments faster to serve as many customers as possible and the banks want to
implement a tool which enables this to happen.
As discussed, there are real threats attached with NFC usage, demonstrated by
Kasper, Kortvedt and Mulliner it is possible to carry out an array of attacks on
NFC. Some of these attacks are low level easy to carry out, although some of
these attacks are complex and will require skilled effort and equipment to
complete. Nevertheless, vulnerabilities exist in the current architecture and
will give rise to future attacks, if security is not adequately accounted for. With
that said, valuable research was carried out emphasising the point that users
are aware of such risks including 30% falling victim to fraud (Appendix C -
Q11) showing that users continue to take and accept the risks with 75%
stating they will happily use NFC for payment up to £15 as this is their
preferred method of payment as the risks, are presumed to be very minor.

33
Often new technology comes with uncertain expectations in technology
performance. Products have weaknesses and security vulnerabilities which
may not be completely addressed before release however due to deadlines and
financial reasons these products are pushed into production. Banks should
take note and make customers and users of the system more aware of the
vulnerability issues, allowing its customers to have more trust and become
aware of security flaws, allowing its users to install measures of prevention.
Banks and other large companies fear highlighting vulnerabilities in a NFC will
ultimately have a direct impact on the popularity and progression of the new
system.
It is also down to the user to be aware of possible attacks. However like many
situations users will not become concerned about security unless they become
a victim to a significant situation of fraud. It was intended for this document to
highlight areas of concern by analyzing the Risk, Vulnerability, Threat, Impact,
and Risk and conclude the results in the hope that involved parties will become
more aware of the situation.

34
10. References
Alowais, M. I. and Soon, L., 2012. Experiemental Setup. Third FTRA
International Conference on Mobile, Ubiquitous, and Intelligent Computing,
2012. Available from:
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6305834
[Accessed 7 April 2013].
Aurthur, C, 2012. iPhone 5 shows that Apple still considers NFC as Not For
Commerce. The Guardian, 14 September 2012, Available from:
http://www.guardian.co.uk/technology/2012/sep/14/apple-iphone-5-near-
field-communication-nfc [Accessed 1 April 2013].
Barclays' contactless encounters. Future banking, 1 April 2013, Available from:
http://www.banking-gateway.com/features/featurefba-contactless-payments-
barclaycard [Accessed 1 April 2013].
Bilginer, B, 2011. Near Field Communication. Master’s Thesis in Electrical
Engineering. Lunds Universitet.
Bolton, R and Hand, J, 2002. Introduction. Statistical Fraud Detection: A Review,
17(3), 235-255. Available from:
http://projecteuclid.org/DPubS/Repository/1.0/Disseminate?view=body&id=
pdf_1&handle=euclid.ss/1042727940 [Accessed 7 April 2013].
Miller.C, 2012. Exploring the NFC Attack Surface. Accuvant Labs. Available
from: http://korben.info/wp-
content/uploads/defcon/SpeakerPresentations/Miller/DEFCON-20-Miller-
NFC-Attack-Surface.pdf [Accessed 4 April 2013].
City of London Police, Cheque and Credit Card Fraud Investigation Policy.
London: City of London Police. Available from:
http://www.cityoflondon.police.uk/NR/rdonlyres/C8159B71-92A7-4192-
A6D6-B7679C60CF72/0/ChequeandCreditCardFraudInvestigation.pdf
Corman, P., 2011. Teams With Neurotechnology and TazTag to Demonstrate
High Privacy Two-Factor Security for NFC Applications at Mobile World
Congress. In: Corman, P., ed. Available from:
http://www.taztag.com/TT_Inside_Biometric_MWC.pdf [Accessed 10 April
2013].
Haselsteiner.E and Breitfub. K, Threats. Security in Near Field Communication
(NFC), Available from:
http://ece.wpi.edu/~dchasaki/papers/Security%20in%20NFC.pdf [Accessed
3 February 2013].

35
Financial Fraud Action UK, 2012.Fraud the Facts 2012. London: Financial Fraud
Action UK. BWC 3219 03/12. Available from:
http://www.theukcardsassociation.org.uk/wm_documents/Fraud_The_Facts_
2012.pdf [Accessed 6 April 2013].
Garcia, F. D., Van rossum, P., Verdult, R. and Wichers schreur, R., 2009.
CRYPTO1. Wirelessly Pickpocketing a Mifare Classic Card, 2-9. Available from:
http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf
Garcia, F. D., De koning gans, G., Muijrers, R., Van rossum, P., Verdult, R.,
Wichers schreur, R. and Jacobs, B., 2008. CRYPTO1 Cipher. Dismantling MIFARE
Classic, 97-110. Available from:
http://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf [Accessed
10 April 2013].
Ghag, O, 2012. Embeded Solution.A Comprehensive Study of Google Wallet as an
NFC Application, 58(16), 37-42. Available from:
http://research.ijcaonline.org/volume58/number16/pxc3883825.pdf
Ghanname,T. 2006. How NFC can to speed Bluetooth transactions. EE Times, 14
February 2006, Available from:
http://www.eetimes.com/design/communications-design/4012606/How-
NFC-can-to-speed-Bluetooth-transactions-151-today [Accessed 29 April 2013].
Henning Siitonen Kortvedt and Stig F.Mjolsnes, 2009. The Practical Feasibility
of NFC Eavesdropping. Eavesdropping Near Field Communication, Available
from: www.tapironline.no/last-ned/212 [Accessed 5 February 2013].
ISACA, 2006. CISA Review Manual 2006. USA: ISACA. Available from:
https://www.isaca.org/Pages/default.aspx [Accessed 2 February 2013].
Issovits, W and Hutter, M, 2012. Relay Attacks. Weaknesses of the ISO/IEC
14443 Protocol Regarding Relay Attacks, 338. Available from:
Juniper Research, 2012. NFC Mobile Payments Market Update. Basingstoke,
Hampshire, Juniper Research. Available from:
http://www.juniperresearch.com/reports.php?id=492 [Accessed 10 April
2013].
Lee, Y ,Kim, E and Jung, M, 2013. Security Technology. A NFC based
Authentication method for defense of the Man in the Middle Attack, 10-14.
Available from: http://psrcentre.org/images/extraimages/113113.pdf

36
Milner, B, 2012. A historical look at the origins of the credit card.The Globe and
Mail, 1 April 2013, Available from: http://m.theglobeandmail.com/globe-
investor/personal-finance/a-historical-look-at-the-origins-of-the-credit-
card/article1205463/?service=mobile [Accessed 1 April 2013].
Mobile Operators Association, 2013. latest News. London, Mobile Operator
Association. Available from: http://mobilemastinfo.com/ [Accessed 4 March
2013].
Monteiro, D.M, 2012. Introduction. A Secure NFC Application for Credit Transfer
Among Mobile Phones, [Accessed 3 April 2013].
Mostafa Abd Allah,M, 2011. NFC Operations Modes. Strengths and Weaknesses
of Near Field Communication (NFC) Technology, 11(3), 52. Available from:
computerresearch.org/stpr/index.php/gjcst/article/download/.../524http://c
omputerresearch.org/stpr/index.php/gjcst/index [Accessed 3 April 2013].
Philip E Ross, 2012. Why marketers are cramming digital wallets down our
throats. Phone-y Money, 1. Available from:
http://spectrum.ieee.org/telecom/wireless/phoney-money [Accessed 1 April
2013].
Pablos Holman about hacking RFID credit cards, 2012. Film. Pablos Holman.
USA: YouTube.
Renaud Lifithitz, 2012. Hacking the NFC credit cards for fun and
debit ;). In: Renaud Lifchitz, ed.Hackito Ergo Sum 2012, 12-14, Paris. France:
British Telecom, Available from: http://2012.hackitoergosum.org/blog/wp-
content/uploads/2012/04/HES-2012-rlifchitz-contactless-payments-
insecurity.pdf [Accessed 6 April 2013].
RFID-Handbook, 2012. Active Load Modulation. Germany, Klaus Finkenzeller.
Available from: http://rfid-handbook.de/the-author.html [Accessed 7 April
2013].
Roland,M and Langer J, 2012. New Attack Scenarios. Practical Attack Scenarios
on Secure Element-enabled Mobile Devices, 24. Available from:
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=617
6329 [Accessed 3 April 2013].
ShmooCon 2012: Credit Card Fraud: The Contactless Generation (EN), 2012.
Kirsten Paget. USA: YouTube.
Kasper, T, Oswald, D, Paar, C 2011. Security Threats for Wireless
Devices.Wireless Security Threats: Eavesdropping and Detecting of Active RFIDs
and Remote Controls in the Wild, Available from:
[Accessed 3 March 2013].

37
Vanderhoof, R, 2012. Applying the NFC Secure Element in Mobile Identity
Apps.RSAConference2012, New Jersey:
Verdult, R, 2011. Attacking a Cell Phone. Practical Attacks on NFC Enabled Cell
Phones, Available from:
http://www.cs.ru.nl/~rverdult/Practical_attacks_on_NFC_enabled_cell_phones
-NFC_2011.pdf [Accessed 3 April 2013].

39
Appendix A
Herringbone Methodology

40
Appendix B
Sector, Roles and Interests
Sector Role Interests
Technology
Companies
Provides the technology, stores
banking information in
cloud.(google.com)
Marketing information.
Network
associations
Operate the networks that allow
the merchants to send transactions
to the banks
More transactions though network
association means more profit per
transaction.
Retailers Payment for goods. Customers will have more options for
payment and higher chance of spending
more.
Payment
Processors
Provides electronic point of sale
(EPOS) terminals, support and
maintenance. Electronic payment
acceptance. (firstdata.com)
Financial gains through selling and
upgrading old POS machines with new
NFC chip installed.
Issuing Banks Required to authorises transactions Seen as an innovation player in financial
services (Futurebanking.com).
Faster payments for business
Network
Carriers
authenticating a user on a specific
mobile network and controlling the
services available to that
subscriber.(Infineon)
Encouraged to use mobiles for all uses -
Mobile
Manufactures
Hardware provider. Sell more handsets.

41
Appendix C
Questionnaire Performance Report
Ref
No.
Design Criteria Performance Criteria Design Specification Comments
01 This question was an easy to
answer introductory question
aimed at assessing any
relationship with age.
There will be more younger
people familiar with the
technology and willing to use
new technology
Please state your age in the
bands below?
Question 1 results show that the majority of questioners were actually
in the 20-24 age band
02 This question will analyse if
there is any relation to the
working sector which may
influence their decision on
NFC security.
More people working the IT
sectors will be familiar with
security and the concept of
NFC.
Which sector(s) best suits
you?
Out of all the questioners the results show a mixed variation of subject
areas which is good for this project as it allows views from a wide
varied audience.
03 Designed to analyse which
payment method people
prefer to use.
It is expected that most
people will opt for either cash
or chip and PIN as it is the
most widely available.
Which payment system do
you prefer to use?
This question establishes that Credit and Debit card Chip and PIN is
the preferred type of payment, this shows that users prefer to use
something which is widely available as it is easy to use and a very
familiar method of payment to the majority of the people.
04 This questions is used to
gauge the interest people
have should there be more
access to POS terminals
If the technology was
available people would use
the system more.
If the technology was more
readily available would you
like to replace your
credit/debit card with a
mobile to make payments in
shops?
The answers to this question are surprising as there is almost a 50%
split in the result which means that half of the people would like to
keep old methods of payment however the other 50% would like to
update as new technology is introduced.
05 This is used to analyse the
future perception of NFC
contactless transactions
It is estimated that people are
a little bit unsure about the
future technology as they are
Do you believe NFC
contactless mobile
payments have a place in
The answers to question five establish that over 70% agree that NFC
has a place in the future of electronic payment transactions with more
than 20% completely agreeing. This indicates that there is large

42
not fully aware of its
capabilities.
the future of electronic
payment transactions?
popularity with the technology however people are still very
unfamiliar with the operations of it. People don’t know enough about
the technology.
06 Analysing people’s
perception on contactless
card payment security.
Estimated that people do not
fully understand the security
vulnerabilities
Do you feel CONTACTLESS
credit/debit card payments
are secure?
The answers to this question highlight that people do not really know
about the security of the technology with 30% saying this. There is a
complete varied contrast in views, however the majority is pushing
towards disagreeing that contactless payments are secure with over
40% saying this.
07 Analysing people’s
perception on new mobile
payment contactless card
security.
It is estimated that the
majority of people think it is
secure
Do you feel contactless
MOBILE PHONE payments
are secure?
When analysing the results from question seven it is very clear that
people either don’t know how secure mobile payments are or disagree
and think that they are unsecure. Almost 45% feel that mobile
payments are unsecure. These findings suggest that more effort must
be made to make customers feel that they are using a safe and secure
product before this product will take off in the UK.
08 Analysing where the majority
of people perceive to be a
vulnerable point.
It is estimated that the phone
is constantly vulnerable will
be the top answer.
If you disagreed with the
above question, which point
in the transaction process
do you believe is most
vulnerable?
To support question seven, (N=17, 54%) of people felt that the phone
is continually vulnerable in a transaction process.
09 Analysing what information
the majority see as
information which can be
exposed.
Estimated that credit card
details are the most common
data which can be stolen.
(If you disagree with Q6)
What information/data do
you think could be stolen
from contactless mobile
payment?
Findings from this question highlight that a staggering 82% of people
believe 16 digit credit card numbers is the primary information which
can be stolen, however people also feel that other information can be
acquired through a contactless payment. This shows that people are
not fully aware of what data can be stolen from the payment
transaction.
10 Direct gaugine used to asses if
people understand the
distances involved in a
If people are aware of the
technology they will put
Close proximity payments
operate at a maximum
This question supports the results that the majority of people do not
know about the operating distances of close proximity payments and
shows that if users do not know the operational distances, they could

43
potential attack. 10cm or don’t know. distance of 10cm? become vulnerable to an attack. (N=13, 30% )believe the maximum
operating distance is 10cm, as proven attacks can happen a lot further
than this distance.
11 Direct yes or no analysing the
amount of questionees who
have been victim to fraud
may impact their answers
Estimated that by an
overwhelming result no
victims of fraud.
Have you ever been a victim
of credit/debit card fraud?
The answers to this question were quite surprising as 1/3 of people
(N=14) were victims of fraud. This result was not anticipated to be has
high, although shows that users are aware of the risks however
continue to accept it, possibly for reasons such as ease of use.
12 This is used to asses is people
are content with the new
contactless technology.
Estimated that people are
happy to gradually try new
technology.
Do you feel happy about
making payments through
Near Field Communication?
The results to Q12 are interesting because again over 70% of users
are happy to make small payments and have a misconception that If
they make a small payment of £15 or lower feel happy about this
process, however once a payment has been initiated the payment
process is in place and the payment amount is irrespective. The
benefits to having a transaction cap would restrict the usage of
physical theft of the phone.
13 Used to analyse the
awareness of any threats.
Majority no. Are you aware of any Near
Field Communication
attacks?
This result was expected, the overwhelming majority are not aware of
any attacks on NFC, this continues to show the awareness of the
product is not very good.
14 Finally, this is used to analyse
who is thought to be
responsible for the security
It will be considered that the
majority will go for a
combined effort.
Who would you consider
responsible for maintaining
the security of mobile
payments?
The final question finishes with understanding who the users believe
is responsible for maintaining the security of mobile payments (N=26,
60%) feel it should be a combined effort in securing the process, this
including the second highest with (N=18, 42%) believing the banks
should be responsible.

44
Appendix D
Threat Sources
Threat Sources
Source Name Description
Prope
rty
Capab
ility
Priorit
y
Threa
tLevel
Source of
Influe
ncer
Threa
t
Actor
Eavesdropping Attacker Eavesdropper is interested in C 3 3 Moderate
gaining information through I 3 3 Moderate In-House N N
NFC signals. A 4 3 Moderate
ATM Skimming Attacker Attacker modifies ATM used C 3 3 Moderate
to capture customers details I 4 3 Substantial In-House N N
A 3 3 Moderate
Mobile Phone (NFC) Scan Attacker uses mobile phone with C 3 3 Moderate
Attacker software installed to scan I 4 3 Substantial In-House N N
(See Figure 10) A 4 3 Substantial
Shop Skimming Attack Modified POS terminals used to C 4 2 Moderate
capture customers details. I 3 1 Low In-House N N
A 3 3 Moderate
Device Scanner Attack Attacker has POS device which can C 3 2 Low
pick up victims information I 4 3 Substantial In-House N N
when in close proximity. A 3 3 Moderate
Data Corruption and Data is corrupt when traversing from C 2 3 Low
Denial of Service NFC device to target device. I 3 4 Moderate In-House N N
A 4 2 Moderate
Physical phone theft Phone is physically stolen. C 4 3 Substantial
I 3 3 Moderate In-House N N
A 5 5 Severe
Lost phone No longer possess or retained. C 4 3 Substantial
I 3 3 Moderate In-House N N
A 5 5 Severe
Relay attack / Attacker intercepts and relays C 3 2 Low
Man-in-the-Middle Attack two way communications I 2 1 Negligible In-House N N
A 2 2 Negligible
Data Modification Altered data is sent to the target C 3 3 Moderate
device. I 3 2 Low In-House N N
A 4 2 Moderate
Electronic Leash / Walk off Intentionally opened access to NFC C 4 1 Low
channel remains open once the I 4 1 Low In-House N N
victim has left the vicinity. A 2 4 Low

45
Appendix E
Threat Response Planning
Ref
No.
Threat Name Approach
01 ATM Skimming attack Mitigate – Identify ways to reduce the
impact of the problem. Make ATM`s
less vulnerable to this form of attack -
Increase CCTV, increase training/
awareness for customers.
02 Mobile Phone (NFC) Scan Mitigate – Identify ways to reduce the
probability of the problem. Customer
awareness of attacks, foil case/wallet.
03 Shop Skimming attack Avoid – Eliminate the threat by
eliminating the cause. Ensure all staff
are correctly ID checked when
operating on machines, increase CCTV
surveillance around POS terminal,
train staff, check for visible alterations
to POS terminal.
04 Device scanner attack Mitigate – Identify ways to reduce the
probability of the problem. Customer
05 Data Corruption and Denial of
Service
Mitigate – Identify ways to reduce the
probability of the problem. User
06 Physical phone theft Transfer-Make another party
responsible for risk. Mobile telephone
insurance, id theft insurance.
07 Lost phone Transfer-Make another party
responsible for risk. Mobile telephone
insurance, id theft insurance.
08 Eavesdropping attack Mitigate – Identify ways to reduce the
09 Relay attack / Man-in-the-
Middle attack
10 Malicious application installed
in device
11 Data Modification Avoid - Eliminate the threat by
eliminating the cause - User awareness
of attacks, foil case/wallet.
12 Electronic Leash / Walk off Avoid – Reduce this window of
operations
Accept – Nothing will be done

46
Appendix F
Risk Assessment
Ref
No.
Threat Name Threat Description Vulnerability
Rating
Likelihood
Rating
Impact Overall Risk
rating
Conclusion/ Action Plan
01 ATM Skimming attack Modified ATM used to
capture customers
details.(ref)
Very High Very High Credit card details
stolen. Details used
online, over the phone
or card cloning.
High Equipment is easily attainable
and relatively easy to
implement. Check devices for
any suspicions alterations.
Easier to implement than shop
skimming attack. Cover PIN.
02 Mobile Phone (NFC)
Scan
Attacker uses mobile
phone with software
installed to scan (See
Figure 10)
Very High Very High Credit card details
or NFC mobile cloning.
High Attack is feasible with the
correct software installed on
attacking device. Close
proximity of victims card/NFC
phone is needed. Use foil
wallet and ensure NFC PIN is
active.
03 Shop Skimming attack Modified POS terminals
used to capture customers
details.
Very High High Credit card details
or card cloning.
High This attack could be carried
out by an inside
worker/engineer/temp staff
or by fraudster. Check and
maintain devices regularly for
any suspicions alterations.
04 Device scanner attack Attacker has POS device
which can pick up victims
information when in close
proximity (such as metro
or concert)
High Very High Credit card details
stolen.
High Ensure phone pin code is
activated. Metal foil wallet
prevents signal from
exposure.
05 Data Corruption and
Denial of Service
Data is corrupt when
traversing from NFC
device to target device.
Very High High Prevents transactions
occurring. Loss of
business
High Very easily achievable through
manipul.

47
06 Physical phone theft Phone is physically stolen. Very High Medium 1. Phone used to pay
for items.
2. Credit card details
stolen.
High The likelihood of a theft is
medium as theft could arise
from a loss. Phone should have
PIN and be blocked
immediately
07 Lost phone No longer possess or
retained.
High High 1. Phone used to pay
for items.
2. Credit card details
stolen.
High Phone should have PIN and be
blocked immediately
08 Eavesdropping attack RF signals picked up by
attacker’s antenna.
High High Information/ data
stolen. Credit card
details stolen.
Medium Ensure communication
channels are encrypted. Most
bank applications use their
own encryption therefore this
attack is considered medium
risk.
09 Relay attack / Man-in-
the-Middle attack
Attacker intercepts and
relays two way
communications
Medium Low Commination data is
intercepted without
either party’s
recognition. Credit
card details cloned.
Medium This attack is achievable (ref)
but very hard to carry out
therefore considered medium
risk.
10 Malicious application
installed in device
Malicious Application
installed on victim’s
device. Could be achieved
through undetectable
Bluetooth transmission or
direct access to victim’s
device.
Medium Low Credit card details
stolen.
Medium Attacker must first gain access
to install malicious software
onto victim’s device.
11 Data Modification Altered data is sent to the
target device.
Medium Low Target deceive
acknowledges
modified data as
original without victim
realising there is an
attack occurring.
Low Difficult to achieve the correct
modulation.
12 Electronic Leash /
Walk off
Intentionally opened
access to NFC channel
remains open once the
victim has left the vicinity.
Low Low Credit card details
stolen.
Low NFC functions are protected
by a time out after inactivity,
however this time lapse can be
maliciously extended (ref).

48
Appendices G– ATM Skimming
Previous Insert Slot
Fraudulent Overlay
Keypad
Fraudulent Card
Reader
Pin Hole Camera
Figure I: ATM Skimming

49
Appendix H - Case Study 2
Situation
 Anna is in Marks and Spencer carrying out her weekly shopping.
 She has all the goods she wants and decides to proceed to the checkout.
 At the checkout she has got two credit cards in her purse, a blue card
with contactless feature and red one without contactless.
 Anna has recently been paid into her red account which does not have
contactless functionality; therefore she decides to use this card to make
the payment.
Challenge
 Anna fully inserts her red card into the Chip and PIN terminal
preparing to pay for the goods.
Actions
 In her other had she is holding her blue contactless credit card – The
contactless transaction is wirelessly authorised from this card without
the use of a PIN.
 Anna continues with her chip and Pin transaction as it has already been
initiated.
Results
 Anna is unaware that both of her accounts have been charged with the
same transaction.
 Three months later Anna notices two transactions at Marks and
Spencer’s for exactly the same value at approximately the same period
of time.


50
Summary
A customer intends to make a purchase at a payment terminal however the
payment machine processes two identical amounts instead of the intended
single transaction.
Conclusion
This could be exploited by criminals and used as a spin off for other scenarios.
The likelihood of this happening for fraudulent purposes with a legitimate
merchant is low; however, this is a vulnerability which should be addressed to
prevent negative views on merchants using the contactless system.
Figure 15: Electronic Point of Sale Terminal (Murphy, 2012)

Report

More Related Content

What's hot

Similar to Report

Report