Dennis Giese,Kevin Liu,Michael Sun,Tahin Syed,Linda Zhang

DOI: https://doi.org/10.48550/arXiv.1904.10623

2019-04-24

Abstract:Near-Field Communication (NFC) is a modern technology for short range communication with a variety of applications ranging from physical access control to contactless payments. These applications are often heralded as being more secure, as they require close physical proximity and do not involve Wi-Fi or mobile networks. However, these systems are still vulnerable to security attacks at the time of transaction, as they require little to no additional authentication from the user's end. In this paper, we propose a method to attack mobile-based NFC payment methods and make payments at locations far away from where the attack occurs. We evaluate our methods on our personal Apple and Google Pay accounts and demonstrate two successful attacks on these NFC payment systems.

Cryptography and Security

Kui Ren,Qian Wang,Di Ma,Xiaohua Jia

DOI: https://doi.org/10.1109/mwc.2014.7000983

IF: 12.777

2014-01-01

IEEE Wireless Communications

Abstract:As an emerging advanced short-range communication technology, near field communication (NFC) is undergoing a fast rate of expansion with many promising benefits including low power, small size, and peer-to-peer communication, without incurring complex network configuration overhead. However, current NFC technologies suffer from one practical limitation: almost all NFC-enabled applications require built-in NFC chipsets, and as a result such low levels of penetration of NFC hardware has stymied its applications on most mobile devices in the market, for example, smartphone and tablet platforms. In addition, from the security perspective the confidentiality of the transmitted data has not been satisfactorily addressed by current NFC technologies, which do not incorporate any security at the physical or MAC layers by assuming that the extremely short range of communication itself has offered a degree of protection physically.Therefore, great interest has been aroused in the practicality and security enhancement of NFC technologies. In this article we discuss alternative NFC technologies, with an emphasis on barcode-based NFC and acoustics-based NFC, which are compatible with legacy devices and existing infrastructure and can provide a high level of security guarantee. Following a brief overview of barcode-based and acoustics-based short-range communications respectively, for each technology we present the major technical hurdles to be overcome and the state-of-the-art, and finally offer a vision of the future research issues on these two promising technologies.

Fan Dang,Pengfei Zhou,Zhenhua Li,Yunhao Liu

DOI: https://doi.org/10.1109/infcomw.2017.8116391

2017-01-01

Abstract:Automated fare collection (AFC) systems have been widely applied to practical transportation due to their convenience. Although there are many potential threats of NFC such as eavesdropping, data modification, and relay attacks, NFC based AFC systems are considered secure, due to the limited 10cm communication distance. Nevertheless, the proliferation of NFC-equipped mobile phones make such system venerable. We introduce and implement an attack on AFC cards that permits an attacker to top up his smart card and get a refund. We also propose possible countermeasures to defend against these attacks.

Iakovos Gurulian,Carlton Shepherd,Konstantinos Markantonakis,Raja Naeem Akram,Keith Mayes

DOI: https://doi.org/10.48550/arXiv.1605.00425

2016-05-02

Cryptography and Security

Abstract:Over the past decade, smartphones have become the point of convergence for many applications and services. There is a growing trend in which traditional smart-card based services like banking, transport and access control are being provisioned through smartphones. Smartphones with Near Field Communication (NFC) capability can emulate a contactless smart card; popular examples of such services include Google Pay and Apple Pay. Similar to contactless smart cards, NFC-based smartphone transactions are susceptible to relay attacks. For contactless smart cards, distance-bounding protocols are proposed to counter such attacks; for NFC-based smartphone transactions, ambient sensors have been proposed as potential countermeasures. In this study, we have empirically evaluated the suitability of ambient sensors as a proximity detection mechanism for contactless transactions. To provide a comprehensive analysis, we also collected relay attack data to ascertain whether ambient sensors are able to thwart such attacks effectively. We initially evaluated 17 sensors before selecting 7 sensors for in-depth analysis based on their effectiveness as potential proximity detection mechanisms within the constraints of a contactless transaction scenario. Each sensor was used to record 1000 legitimate and relay (illegitimate) contactless transactions at four different physical locations. The analysis of these transactions provides an empirical foundation on which to determine whether ambient sensors provide a strong proximity detection mechanism for security-sensitive applications like banking, transport and high-security access control.

Zhiguang Qin

2007-01-01

Abstract:This paper analyzes the international standard of Near Field Communication (NFC). Authors survey the developing history of the technology; describe the current status, as well as point out the tendency of them. The model in commercial environment and the problems of application development are analyzed. Security has become an important factor in application. So authors also discuss the security problems from link level and application level. This paper analyses the existing problems and the goal of further developments.

Shaik Shakeel Ahamad

DOI: https://doi.org/10.1109/access.2021.3139065

IF: 3.9

2022-01-01

IEEE Access

Abstract:The unprecedented growth of mobile applications promoted the usage of these mobile applications for payments. The current research works in mobile payments and commerce are prone to reverse-engineering attacks and lacked transport layer protection, so these research works do not ensure security. Therefore, such attacks on Mobile Payment Applications (MPA) will be successful, which leads to severe financial loss. To address these issues, we propose a secure framework incorporating a defense-in-depth approach for Near Field Communication (NFC) based mobile payment frameworks. Our defense-in-depth approach has three levels, i.e., Defense at hardware, mobile application, and communication level. We have proposed a NFC based Secure Protocol for Mobile Transaction (NSPMT) protocol and successfully verified a mobile payment protocol with BAN (Burrows, Abadi, and Needham) logic and Scyther tool, and our proposed protocol overcome multi-protocol attack, RAM (Random Access Memory) scrapping attack, DOS (Denial Of Service), DDOS (Distributed Denial Of Service), and Phlashing attacks. Our proposed mobile Payment system overcomes the known mobile application vulnerabilities, including Heartbleed and ROBOT (Return Of Bleichenbacher’s Oracle Threat). Our proposed protocol ensures all the security properties and the energy and communication cost and computational cost are far less than the existing works in the literature. Finally, we have successfully implemented our protocol using kotlin language in Android Studio, with two Mobile Payment Applications (MPA) and POS Payment Application (PPA), Elliptic Curve Digital Signature Algorithm (ECDSA) is used and Advanced Encryption Standard (AES) with GCM (Galois/Counter Mode) mode is used for encryption and decryption of Customer Payment Data at MPA and PPA.

computer science, information systems,telecommunications,engineering, electrical & electronic

Konstantinos Markantonakis,Julia A. Meister,Iakovos Gurulian,Carlton Shepherd,Raja Naeem Akram,Sarah Hani Abu Ghazalah,Mumraiz Kasi,Damien Sauveron,Gerhard Hancke

DOI: https://doi.org/10.1109/access.2024.3479729

IF: 3.9

2024-10-25

IEEE Access

Abstract:Near-Field Communication (NFC) has enabled mobile devices to emulate contactless smart cards, which has also rendered them susceptible to relay attacks. Numerous countermeasures have been proposed that use ambient sensors as an anti-relay mechanism. However, there are concerns regarding their efficacy in time-critical scenarios, such as transport ticketing and contactless payments. This paper empirically and comprehensively evaluates whether ambient sensors are an effective anti-relay mechanism for such NFC-based contactless transactions. To this end, we examine 17 sensors available via the Android platform. Each sensor, where feasible, was used to record measurements in 1,000 contactless transactions with 252 users across four physical locations. We then conduct an extensive four-part evaluation using similarity metrics, traditional machine learning models, and deep learning methods used in existing work and beyond. We conclude that mobile ambient sensors are currently unsuitable for detecting relay attacks on NFC contactless transactions under realistic timing constraints, contrary to the suggestions and proposals made in existing work.

computer science, information systems,telecommunications,engineering, electrical & electronic

Luciano Gavoni

DOI: https://doi.org/10.48550/arXiv.2110.00094

2021-10-01

Abstract:Radio Frequency Identification (RFID) systems are among the most widespread computing technologies with technical potential and profitable opportunities in numerous applications worldwide. Further, RFID is the core technology behind the Internet of Things (IoT), which can accomplish the real-time transmission of information between objects without manual operation. However, RFID security has been taken for granted for several years, causing multiple vulnerabilities that can even damage human functionalities. The latest ISO/IEC 18000-63:2015 standard concerning RFID dates to 2015, and much freedom has been given to manufacturers responsible for making their devices secure. The lack of a substantial standard for devices that implement RFID technology creates many vulnerabilities that expose end-users to elevated risk. Hence, this paper gives the reader a clear overview of the technology, and it analyzes 23 well-known RFID attacks such as Reverse Engineering, Buffer Overflow, Eavesdropping, and Malware. Moreover, given the exceptional capabilities and utilities of RFID devices, this paper has focused on security measures and defenses for protecting them, such as Active Jamming, Shielding tag, and Authentication.

Cryptography and Security

Seung-Su Yang,Young-Hwan Jang,Min-Hyung Park,Seok-Cheon Park,Hyung-Joon Kim

DOI: https://doi.org/10.1007/s11277-021-08139-2

IF: 2.017

2021-02-09

Wireless Personal Communications

Abstract:NFC (Near Field Communication) is widely used in day-to-day applications such as in credit cards and smartphones. thus, RFID (Radio Frequency Identification) is being replaced by NFC in many applications. However, the access control system operates on RFID. The existing RFID-based access control systems provide only passive communication, and the authentication process is fragile and vulnerable to malicious hacking because the user information is stored by the reader. Therefore, in this study, we designed and implemented an access control system that uses the NFC-based active authentication technique. To evaluate the system implemented in this study, we performed comparison analysis with the existing NFC security authentication protocols based on whether they provided mutual authentication and whether they could respond to major security threats. The evaluation results showed that the proposed protocol normally supported mutual authentication functions between NFC devices, and ensured secure wireless communications by tackling major security threats that might occur in NFC security authentication protocols.

telecommunications

Ikuesan R. Adeyemi,Norafida Bt. Ithnin

DOI: https://doi.org/10.48550/arXiv.1210.1647

2012-10-05

Abstract:Security and Privacy concerns in Radio frequency identification (RFID) technology particularly RFID Card, is a wide research area which have attracted researchers for over a decade. Authenticating users at the Card end of the RFID technology constitutes one of the major sources of attacks on the system. In this research, we studied the various known attacks and mitigation available. We proposed a conceptual framework that that can be used to mitigate the unauthorized use of RFID Card. This concept will mitigate the single point of the RFID card failure: unauthorized use.

Cryptography and Security

Chalee Thammarat

DOI: https://doi.org/10.3390/sym12101649

2020-10-09

Symmetry

Abstract:The standard protocol of near field communication (NFC) has concentrated primarily on the speed of communication while ignoring security properties. Message between an NFC-enabled smartphone and a point of sale are exchanged over the air (OTA), which is a message considered an authentication request for payment, billing, ticketing, loyalty services, identification or access control. An attacker who has an antenna can intercept or manipulate the exchanged messages to take advantage of these. In order to solve this problem, many researchers have suggested authentication methods for NFC communications. However, these remain inadequate transaction security and fairness. In this paper, we will propose a technique that ensures mutual authentication, security properties, and strong fairness. Mutual authentication is a security property that prevents replay attacks and man-in-the-middle attacks. Both fair exchange and transaction security are also significant issues in electronic transactions with regards to creating trust among the parties participating in the transaction. The suggested protocol deploys a secure offline session key generation technique to increase transaction security and, importantly, make our protocol lightweight while maintaining the fairness property. Our analysis suggests that our protocol is more effective than others regarding transaction security, fairness, and lightweight protocol. The proposed protocol checks robustness and soundness using Burrows, Abadi and Needham (BAN) logic, the Scyther tool, and automated validation of internet security protocols and applications (AVISPA) that provide formal proofs for security protocols. Furthermore, our protocol can resolve disputes in case one party misbehaves.

Zhao Wang,Zhigang Xu,Wei Xin,Zhong Chen

DOI: https://doi.org/10.1109/imccc.2012.40

2012-01-01

Abstract:NFC(near field communication) technology is a kind of technology to provide close RFID communication channel on mobile devices. Peer-to-Peer applications based on mobile equipment rely on NFC. The NFC system is facing a security problem that it is susceptible to a relay attack. This paper discusses the realization of relay attack on a legitimate peer-to-peer NFC. The attackers use mobile phones with the NFC function of the Android platform, and install the programs on the mobile phones, can finish the attack. While these attack programs only need to call the public NFC protocol API, without illegal intrusion to device memory. On this foundation, how the existing NFC protocol to avoid the above attack is discussed.

Xiuqing Chen,Tianjie Cao,Robin Doss,Jingxuan Zhai

DOI: https://doi.org/10.1007/s11277-017-4449-z

IF: 2.017

2017-01-01

Wireless Personal Communications

Abstract:Radio Frequency Identification (RFID) technology is expected to play a key role in the Internet of Things (IoT) and has applications in a wide variety of domains ranging from automation to healthcare systems. Therefore, the security and privacy of RFID communication is critical. In this paper, we analyze two recent RFID protocols proposed by researchers. Specifically we show that the ownership transfer protocol proposed by Wang et al., is vulnerable to tracing attacks while the mutual authentication protocol proposed by Cho et al. is vulnerable to key disclosure and backward traceable attacks. We propose secure improvements to these protocols to address the vulnerabilities, and improve the scalability of these schemes making them suitable for large-scale deployments.

Kai Fan,Panfei Song,Zhao Du,Haojin Zhu,Hui Li,Yintang Yang,Xinghua Li,Chao Yang

DOI: https://doi.org/10.1007/978-3-319-42836-9_11

2016-01-01

Abstract:As one of the most important techniques in IoT, NFC (Near Field Communication) is more interested than ever. NFC is a short-range, high-frequency communication technology well suited for electronic tickets, micro-payment and access control function, which is widely used in the financial industry, traffic transport, road ban control and other fields. However, NFC is becoming increasingly popular in the relevant field, but its secure problems, such as man-in-the-middle-attack, brute force attack and so on, have hindered its further development. To address the security problems and specific application scenarios, we propose a NFC mobile electronic ticket secure payment and verification scheme in the paper. The proposed scheme uses a CS E-Ticket and offline session key generation and distribution technology to prevent major attacks and increase the security of NFC. As a result, the proposed scheme can not only be a good alternative to mobile e-ticket system but also be used in many NFC fields. Furthermore, compared with other existing schemes, the proposed scheme provides a higher security.

Steffen Klee,Alexandros Roussos,Max Maass,Matthias Hollick

DOI: https://doi.org/10.48550/arXiv.2008.03913

2020-08-10

Abstract:Near-Field Communication (NFC) is being used in a variety of security-critical applications, from access control to payment systems. However, NFC protocol analysis typically requires expensive or conspicuous dedicated hardware, or is severely limited on smartphones. In 2015, the NFCGate proof of concept aimed at solving this issue by providing capabilities for NFC analysis employing off-the-shelf Android smartphones. In this paper, we present an extended and improved NFC toolkit based on the functionally limited original open-source codebase. With in-flight traffic analysis and modification, relay, and replay features this toolkit turns an off-the-shelf smartphone into a powerful NFC research tool. To support the development of countermeasures against relay attacks, we investigate the latency incurred by NFCGate in different configurations. Our newly implemented features and improvements enable the case study of an award-winning, enterprise-level NFC lock from a well-known European lock vendor, which would otherwise require dedicated hardware. The analysis of the lock reveals several security issues, which were disclosed to the vendor.

Cryptography and Security

Vinod Kumar,Rakesh Kumar Jha,Sanjeev Jain

DOI: https://doi.org/10.1007/s11277-020-07346-7

IF: 2.017

2020-04-15

Wireless Personal Communications

Abstract:In the past few years, the term Internet of Things (IoT) has become very prevalent. In IoT, aggregation of data (from sensors) to processing the data (to the cloud) is energy constraint. To address this challenge, Narrowband- Internet of Things (NB-IoT) is becoming a popular choice for smart devices manufacturer due to its characteristics of high energy-efficient and long battery life. Researchers and academia have addressed the problem related to energy constraints, but it opens the door for security issues related to NB-IoT devices. In this paper, we have done a survey closely related to security issues related to NB-IoT technologies like RFID, WSN, WoT, and IoT. IoT is enabled with five-layered architectures, and each layer is <i>prone</i> to different security attacks. In this paper, we have provided a comparative analysis of security issues in a layer-based approach. We propose the different possible security attacks like shared node attack, synchronization attack, node failure attack, source code attack, and battery drainage attack associated with NB-IoT. To do the performance analysis of security attacks, related matrix, and their mathematical formulation is based on Secrecy Rate and Secrecy Outage Probability for the smart home application. This paper also raises security issues related to smart health and smart agriculture applications.

telecommunications

Yafei Ji,Luning Xia,Jingqiang Lin,Qiongxiao Wang,Lingguang Lei,Li Song

DOI: https://doi.org/10.1007/978-3-030-14234-6_18

2018-01-01

Abstract:Near field communication (NFC) is an emerging and promising technology envisioned to support a large gamut of applications such as payment and ticketing applications. Unfortunately, there emerges a variety of vulnerabilities that could leave an unwitting user vulnerable to attacks along with the increase of NFC applications. One such potential devastating attack is relay attack, in which adversaries establish a transparently transferring channel between two distant NFC-enabled devices, thus break the assumption that NFC can only work within a rather near distance. In this paper, we propose Chord, an effective method for detecting relay attack. Via measuring the strength of received signal, i.e, the Received Signal Strength Indication (RSSI) during a time span, the two devices are expected to get the same “trace” of RSSI’s variation because of physical proximity. Therefore, the relay attack can be revealed if the peers get a different “trace” from each other, which implies that they do not communicate directly via NFC link. The results of our implementation show that our proposal works as intended, and exhibits an improvement of security with reasonable performance impact.

Samir Chabbi,Rachid Boudour,Fouzi Semchedine,Djalel Chefrour

DOI: https://doi.org/10.1080/19393555.2020.1773583

2020-06-04

Information Security Journal: A Global Perspective

Abstract:Near Field Communication (NFC) technology has been used recently for electronic payment between an Automated Teller Machine (ATM) and a Smartphone. It is threatened by several attacks that can steal the user personal data like the password or the Personal Identification Number (PIN). In this paper, we present Dynamic Array PIN (DAP), a novel approach for user authentication on a Smartphone that uses NFC electronic payment with an ATM. Our analysis and experimentation prove that this technique protects against thirteen different attacks and is cost-effective in terms of required hardware, authentication time, computing power and storage space.

Fan Dang,Pengfei Zhou,Zhenhua Li,Ennan Zhai,Aziz Mohaisen,Qingfu Wen,Mo Li

DOI: https://doi.org/10.1109/INFOCOM.2017.8057219

2017-01-01

Abstract:Automated Fare Collection (AFC) systems have been globally deployed for decades, particularly in public transportation. Although the transaction messages of AFC systems are mostly transferred in plaintext, which is obviously insecure, system operators do not need to pay much attention to this issue, since the AFC network is well isolated from public network (e.g., the Internet). Nevertheless, in recent years, the advent of Near Field Communication (NFC)-equipped smartphones has bridged the gap between the AFC network and the Internet through Host-based Card Emulation (HCE). Motivated by this fact, we design and practice a novel paradigm of attack on modern distance-based pricing AFC systems, enabling users to pay much less than actually required. Our constructed attack has two important properties: 1) it is invisible to AFC system operators because the attack never causes any inconsistency in the backend database of the operators; and 2) it can be scalable to large number of users (e.g., 10,000) by maintaining a moderate-sized AFC card pool (e.g., containing 150 cards). Based upon this constructed attack, we developed an HCE app, named LessPay. Our real-world experiments on LessPay demonstrate not only the feasibility of our attack (with 97.6% success rate), but also its low-overhead in terms of bandwidth and computation.

Fikret Basic,Claudia Rosina Laube,Christian Steger,Robert Kofler

DOI: https://doi.org/10.1109/RFID54732.2022.9795979

2023-11-21

Abstract:In modern systems that rely on the use of Battery Management Systems (BMS), longevity and the re-use of battery packs have always been important topics of discussion. These battery packs would be stored inside warehouses where they would need to be properly monitored and configured before their re-integration into the new systems. Traditional use of wired connections can be very cumbersome, and sometimes even impossible, due to the outer layers and packaging. To circumvent these issues, we propose an extension to the conventional BMS design that incorporates the use of Near Field Communication (NFC) for the purpose of wireless battery pack status readout. Additionally, to ensure that these packs are only managed by authenticated devices and that the data that is communicated with is protected against outside eavesdropping and tampering, we present a solution in the form of a lightweight security layer on top of the NFC protocol. To show the feasibility of our design, an accompanying prototype has been implemented and evaluated.

Cryptography and Security,Hardware Architecture,Systems and Control