investigation into nfc contactless transactions
TRANSCRIPT
An Investigation into the Vulnerabilities of Near Field Communication Contactless Transactions
• Introduction
• Problem
• Approach
• Research
• Analysis
• Experiments and Testing
• Results
• Evaluation
Why this project?
• NFC technology expected to increase in popularity.
• Gaining deeper understanding of the technology.
• Find out how secure it actually is.
• Many business sectors can associate with this technology.
Identify Problem
• 1.5 billion euros in credit card fraud (Europol, 2012).
• 853 million card purchases per month (UK Cards Association).
• 92% of adults personally own/use a mobile telephone (Ofcom, 2012).
Approach
3 documents:
• Dissertation
• Report
• Brief
Soft Systems Methodology
PRINCE2
Research
Literature research.
• Understand the technology.
• To understand the transaction process and stages involved.
Questionnaires.
• Users' perception.
Analyse
• Assess areas of weakness or possible exploit.
• Analyse threat vectors.
• Categorise risk.
Experiment and Testing: ACR122U
• Data extraction.
• Decrypt online.
• Feasibility attack.
• BackTrack.
• Penetration test – credit card clone.
Experiment and Testing: Arduino Testing
• Understanding the physical components.
• Programming elements.
• In-depth understanding.
• Bought RFID board online.
• Solder.
• Program board.
Experiment and Testing: Penetration Testing
• Aim – Apply extracted data to blank card magnetic strip.
Results
Various types of attack are possible.
• Experiment 1 – Possible to extract card information wirelessly.
• Experiment 2 – Understanding components involved.
• Experiment 3 – Applying credit card details to blank card.
Financial Impact Analysis
• Credit card details obtained.
• Potentially high losses to business and user.
• 116 (average transactions/day) x £100 (limit) = £11,600
Number of Credit Card   Duration   Card Limit   Card Limit   Card Limit
Details Obtained        (Months)   £100         £200         £300
1                       12         £1,200       £2,400       £3,600
5                       12         £6,000       £12,000      £18,000
10                      12         £12,000      £24,000      £36,000
25                      12         £30,000      £60,000      £90,000
50                      12         £60,000      £120,000     £180,000
75                      12         £90,000      £180,000     £270,000
100                     12         £120,000     £240,000     £360,000
150                     12         £180,000     £360,000     £540,000
300                     12         £360,000     £720,000     £1,080,000
600                     12         £720,000     £1,440,000   £2,160,000
Discussion
Details can be used:
• Online.
• Phone. (32% increase)
• Applied to card.
Countermeasures
• Wireless blocking.
• Remain vigilant.
• Check bank statements.
• Biometrics. (Banks)
• Awareness
• Training
Summary
• Researched the operations of NFC.
• Investigated the vulnerabilities and areas of exploit.
• Discovered possible threats.
• Carried out technical risk assessment.
• Tested contactless cards.
• Built NFC prototype.
• Demonstrated attacks including penetration testing.
• Derived financial impact analysis.
• Given future recommendations.
Conclusion
Questions?
Research Area Space
• Who uses this technology?
• Incentive
• Questionnaire: users' perception of the technology?
• Understand how NFC operates/components.
• Areas of vulnerability?