Picking Up My Tab: Understanding and Mitigating Synchronized Token Lifting and Spending in Mobile Payment

Xiaolong Bai 1*, Zhe Zhou 2,3*, XiaoFeng Wang 3, Zhou Li 4, Xianghang Mi 3, Nan Zhang 3, Tongxin Li 5, Shi-Min Hu 1, Kehuan Zhang 2

1 Tsinghua University, 2 The Chinese University of Hong Kong, 3 Indiana University Bloomington, 4 IEEE Member, 5 Peking University
* Alphabetically ordered authors

Post on 30-May-2020



Mobile Payment – A Convenient Lifestyle

• Mobile payment is everywhere.
• Over 5 trillion US dollars in transactions.

Offline Mobile Payment

• A mobile payment method without network.
  • The mobile phone does not need a network connection.
  • The POS machine must be connected.
• Advantages.
  • Short delay.
  • Avoids poor network connections inside rooms.
  • Simple to use.
    • No need to enter a password.
    • Simply approach the phone to the POS.

Offline Mobile Payment Working Flow

• A hash value is carried inside the token.
• Security is based on the synchronized secret key.

[Figure: the app hashes Secret, Time and User ID into a Token and presents it to the POS, which forwards it to the Server; the server looks up the user's Secret in the User ID DB, recomputes the Hash over Time and Secret, compares it with the received value, and returns Accept/Reject (Ac/Rj).]

Security Guarantees

• Through hashing, a token is bound to
  • the time when it was generated, and
  • the user ID.
  • It cannot be forged without the synchronized secret.
• Tokens are hard to sniff.
  • Token transportation is designed to be distance-bound.
• Even if a token is sniffed:
  • A token, once received by the provider, is invalidated immediately.
  • A token is only valid for a short period of time.

Assumption: Passive Adversaries

• Passive attackers are already defended against, because a token, once sniffed, is also received by the provider and is invalidated immediately.

Break It with an Active Adversary

• But it is vulnerable to an active adversary!

Attacks against Offline Payment

• STLS attacks.
  • Synchronized Token Lifting and Spending.
• Steps
  • Acquire a live token.
  • Prevent it from being legitimately used.
  • Spend it at another place, before it expires.
• Targets

Samsung Pay

Known Attacks against Samsung Pay

• Previous paper: sniffing and replaying Samsung Pay tokens.
  • Assumption: passive attackers.
• The legitimate transaction is not interrupted.
  • The sniffed token is not alive.
  • Users are still secure enough.

STLS Attack against Samsung Pay

[Figure: attack setup, with distances labelled 3 inches and 2 meters.]

• Assumption: active attackers.
  • Standing close to the POS, the attacker can jam the network.

STLS Attack against Samsung Pay

• Token replay.

Devices to Launch the Attack

SoundPay

Attacking SoundPay – Adversary Model

Attacking SoundPay – Sniffing and Jamming

Attacking SoundPay – Colluder Side

STLS Attacks – QR Pay

• An extremely popular payment method.
• Payment modes
  • B2S mode: a phone scans a QR code printed on paper to pay.
  • B2L mode: a phone presents a QR code under the POS scanner to pay.

Adversary Model – QR Pay

• The payer's phone is infected with the attacker's malware.
  • The malware has the front-camera privilege.
    • For sniffing.
  • The malware can display a floating window.
    • To prevent tokens from being legitimately used.

STLS Attacks – QR Code Sniffing

Prevent Legitimate Scanning

• The malware draws a white block.
  • To prevent the code from being legitimately recognized.
  • The positioning mark is critical for decoding.
  • The POS machine can no longer decode the QR code.
• The sniffed QR code token is kept alive.
  • Attackers spend the token during this period.

P2P Mode Attacks

• What if you use an iPhone instead of an Android phone?
  • iPhone does not support background photo shooting with the front camera.
• What if your phone is not infected?
  • P2P mode: a phone scans a QR code on another phone to pay.
  • The QR code can also be used in B2L mode to pay merchants.

P2P Mode Attack Adversary Model

• The victim (payee) is not infected.
• The payer is infected with the attacker's malware.
  • It has exactly the same UI as the legitimate payment app.
  • It will be used to sniff the QR code token.
• The victim has turned on Bluetooth.
  • This can be exploited by the attacker to keep the token alive.

STLS Attacks – QR Code Sniffing

[Figure: Payee and Payer (infected).]

Preventing a Sniffed QR Code from Legitimate Scanning

[Figure: Refresh; (infected).]

STLS Attacks – Alipay's Action

• Alipay ceased P2P transfer through QR code this February.
  • Face-to-face money transfer moved to printed QR codes.
  • Users get an exclusive QR code for receiving money after application.

POSAUTH: Restrict the Use of Sniffed Tokens

• A live token can be spent anywhere, up to the upper-bound amount.
• A sniffed token cannot be spent remotely, once bound to the POS ID.

[Figure: tokens bound to POS IDs.]

POSAUTH

• Get the POS ID
  • by a front scan.
• Hash it into the token.
  • The token is bound to that POS.
• No hardware upgrade.
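The token flow from the working-flow slide and the POSAUTH binding, as an added Python model (not code from the paper or from any payment provider): the token tag is an HMAC-SHA256 over the user ID and a time slot, with the POS ID appended under POSAUTH. The hash construction, the 60-second slot length, the one-slot skew tolerance and the names (alice, shop-A, shop-B) are assumptions, since the slides do not give them. It shows that without POS binding a live token generated for one POS verifies at any other POS inside its window, while under POSAUTH the same token is rejected elsewhere, accepted once at the scanned POS, and rejected on replay.

```python
import hashlib
import hmac

# Constructed parameters (the slides give neither the hash construction nor the
# validity window): 60-second slots, one slot of skew tolerated, per-user secret.
TIME_STEP = 60

def make_token(secret, user_id, now, pos_id=None):
    """HMAC(secret, user ID | time slot [| POS ID]); pos_id=None is the original scheme."""
    fields = [user_id, str(now // TIME_STEP)]
    if pos_id is not None:
        fields.append(pos_id)  # POSAUTH: bind the token to one POS
    tag = hmac.new(secret, "|".join(fields).encode(), hashlib.sha256).hexdigest()
    return {"user_id": user_id, "tag": tag}

class Server:
    def __init__(self, user_secrets, pos_auth=False):
        self.user_secrets = user_secrets  # synchronized secret per user ID (the "User ID DB")
        self.pos_auth = pos_auth
        self.spent = set()

    def verify(self, token, pos_id, now):
        secret = self.user_secrets.get(token["user_id"])
        if secret is None or token["tag"] in self.spent:
            return False  # unknown user, or a token already received once
        for t in (now, now - TIME_STEP):  # current and previous slot only
            expected = make_token(secret, token["user_id"], t, pos_id if self.pos_auth else None)
            if hmac.compare_digest(expected["tag"], token["tag"]):
                self.spent.add(token["tag"])  # invalidated on first receipt
                return True
        return False

def original_scheme(now=1_000_000):
    """Token for shop-A, never received there (transaction interrupted), offered at shop-B."""
    secret = b"constructed-shared-secret"
    server = Server({"alice": secret})
    live = make_token(secret, "alice", now)  # carries no POS identity
    stale = make_token(secret, "alice", now - 3 * TIME_STEP)  # outside the window
    return {"live_spent_elsewhere": server.verify(live, "shop-B", now + 10),
            "stale_rejected": not server.verify(stale, "shop-A", now)}

def posauth_scheme(now=1_000_000):
    """POSAUTH: the app scans the POS ID first and hashes it into the token."""
    secret = b"constructed-shared-secret"
    server = Server({"alice": secret}, pos_auth=True)
    token = make_token(secret, "alice", now, pos_id="shop-A")
    return {"spent_elsewhere": server.verify(token, "shop-B", now + 10),
            "spent_at_pos": server.verify(token, "shop-A", now + 10),
            "replayed": server.verify(token, "shop-A", now + 20)}
```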

Q&A

• Offline payment schemes only considered passive attackers.
• Active attackers can keep the sniffed token alive by interrupting the transaction.
• Attackers can spend the token before it expires.

Security Vulnerabilities

• A token is bound to
  • the time when it was generated, and
  • the user ID,
  • but not to a specific transaction (amount, merchant ID, etc.).
• A live token can be spent by the attacker, once sniffed,
  • anywhere,
  • up to the upper-bound amount.

STLS Attacks – B2L Mode Attacks

• The white block prevents the QR code from being legitimately recognized.
• The front camera captures a picture containing the QR code.
• The background app can decode the QR code to get the token.
• The token can be spent at another place.