The NTIS website and supporting ordering systems are undergoing a major upgrade from 8PM on September 25th through approximately October 6. During that time, much of the functionality, including subscription and product ordering, shipping, etc., will not be available. You may call NTIS at 1-800-553-6847 or (703) 605-6000 to place an order but you should expect delayed shipment. Please do NOT include credit card numbers in any email you might send NTIS.
Documents in the NTIS Technical Reports collection are the results of federally funded research. They are directly submitted to or collected by NTIS from Federal agencies for permanent accessibility to industry, academia and the public.  Before purchasing from NTIS, you may want to check for free access from (1) the issuing organization's website; (2) the U.S. Government Printing Office's Federal Digital System website http://www.gpo.gov/fdsys; (3) the federal government Internet portal USA.gov; or (4) a web search conducted using a commercial search engine such as http://www.google.com.
Accession Number PB2013-102372
Title Computing Science: The Dangers of Verify PIN on Contactless Cards.
Publication Date May 2012
Media Count 14p
Personal Author A. van Moorsel B. Arief F. Hao J. Hannon M. Emms T. Defty
Abstract Contactless/Near Field Communication (NFC) card payments are being introduced around the world, allowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Although the terminal needs to be able to verify a PIN, it is not clear if such PIN verification features should be available on the NFC card itself. We show that contactless Visa payment cards have (largely redundant) functionality, Verify PIN, which makes them vulnerable to new forms of wireless attack. Based on careful examination of the Europay, MasterCard and Visa (EMV) protocol and experiments with the Visa fast Dynamic Data Authentication transaction protocol, we provide a set of building blocks for possible attacks. These building blocks are data skimming, Verify PIN and transaction relay, which we implement and experiment with. Based on these building blocks, we propose a number of realistic attacks, including a denial-of-service attack and a newly developed realistic PIN guessing attack. The conclusion of our work is that implementing Verify PIN functionality on NFC cards has no demonstrated benefits and opens up new avenues of attack.
Keywords Attack
Cards
Computer program verification
Credit cards
Data processing security
Debit cards
Europay MasterCard and Visa (EMV)
Functionality
Identification systems
Near Field Communication (NFC)
Payment systems
Personal identification number (PIN)
Point of sale
Relay
Skimming
Vulnerability


 
Source Agency University of Newcastle Department of Computing Science
NTIS Subject Category 62 - Computers, Control & Information Theory
96F - Banking & Finance
Corporate Author Newcastle upon Tyne Univ. (England).
Document Type Technical report
Title Note N/A
NTIS Issue Number 1304
Contract Number N/A

Science and Technology Highlights

See a sampling of the latest scientific, technical and engineering information from NTIS in the NTIS Technical Reports Newsletter

Acrobat Reader Mobile    Acrobat Reader