An online security protocol for NFC payment: Formally analyzed with the Scyther tool

NFC technology is now integrated into bank cards, smartphones and point-of-sale terminals so that payment transactions can be executed immediately, without any physical contact. EMV is the standard intended to secure both contact (traditional) and contactless NFC payment operations, but researchers have in recent years found security vulnerabilities in it. In this paper we therefore present the risks entailed by the vulnerabilities of EMV, in particular those at stake in NFC payment, and, to overcome these weaknesses, we propose a new security protocol based on online communication with a trusted entity. The proposal is intended to secure contactless NFC payment transactions made with NFC bank cards, i.e. unconnected client payment devices (no Wi-Fi or 4G of their own), so any online step has to be relayed by the terminal. The security verification tool Scyther is used to analyze the correctness of the proposal.
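As an added illustration of what a Scyther analysis of such a protocol looks like (this is example code written for this page, not the protocol proposed in the paper, whose messages the abstract does not give): a minimal SPDL model with three roles, a card C that shares a long-term key k(C,S) with the trusted server S, a terminal T that shares k(T,S) with S, and T relaying between C and S because the card has no network of its own. The message contents, the `mac` function, the `Amount` and `Status` types and the constant `ok` are all assumptions of this example.

```spdl
/*
 * Added example: a minimal online authorisation protocol for an
 * unconnected NFC card, written in Scyther's SPDL.  This is NOT the
 * paper's protocol; message contents, the mac function and the
 * constant ok are assumptions made for illustration.
 *
 * Roles: C = NFC card, T = terminal, S = trusted online server.
 * k(C,S) and k(T,S) are Scyther's built-in long-term shared keys.
 * The card has no link of its own, so every message to or from S
 * passes through T.
 */

usertype Nonce;
usertype Amount;
usertype Status;
hashfunction mac;     // keyed MAC: mac(key, fields...) is one-way in Scyther
const ok: Status;     // server verdict carried back to T and C

protocol OnlineNFC(C, T, S)
{
    role C
    {
        fresh nc: Nonce;
        var nt: Nonce;
        var amt: Amount;

        // 1. terminal announces itself, a challenge and the amount (unauthenticated)
        recv_1(T, C, T, nt, amt);
        // 2. card answers with its own nonce and a MAC only S can verify
        send_2(C, T, C, nc, mac(k(C,S), C, T, nc, nt, amt));
        // 5. confirmation from S, relayed by T, bound to both nonces and the amount
        recv_5(T, C, {ok, C, T, nc, nt, amt}k(C,S));

        claim_C1(C, Alive);
        claim_C2(C, Weakagree);
        claim_C3(C, Niagree);
        claim_C4(C, Nisynch);
    }

    role T
    {
        fresh nt: Nonce;
        fresh amt: Amount;
        var nc: Nonce;
        var m1: Ticket;   // opaque card MAC, forwarded unchanged
        var m2: Ticket;   // opaque confirmation for the card, forwarded unchanged

        send_1(T, C, T, nt, amt);
        recv_2(C, T, C, nc, m1);
        // 3. terminal forwards the whole transaction to the trusted server
        send_3(T, S, C, T, nc, nt, amt, m1);
        // 4. server verdict for T (checked here) plus the card's confirmation
        recv_4(S, T, {ok, C, T, nc, nt, amt}k(T,S), m2);
        send_5(T, C, m2);

        claim_T1(T, Alive);
        claim_T2(T, Weakagree);
        claim_T3(T, Niagree);
        claim_T4(T, Nisynch);
    }

    role S
    {
        var nc: Nonce;
        var nt: Nonce;
        var amt: Amount;

        // the pattern in recv_3 makes S verify the card's MAC before answering
        recv_3(T, S, C, T, nc, nt, amt, mac(k(C,S), C, T, nc, nt, amt));
        send_4(S, T, {ok, C, T, nc, nt, amt}k(T,S), {ok, C, T, nc, nt, amt}k(C,S));

        claim_S1(S, Alive);
        claim_S2(S, Weakagree);
        claim_S3(S, Niagree);
        claim_S4(S, Nisynch);
    }
}
```

Save this as a `.spdl` file and open it in the Scyther GUI or pass it to the command-line binary; Scyther then tries to falsify each claim for a bounded number of runs and draws an attack graph for any claim that fails. Its verdict for this toy model is not reproduced here. Three things a practitioner should keep in mind when reading such a result: claims are only evaluated for runs in which all agents are honest, so a rogue terminal is simply the Dolev-Yao adversary; message 1 is deliberately left unauthenticated, so whether the card's Niagree claim with the terminal (agreement on the amount) holds is exactly the question the tool is being asked; and a pure relay attack, in which an attacker forwards messages unchanged between a distant card and terminal, is indistinguishable from honest forwarding in this model and will never be reported, since Scyther has no notion of distance or time.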
