论文信息 - All You Can Eat or Breaking a Real-World Contactless Payment System

All You Can Eat or Breaking a Real-World Contactless Payment System

We investigated a real-world contactless payment application based on mifare Classic cards. In order to analyze the security of the payment system, we combined previous cryptanalytical results and implemented an improved card-only attack with customized low-cost tools, that is to our knowledge the most efficient practical attack to date. We found several flaws implying severe security vulnerabilities on the system level that allow for devastating attacks including identity theft and recharging the amount of money on the cards. We practically verify and demonstrate the attacks on the commercial system.

Christof Paar | Timo Kasper | Michael Silbermann

[1] Flavio D. Garcia,et al. Wirelessly Pickpocketing a Mifare Classic Card , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[2] Avishai Wool,et al. How to Build a Low-Cost, Extended-Range RFID Skimmer , 2006, USENIX Security Symposium.

[3] Christof Paar,et al. An Embedded System for Practical Security Analysis of Contactless Smartcards , 2007, WISTP.

[4] David Evans,et al. Reverse-Engineering a Cryptographic RFID Tag , 2008, USENIX Security Symposium.

[5] Nicolas Courtois,et al. The Dark Side of Security by Obscurity - and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime , 2009, SECRYPT.

[6] Flavio D. Garcia,et al. A Practical Attack on the MIFARE Classic , 2008, CARDIS.

[7] Bart Jacobs,et al. Dismantling MIFARE Classic , 2008, ESORICS.