COMPUTING SCIENCE POS Terminal Authentication Protocol to Protect EMV Contactless Payment Cards

The original EMV protocol was designed to operate in a situation where the card holder removes their card from their wallet and insert the card into a Point of Sale (POS) terminal. The protocol operates predominantly in plaintext which was not a problem because the attackers needed to tamper with the POS to gain access to the information on the card. The introduction of contactless EMV cards exposes the mainly plaintext EMV protocol to a wireless interface. This allows attackers to use an off-the-shelf NFC reader to access the card without the cardholders knowledge and potentially whilst the card is still in their wallet. Research has demonstrated that contactless EMV cards are vulnerable to various attacks carried out using off-the-shelf equipment which is both cheap and easy to obtain. The proposed solution addresses these issues by having the card request that any NFC reader, attempting to initiate communication, must authenticate itself as a genuine bank issued POS. The POS does this using a Bank issued private key to sign a nonce provided by the card. About the authors Martin Emms is studying for a research PhD at Newcastle University's Centre for Cybercrime and Computer Security (CCCS). My research into potential vulnerabilities in the EMV payments system brought about by the introduction of Near Field Communications (NFC) payment technologies (i.e. NFC payment cards, mobile phone payments applications, NFC payment tags and NFC payment / top-up wrist bands). Supervised by Professor Aad van Moorsel with the School of Computing Science at Newcastle University. Martin has also been working with a local womenʼs support centre in the North East of England to better understand the issues faced by survivors of domestic violence. The main focus of this research has been enabling survivors to access online / electronic domestic violence support services without the fear of being caught by their abuser. His role has been to design new applications that can help survivors access support services without leaving tell-tale electronic footprints. Budi obtained his Bachelor of Computing Science with First Class Honours from Newcastle University in 1997. He had a one year placement (industrial training) during his undergraduate study with Mari Computer System Ltd. from 1995 to 1996. He went on to study for a PhD at Newcastle University with a scholarship from the School of Computing Science and an Overseas Research Studentship (ORS) from the British Council. He completed his PhD in July 2001 with a thesis entitled "A Framework for Supporting Automatic Simulation Generation from Design". He currently works as a Research Associate at the School of Computing Science. He had previously worked as a Research associate on the TrAmS, TRACKSS, Rodin and DIRC projects, as well as a Teaching Fellow between October 2008 and September 2010. Joseph Hannon is a final year Computer Science student (at Newcastle University) on route to a 1st in his MComp. His research interests include credit card security, malware and mobile development. Aad van Moorsel is a Professor in Distributed Systems and Head of School at the School of Computing Science in Newcastle University. His group conducts research in security, privacy and trust. Almost all of the group's research contains elements of quantification, be it through system measurement, predictive modelling or on-line adaptation. Aad worked in industry from 1996 until 2003, first as a researcher at Bell Labs/Lucent Technologies in Murray Hill and then as a research manager at Hewlett-Packard Labs in Palo Alto, both in the United States. He got his PhD in computer science from Universiteit Twente in The Netherlands (1993) and has a Masters in mathematics from Universiteit Leiden, also in The Netherlands. After finishing his PhD he was a postdoc at the University of Illinois at Urbana-Champaign, Illinois, USA, for two years. Aad became the Head of the School of Computing Science in 2012.