Rishab Nithyanand
Department of Computer Science
University of California - Irvine
rishabn@uci.edu

Abstract. Since 2006, three major systems have been implemented in an attempt to reduce the threat of credit card fraud: Chip and PIN (United Kingdom), the Chip Authentication Program - CAP (European Union), and RFID enabled credit cards (United States of America). In spite of a big effort by the EMV, there has been little evidence to demonstrate the success of these schemes in stopping fraudsters, scammers, and identity thieves. This may be attributed to combinations of poor usability, lack of trusted interfaces, the absence of smart-card cryptography that takes full advantage of the available computation resources, and inadequate authentication protocols. In this paper, we explain the shortcomings and vulnerabilities of each of these systems, and then explain the requirements of a secure and usable cashless payment system. We also describe a new RFID based protocol stack - SECAPS (Secure Cashless Payment System), which obviates many of the attacks on the current schemes by using the newly available computation resources on modern RFID tags.
1 Introduction
Credit and debit cards have long been accepted as a convenient alternative to carrying wads of cash in a wallet. However, while they have been accepted by the public, credit card fraud has been a rather expensive problem that has plagued societies around the world for more than a decade. Statistics from the United Kingdom alone indicate losses of over £609 million in 2008 due to card fraud [1]. There has been some significant effort over the last few years by the EMV to quell this problem, such as introducing Chip and PIN in the United Kingdom in 2006 [2], RFID enabled credit cards in the United States in 2006 [3], and the Chip Authentication Program in the European Union in 2007 [4].
1.1 Types of Credit Card
References

1. APACS - The UK Card Payments Association: Fraud - The Facts 2009. (2009)
2. APACS - The UK Card Payments Association: Chip and PIN Guide for Retailers.
3. Schwartz, J.: Researchers See Privacy Pitfalls in No-Swipe Credit Cards. New York Times. (2006)
4. Layden, J.: Barclays Deploys PINsentry to Fight Fraud.
5. Gilmore, G.: Card Details For Sale Online. Times Online, UK. (2008)
6. Heydt-Benjamin, T.S., Bailey, D.V., Fu, K., Juels, A., O'Hare, T.: Vulnerabilities in First-Generation RFID-Enabled Credit Cards. In: Financial Cryptography. (2007)
7. Adida, B., Clulow, J., Lin, A., Murdoch, S., Anderson, R., Rivest, R.: Phish and Chips (Traditional and New Recipes for Attacking EMV). (2006)
8. Adida, B., Clulow, J., Lin, A., Anderson, R., Rivest, R.: A Note on EMV Secure Messaging in the IBM 4758 CCA.
9. Lazarony, L.: On the Dark Side of Credit Card Fraud. Bankrate.com. (2002)
10. Cherry, P.: Fetching Fraudsters are Looking to Rip You Off, SQ Warns.
11. OnlyFinance.com: Three Brothers Jailed for Card Fraud. (2009)
12. Lineman, D.: Fake ATM Readers Steal Your Bank Card and PIN.
13. Matyas, V., Cvrcek, D., Krhovj, J., Kumpost, M.: Authorizing Card Payments with PINs. Computer 41(2) (2008) 64–68
14. Kirk, J.: Security Analyst: Las Vegas ATMs May Have Malware. PC World. (2009)
15. Blythe, S.: Method to Detect Man-in-the-Middle (MITM) or Relay Attacks. USPTO Application No.: 20090168997. (2009)
16. Anderson, R., Bond, M.: The Man-in-the-Middle Defence.
17. Hancke, G.: A Practical Relay Attack on ISO 14443 Proximity Cards. (2005)
23. Adams, A., Sasse, M.A.: Users Are Not the Enemy. Volume 42, New York, NY, USA, ACM (1999) 40–46
24. … The Netherlands, Elsevier Science Publishers B. V. (1993) 53–59
25. … Annual International Cryptology Conference on Advances in Cryptology, London, UK, Springer-Verlag (1990) 44–63
26. … for Untrustworthy Environments. In: SOUPS '07: Proceedings of the 3rd Symposium on Usable Privacy and Security, New York, NY, USA, ACM (2007) 169–170
27. … for RFID Applications. In: Workshop on RFID Security – RFIDSec'06, Graz, Austria, Ecrypt (July 2006)
31. Leyden, J.: Technical Problems Mar Barclay's PINSentry Roll-Out. The Register, UK. (2007)
33. Infineon Technologies AG: SLE 66CLxxxPE Contactless and Dual Interface Controller Family. (2009)
35. SkyeTek, Inc.: Data Sheet - SkyeTek SkyeModule M1 - Mini. (2009)
37. Blake-Wilson, S., Menezes, A.: Authenticated Diffie-Hellman Key Agreement Protocols. In: SAC '98: Proceedings of the Selected Areas in Cryptography, London, UK, Springer-Verlag (1999) 339–361
38. … USA, ACM (2006) 199–203
39. … (2004) 425–430