Contactless Payments with Mobile Wallets. Overview and Technology

Transcription

1 Contactless Payments with Mobile Wallets Overview and Technology

2

3 History of Contactless Systems Upass (smartcard) a pre-paid card for the transportation system in Seoul and its suburbs, first used in June Octopus Card (smartcard) a rechargeable contactless stored value smart card for making electronic payments in online or offline systems in Hong Kong. Launched in September 1997 to collect fares for the territory's mass transit system, the Octopus card system is the second contactless smart card system in the world, after Upass, and has since grown into a widely used payment system for all public transport in Hong Kong. The Octopus card was introduced for fare payment on the MTR initially, but the use of the card quickly expanded to other retail businesses in Hong Kong. The card is now commonly used in most, if not all, major public transport, fast food restaurants, supermarkets, vending machines, convenient stores, photo booths, parking meters, car parks and many other retails business where small payment are frequently made by customers.

4 History of Contactless Systems Mobile Speedpass (keytag) Introduced in 1997, It was originally developed by Verifone. At one point, Speedpass was deployed experimentally in fast-food restaurants and supermarkets in select markets. McDonald's alone deployed Speedpass in over 400 Chicago area restaurants. Additionally, Stop & Shop grocery chain tested Speedpass at their Boston area stores, but removed the units in early The test was deemed a failure and McDonald's removed the scanners from all their restaurants in mid 2004.

5 Current Contactless Credit Cards Credit card companies launched contactless credit cards in Other form factors were also available, including miniature keyring credit cards and key tags (similar to Mobile SpeedPass). Contactless runs over the same chip and PIN network as normal credit and debit card transactions, there is a payment limit on single transactions and contactless cards can only be used a certain number of times before customers are asked for their PIN. Contactless debit and credit transactions are protected by the same fraud guarantee as standard transactions. All use of the contactless cards are based on the merchant hardware.

6 Contactless Credit Card Types Contactless MSD (magnetic swipe data) Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only distributed in the USA. Payment occurs in a similar fashion to magstripe, without a PIN and often in off-line mode (depending on parameters of the terminal). The security level of such a transaction is better than a mag-stripe card, as the chip cryptographically generates a code which can be verified by the card issuer's systems.

7 Contactless Credit Card Types Contactless EMV (Europay Mastercard Visa) Contactless EMV cards have two interfaces (contact and contactless) and work as a normal EMV card via their contact interface. The contactless interface (a small chip embedded in the card, similar to current PIV/CAC) provides similar data to a contact EMV transaction, but usually a subset of the capabilities (e.g. usually issuers will not allow balances to be increased via the contactless interface, instead requiring the card to be inserted into a device which uses the contact interface). EMV cards may carry an "offline balance" stored in their chip, similar to the electronic wallet or purse that users of transit smartcards are used to.

8 Merchant Side American Express ExpressPay (introduced in 2005) MasterCard PayPass (introduced in 2005) Visa paywave (introduced in 2007) Discover Zip

9 Standards for Contactless Smartcards ISO/IEC Identification cards -- Contactless integrated circuit cards -- Proximity cards ISO/IEC :2008 Part 1: Physical characteristics ISO/IEC :2010 Part 2: Radio frequency power and signal interface ISO/IEC :2011 Part 3: Initialization and anticollision ISO/IEC :2008 Part 4: Transmission protocol

10 Technology

11 Wi-Fi Wi-Fi: Already dominated for internet usage, Wi-fi s responsibilities are now beginning to include mobile payments over the internet. Information that would be be communicated would include any information that may be stored for convenience. Passwords Credit/Debit Cards Locations

12 Wi-Fi Wi-Fi Encryption/Authentication has been in place for years. In this case, Over Wi-Fi, the passed data can include: Location Information Financial Information Billing Address Credit Card Information Transaction Information (What was purchased, How Much? Etc.) What was purchased? Item Prices as well as purchase methods (Cards/Gift Cards)

13 Near Field Technology NFC enables devices to share information at a distance less than 4 centimeters with a maximum communication speed of 424kbps. Users can share business cards, make transactions, access information from smart posters or provide credentials for access control systems with a simple touch. NFC s bidirectional communication ability can establish connections with other technologies. NFC is prominent in newer Android Phones and is used because of the ease of use and battery performance compared to Bluetooth.

14 NFC Vulnerabilities NFC itself is not encrypted in any way. Eavesdropping is a possibility, as the transmission occurs over regular RF waves. With the appropriate knowledge and equipment one could eavesdrop on the information being transmitted. NFC signals can also be modified through Man-in-the-Middle attacks in which a nearby device can potentially intercept and change values of the transmission to which the recipient unknowingly accepts the modified information.

15 NFC Players (Hardware) Feature Phones: Samsung Galaxy S3/S4 Samsung Galaxy Note 1/2 Motorola Razr Maxx HD Nexus 4 Windows Phone LG Optimus G Smartphones: Acer, Blackberry, HTC, LG, Motorola, Nexus, Nokia, Samsung, Sony

16 NFC Players (Operating Systems) Android Blackberry OS Windows Phone/8 Symbian Bada(Samsung s Native OS) Nokia OS

17 NFC Players (Customer-side Wallet Applications) Square Wallet (Square, Inc.) Google Wallet (Google, Inc.) ISIS Mobile Wallet (Mobile Carriers)

18 The Secure Element Payment card or other information is encrypted and stored on the Secure Element, which is a dedicated hardware component that operates independently from the rest of the phone and limits access to certain apps. There are three types of Secure Elements, described below.

19 The Secure Element Embedded Secure Elements (Universal Integrated Circuit Card) This type of element is built into the phone at the time of manufacture. Pros: Provides a common architecture for application developers More tamper resistant Less costly Cons: Not portable between phones

20 The Secure Element Secure Element Within the SIM Pros: Relatively secure, can link SIM serial numbers to individuals or devices Portable between phones Can be managed over the air to wipe if the device is lost/stolen Cons: Carriers own the SIM, and can control which third party they grant access to (Verizon is currently not allowing Google access, so Google Wallet is not available to Verizon customers)

21 The Secure Element Secure Element Within a MicroSD Card Pros: The microsd can be issued by a financial institution or mobile network operator as a credit, debit, prepaid or a multiple account digital wallet or for secure access and entry. Simple implementation Portable Cons: Portable Physical characteristics of the device can be limiting; physical location, antenna size, casing material, protective covers MicroSD can only support a single application or payment account Lack of standardizations between MicroSD and NFC Controller may be an issue

22 Current Applications

23 Square Wallet Square Wallet works with merchants that use Square Register Uses NFC for enabled phones, and QR codes for the register to scan for non-nfc enabled phones. Compatible with Apple devices running ios 5 and up, and Android devices running Android 2.2 and up. Users must check-in through the app, their photos appear on the merchant side application. The merchant clicks on the matching photo, scans the QR code or swipes the NFC phone, and payment is made.

24 Square Wallet Security Features Card processing applications adhere to PCI Data Security Standard (PCI-DSS) Level 1. Square prohibits the storage of card numbers, magnetic stripe data and security codes on client devices. Square requires sensitive data to be encrypted using industry-standard methods when stored on disk or transmitted over public networks.

25 Square Wallet In this instance, Square Wallet, a mobile Wallet alternative from Square uses Wi-Fi to to record the transactions being made. In this case, some of the data transfers can show up within monitoring programs In this case however, Square has ensured that this information is encrypted.

26 Google Wallet Requires NFC for in-store purchases When setting up credit or debit cards in the Google Wallet mobile app, a virtual prepaid MasterCard card will be issued by Bancorp. When paying in-store by tapping the phone, Google Wallet passes the virtual card to the merchant for payment, and charges the selected credit or debit card for the purchase. Credit or debit cards are linked to the Google Wallet account, which in turn is connected to your virtual prepaid MasterCard card. The virtual prepaid MasterCard information is stored on the phones Secure Element, no actual card information is on the device. Verizon is currently not licensing secure element space to Google, so this app is not available to Verizon users.

27 Google Wallet

28 Google Wallet Security Features Google Wallet PIN (in addition to the phone s lock screen) Remote control disables the device from being used Credit card numbers are stored on Google encrypted servers, only the virtual account information is stored on the device Does not share actual credit card number with merchants, only passes the virtual MasterCard number Google Wallet does not work on rooted phones

29 ISIS Mobile Wallet Developed as a joint venture between AT&T, Verizon, and T-Mobile, currently in testing in Texas and Utah. Requires NFC SIM (different than regular SIM), available from the mobile carriers in the test cities. Uses the four big credit card contactless systems (MC PayPass, Visa Paywave, AmEx ExpressPay, Discover Zip). Currently only supports Capitol One, Chase and AmEx, and the credit card company has to approve the request.

30 ISIS Mobile Wallet Security Features Payment card credentials are stored in the secure element. The Wallet is accessed by a user-selected PIN, adding another layer of protection. A single call to your wireless carrier or visit to our website can freeze the wallet, disabling payment cards within the Wallet.

31 Security

32 Access Barriers In most cases applications and even phones have their usual safeguards against theft however, additional security includes: Forcing users to enter CCV values for every transaction in which a card is used. Once Credit Cards have been entered, information is then hidden. Many e-wallet applications such as Square and Passbook can store login sessions, this allows the application to be accessed again, without a secure login.

33 Access Barriers Two-Factor Authentication can be provided in which a password, as well as randomly generated code from another source must be provided in succession in order to log into some systems. In some applications, all transactions and accounts are monitored and audited in order to prevent stolen information. With obvious theft in which mobile wallet applications without access barriers can be used to make purchases just like a regular credit card/ cash.

34 Who is Storing What Where? For both ios and Android, applications share these qualities: All application information is stored within a relevant folder containing the application itself as well as relevant information regarding the application. This includes all stored variables such as user names, passcodes. Additionally, on certain poorly written applications credit cards, magnetic strip info, pins, and security codes can be saved onto the device. Additionally, potential business transactions can be saved onto the device, including detail transactions as well as businesses

35 Security - Apple Devices In this case, most all applications rely upon the hardware encryption provided by the device. Since ios 3, the iphone has implemented hardware encryption Apple s Hardware Encryption is currently 256-bit AES encryption. Apple Devices do not allow installation of 3 rd party applications onto the device. Apple prohibits the use of File Browsers and user root access. Only through jail breaking is this possible.

36 Security - Android Devices In this case, most all applications rely upon the hardware encryption provided by the device. Due to the multitude of hardware, Android devices have varying encryption. Android versions up until Version 3 did not include encryption. Android key s are not stored into the hardware of the device, therefor they can be extracted. Android key s are not stored into the hardware of the device, therefor they can be extracted. Android does posses the ability to have a full-disk encryption, if required. Malware-ridden 3 rd -Party applications can exist on various Application Markets

37 Encryption - Transmission For most Wallet and Payment Apps there are various transmission protocols that are used for transmission. Protocols include: (Minimum) 128 bit SSL PGP (Pretty Good Privacy) Encryption From this, Wi-Fi Security comes into play, which depends on the security of your network. NFC transmissions contain no encryption and as a result can immediately be monitored by outside clients Physical Card Readers often perform data encryption the moment the card has been read.

38 Jailbreak/Root Vulnerabilities As of February 6 th, 2013 the recent Evasi0n jailbreak, at has jailbroken at least 9,838,098 devices on the latest ios for iphone (6.1.2). When a device is jailbroken, this brings additional causes for concern. When a device is jailbroken/rooted, a device can access the file system, as well as valuable information over Wi-Fi. In most cases an attacker can simply SSH into the iphone as the credentials are rarely changed. Source -

39 Jailbreak/Root Vulnerabilities Once a device is jailbroken/ Rooted, additional access to files is allowed. In this case, we can see the location of Payment Histories, as well as the application itself.

40 Jailbreak/Root Vulnerabilities Additionally, applications can be decrypted and show the code used to create the application. In this case, tools were used to decrypt and gather Objective-C and arm code of Square Wallet. This technique however can work with any ios application.

41 Jailbreak/Root Vulnerabilities Here is the same process, however this time, the program has been extracted into ARM Code

42 About PaRaBaL PaRaBaL, Inc. founded in 2009 is located in the University of Maryland, Baltimore County (UMBC) Research Park in Catonsville, MD. In early 2011 PaRaBaL was awarded a contract from a US Government Agency to develop and teach an ios security specialist training course, making PaRaBaL the first company to be awarded a US Government ios security training contract. PaRaBaL has gone on to expand its expertise in the field of mobile security to cover Android security training, mobile application development and mobile device management. With this pedigree, PaRaBaL is uniquely suited to take on tough research tasks in computer related cyber activities.