Threat Modeling for offline NFC Payments


Fan Jia (1, corresponding author), Yong Liu (2), Li Zhang (3)
1, 2: Key Laboratory of Communication and Information Systems, Beijing Jiaotong University, Beijing, China, fjia@bjtu.edu.cn, @bjtu.edu.cn
3: China Information Technology Security Evaluation Center, Beijing, China, zhangli@itsec.gov.cn
Journal of Convergence Information Technology (JCIT), Volume 8, Number 4, Feb 2013, doi: /jcit.vol8.issue4.10

Abstract
Near Field Communication (NFC) enabled phones make it possible to conduct offline payments between users with digital vouchers (evouchers). Users are concerned about the duplication of evouchers and the disclosure of personal information, but the technology currently embedded in the phone is not sufficient to build a completely secured offline payment system. The main security challenge is the lack of a specific and comprehensive analysis of the security requirements in the design and implementation of NFC payments. This paper analyzes the threats that may damage the assets at the entries depicted in a DFD (Data Flow Diagram) and illustrates each of these threats with a few attack scenarios. The threats are listed and a corresponding mitigation plan is proposed, from the perspectives of technique and usage, both for common threats and for those specific to NFC offline payment.

Keywords: Threat Modeling, NFC Enabled Phone, Offline Payment, Countermeasure

1. Introduction
NFC is a wireless proximity communication technology developed from the RFID technology defined in ISO 14443 [1]. The specification details of NFC can be found in ISO 18092 [2]. NFC allows two devices to transfer data within a distance of 10 cm and has three operation modes, which differ in which device generates the RF field. In active mode the device generates its own RF field; otherwise it works in passive mode. In the remaining mode the two devices alternately generate the RF field: the device that is about to send data generates the field while the other device does not.

A device working in active mode needs a power supply, such as an NFC reader, while a passive device working as a contactless smart card does not. Accordingly, three typical application scenarios correspond to the three modes [3].
(1) Card Emulation: the NFC device works as a smart card. In this case the external reader cannot distinguish between a smart card and an NFC device, and the NFC interface is used to transfer valuable information, such as tickets or evouchers stored in the NFC device. In this application the NFC device usually interacts not only with the NFC reader but also with a third-party server; the ticket or voucher can be loaded into the NFC device over the mobile network. The NFC device is therefore well suited to payment and ticketing applications.
(2) Reader/Writer Mode: the primary use of an NFC device operating in this mode is to read and write data held in tags. The NFC device can conveniently read and write data in an NFC-compliant passive transponder, such as an RFID label or a key fob. Examples of such data are a URL stored in the tag of a product, or the configuration information needed to access a WiFi network.
(3) Peer to Peer: this mode allows two electronic devices to establish a bidirectional connection over the NFC wireless interface to exchange information. The devices need to be close together to run a pairing protocol, and the client can then navigate through menus to select the right device as host from a list of possible communication partners.

With the rapid development of mobile communications and the social economy, mobile e-commerce has become more and more popular. People can access and browse web information to obtain valuable commodities or services over the Internet using mobile devices such as phones, PDAs or pads [4,5,6]. Smart phone technology has let the mobile phone outgrow its original communication purpose; it has evolved into a portable multimedia platform that can access the Internet anywhere.
An NFC enabled phone, being able to run multiple applications, is therefore very well suited to mobile commerce applications, acting as a contemporary physical wallet that lets people

conduct mobile commerce anytime and anywhere. Compared with traditional payment instruments such as credit cards and bank cards, it has the following advantages: (1) an NFC phone avoids the wear between a contact card and the POS terminal, which can damage these devices in contact payment; (2) an NFC phone provides a screen and keyboard to help the user confirm the transaction information, so the user does not need to enter a password on the POS terminal; (3) an NFC phone is convenient for the user because it provides more information for navigation and selection.

Commerce always involves a payer and a payee who exchange money for some goods or services, and at least one financial institution that bridges the two parties with the money. Usually the financial institution is divided into two parts: an issuer used by the payer and an acquirer used by the payee. According to whether a third party is involved in the payment, mobile payment can be divided into two classes: online payment and offline payment. The former involves an authorization server, such as part of the issuer or acquirer, in the payment; the latter has no contact with a third party during the payment. In offline payment the valuable data is transferred between payer and payee without a trusted third-party server to control and audit the transaction, so the procedure is more like payment with paper money or tickets. The main problem is how to prevent the evouchers from being copied or lost in the transaction; the most important problem to solve is the security of the transfer of value in offline payment. Therefore we should have a complete threat analysis for NFC offline payment before implementing the payment application.

2. Architectures
In many cases payment systems are online systems, which require a series of interactions between payer and payee and have a trusted party to control and audit the transaction.
Offline payment, by contrast, involves no third party online: the authentication and identification functions of the bank or third party are transferred to the user's mobile device. It allows a user to pay electronically by touching another NFC enabled phone, trading with other users in scenarios with no network or a poor-quality network [7].

Figure 1. The architecture of NFC phone based offline payment system.

A typical offline system involves four parties, namely evoucher issuers, evoucher users (payers), evoucher acquirers and merchants (payees), as described in Figure 1. In the system, evouchers are usually stored in specified memory of the secure element in the user's NFC mobile phone that only the SE software is allowed to access. To analyze precisely and comprehensively the threats existing in NFC offline payment, it is necessary to understand the architecture and interfaces of the NFC enabled phone, and to establish the entries and data flows of the payment system. The architecture of the NFC enabled phone and its interfaces are described in Figure 2.

Compared with a common mobile phone, the most important component of an NFC phone is the Secure Element (SE), an integrated circuit that provides security functions such as encryption, digital signature and secure storage. An application running on the baseband processor can communicate with the NFC controller using JSR257 (Contactless Communication API) [8] and with the SE using JSR177 (Security and Trust Services API for J2ME) [9]. The SE is connected with the NFC controller for proximity transactions, and the host controller is able to exchange data with the SE [10]. The physical link between the SE and the NFC controller has not yet been defined. Currently the GSMA is evaluating different options such as S2C (signal in-signal out connection) and SWP (Single Wire Protocol); SWP is the favored option of the NFC working group of the GSMA. To implement an NFC evoucher application, the software usually consists of two parts: a MIDlet running in the phone's operating system, and a Java Card applet running in the SE, which ensures that the NFC voucher applet is deployed securely and can be fully trusted to handle valuable data such as evouchers. All private data and valuable data are stored in the SE.

Figure 2. The architecture and interfaces of NFC enabled phone

To analyze the offline payment transaction between payer and payee in more detail, a data flow diagram should be established according to the process of the transaction and the entries between components. In this diagram we should identify all entities participating in the transaction and the main steps of a complete evoucher transfer procedure. Two types of evoucher transfer are implemented with the NFC offline payment system: transfer between users, and transfer between a user and a merchant. The main steps of the system are as follows:
(1) Receiving the evoucher from the issuer. The evoucher can be pushed by the issuer over the mobile network by SMS or another data link; this is an unconfirmed transaction.
(2) Payment: transferring the evoucher from the user's device to the expected merchant NFC payment terminal over the NFC communication link.
(3) Clearance: after a successful payment, the payee needs to submit the transaction information and the evoucher to the acquirer to get the actual money from the issuer.
(4) Users can manage their evouchers at any time: check their balance, check the expiration dates of the evouchers, retrieve their spending history, and so on.
(5) Transferring evouchers from one user's NFC phone to another user's phone; this procedure is completed using NFC with confirmation of receipt.

The evoucher is produced by the issuing bank with signatures, encrypted, and sent by SMS to the payer's phone. After receiving the SMS, the user's phone starts the payment application and transfers the evoucher to the SE; the SE decrypts it and checks the signatures on the evouchers. In the payment stage, evouchers may be signed separately by the SE, because the evouchers can be used separately. On the other hand, the SE can perform the verification of other payment terminals, and can authenticate the user who

operates the payment application by entering a PIN or password. Here we focus on the main components and operations that deal with the payment transaction. A payer can authenticate the identity of the payee and initiate a payment transaction with a request, then get the order information from the payee. After confirming the true identity of the payee or payment application, the transfer of evouchers can start. The detailed procedure is described by the following data flow diagram.

Figure 3. The Data Flow Diagram of NFC offline payment system

In the system, the SE and the NFC controller are trusted by the user, but the payment application running in the operating system and the external merchant NFC reader are untrusted, and may introduce threats to the user's valuable data. To analyze these threats in more detail, a threat model of NFC offline payment is built on the DFD according to the common threat modeling method [11,12,13].

3. Threat modeling for NFC offline payment
A threat identifies a potential illegal operation that would have a negative impact on system security [14,15]. A vulnerability is an actual defect in the system that makes it more exposed to attack. An attack is the exploitation of a vulnerability, and countermeasures are the architecture and implementations of the threat mitigation. Threat modeling for NFC offline payment helps developers and designers learn more about the threats [16], the targets and entries of attacks, evaluate the risk of each threat, and then make a plan for threat mitigation.

Assumptions
The threat analysis for NFC offline payment is conducted under the following assumptions.
(1) The issuer and acquirer are trusted in the payment system, and the communication between them is secure; (2) the NFC phone can exchange data through SMS, GPRS or UMTS; (3) the NFC phone has a secure element with encryption, RSA key pair generation and secure storage, is capable of running small payment software, and can communicate with the NFC controller; (4) the NFC phone has a physical or logical switch to turn the NFC function on and off.

Components and trust level
The offline payment system based on NFC phone mainly includes the following parts:

(1) Baseband processor: the most important part of a common mobile phone, responsible for transmitting and receiving data and for the digital signal processing for GSM, GPRS and UMTS. It also provides the interface for accessing applications and interacting with users. Another important function is communicating with the SIM module. An NFC enabled phone requires the baseband processor to provide a running environment for the NFC application. Some applications installed in the operating system can run without the user's intervention, some applications are signed and some are not; therefore all applications running on the baseband processor should be considered untrusted in the offline payment system.
(2) Secure Element: it could be an independent unit, such as a SIM or SD card, or an integrated part of the NFC phone. The SE is mainly responsible for security functions such as encryption, decryption and signature. It also provides secure, isolated storage for data and does not allow different applications to access each other's data. It should support dynamic allocation of space in the SE for users, which allows different commercial sectors to issue their own applications and authentication, and allows software to be downloaded into the specific space, installed and run. The SE is at the trusted level.
(3) NFC Controller: also named the NFC chip, it supports modulation and demodulation of the signal for wireless communication at 13.56 MHz, and works together with the antenna. It supports the existing RFID protocols, communicates with the SE, and supports automatic switching between the three working modes described previously. It can be considered trusted.
(4) NFC POS: part of the merchant, responsible for collecting the user's data and the commodity information to generate the order information. It also helps the merchant identify the user and validate the user's evouchers. To the user, the merchant may be untrusted.
(5) The issuing and acquiring banks: the former issues the user's evouchers and the latter helps merchants clear the received evouchers to get the actual money from the issuing bank. Both are trusted.
The overview of the entities involved and the data flow in an NFC payment transaction is shown in the data flow diagram.

Protected Assets
The most important step in threat analysis is to determine what should be protected in the payment system, after understanding the main components and trust levels. The following assets should be protected in the NFC offline payment system: (1) evouchers; (2) the Secure Element; (3) digital certificates and private keys; (4) the transaction order form; (5) the user's NFC phone.

List of Threats
This section gives an overview of the threats relevant to an NFC enabled phone offline payment system, and builds attack scenarios for a successful exploitation of each threat. Every entity and every connection between the entities may be hijacked. Therefore it is very important to know which threats may lie in each entity and how to prevent these attacks. In the following we list these threats according to the different entries in the DFD.

(1) Eavesdropping on the RF communication
The communication link defined in the NFC ISO/IEC standard is wireless; the user's NFC phone and the merchant's NFC reader can exchange data using NDEF. This data format is suitable for exchanging electronic business cards or pairing information; if the application follows the protocol, it includes no encryption or authentication. Therefore the data transmitted between the NFC phone and the NFC reader may be eavesdropped, including evouchers, user ID and order form.

Fortunately, the allowed distance of wireless communication between two NFC devices is usually less than 10 cm, which significantly reduces the likelihood of the RF communication being eavesdropped.
Attack entry point: the wireless communication link between the NFC phone and the reader.

(2) Secure element is damaged or unusable
If the SE is damaged, the NFC phone can no longer be used correctly as a payment tool. This may render the cryptographic keys and other private data in the SE unusable, both for the genuine NFC user and for potential attackers. It may be due to a hardware fault or an attacker's intervention, such as a denial-of-service attack. Any physical damage to the SE should be easily detected by the NFC-specific application. If this event occurs, the relevant operations and transactions must be revoked to avoid potential abuse of the hardware failure.
Attack entry point: the secure element itself.

(3) Certificates or private keys are lost
The attacker may obtain the secret data stored in the SE, which would allow the SE to be cloned. The attacker can use these parameters to impersonate the genuine user of that SE. This attack may occur if the NFC phone user has not been properly trained to notice abnormal behavior while using the phone.
Attack entry point: the secure element itself.

(4) Modification of the secure data in the SE
The attacker can update or insert new cryptographic keys or certificates without the user's explicit approval, and the transaction information or evouchers may also be modified illegally. Such attacks may occur after an attacker has been authenticated and a session has been set up. If the SE contains a root certificate of a certification authority that the NFC phone user blindly trusts, the attacker can add an additional root certificate of a malicious party during the same session that was authorized by the user. By doing so, the malicious party can abuse the authorization given by the original user.
Attack entry point: modification of the secret data in the SE during an authorized session.

(5) SE replaced
The attacker may replace the SE of the target user's phone while it is out of the user's reach; the replacement SE usually contains other secure data written by the attacker. In this way the attacker can impersonate the legitimate NFC user.
Attack entry point: the secure element.

(6) Bypassing the access control mechanism of the SE
An SE used for user authentication and data confidentiality usually contains one or more signing keys and decryption keys. All use of these keys must be protected by access control. The attacker may obtain some key parameters from the SE in order to clone it, and may obtain the PIN or password by observation. In this way the attacker gains full access authority to the SE. This attack is very hard to counter, as the attacker may be very well prepared, and the user may discover the abuse of the NFC phone much later than the moment of the attack.
Attack entry point: the access control mechanism of the SE.

(7) Remote operation on cryptographic keys
The attacker may generate authentication or advanced electronic signatures with the user's cryptographic keys through malware installed on the user's NFC phone. The attacker may also gain this access through social engineering, or after a successful Trojan horse attack that either reveals the legitimate user's PIN or password, or immediately executes additional operations not authorized by the legitimate token user. In this way the attacker can impersonate the legitimate user and abuse the secure functions of the SE.
Attack entry point: the applications running on the operating system of the NFC phone.

(8) Modification of order information
Using malicious software installed on the user's phone, such as Trojan horse code, the attacker may modify the user's order information or resend an old order form, leading to economic loss for the user.
Attack entry point: the applications running on the operating system of the NFC phone.

(9) Impersonation of merchant
The attacker may impersonate the merchant to trade with the user, and forge the order form to deceive the user.

Attack entry point: the payment receiver, or merchant.

(10) Man-in-the-middle attack
The attacker can hijack a session between the user and the merchant, intercept the user's payment information, and impersonate the genuine merchant to obtain the user's evouchers.
Attack entry point: the transaction session.

(11) Duplication of evouchers
Duplication has two aspects: duplication of the evouchers issued by the issuing bank in the user's NFC phone, and duplication of the evouchers paid by the user in the merchant's NFC payment terminal, which would lead to loss of the user's money.
Attack entry point: the evouchers themselves.

Countermeasures
To eliminate or alleviate the security threats to the NFC phone based offline payment system, a mitigation plan can be made from two aspects: technique and usage. Technical solutions are based on security mechanisms used in all the different components of the system, while usage emphasizes the matters and security rules to which users should pay more attention in the transaction. The following gives the threat mitigation plan from the two aspects.

(1) Technical solutions
1) Security mechanisms for the SE
An access control mechanism for the SE, such as restricting the number of PIN or password trials, and setting a life-cycle and a fixed number of operations that can be performed for each user authentication;
A cryptographic key recovery mechanism, which must not be able to recover data the user has invalidated;
Confidential data stored in encrypted form;
Transaction records should be time-stamped to deter relay or substitution attacks;
Detect the integrity of the NFC hardware, especially the main NFC modules, and support bilateral authentication between the SE and the baseband chip;
Forbid loading, or even downloading, software without signatures.
2) Security mechanisms for the baseband chip
Detect the integrity and authenticity of the applications running on the NFC phone;
Prevent hijacking of the PIN;
Set a specific secure domain for each application, and restrict access to other applications' private data;
Sensitive data handled by an application should not allow the secret information to be extracted from it, even if the memory is dumped;
Bilateral authentication with the SE.
3) Security mechanisms for the NFC chip
To avoid the ID or tag in the NFC chip being read arbitrarily by another NFC device, the NFC chip should support turning the NFC module on and off.

(2) Usage solutions
1) Security awareness of users
Users of NFC phones for offline payment should be trained in security awareness. This includes how to use their NFC phone correctly, how to spot potential attacks and deal with the threats latent in the NFC phone, how to prevent their phone from being stolen, lost or damaged, how to keep their PIN or password secret, and how to set a secure password for the phone.
2) Security of the operating system and applications
Correct use of the phone OS and applications, avoiding the download of malicious software; installing anti-virus and firewall software. Additionally, users should pay attention to the alarms generated by the security software.
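The evoucher flow of Section 2 (the issuer signs and sends the voucher, the SE verifies it and signs each transfer, the acquirer clears it) together with the time-stamped transaction records and the duplicate check that counter threat (11), as an added Python simulation that is not part of the paper. It assumes HMAC-SHA256 in place of the paper's RSA signatures, constructed issuer and SE keys, and a constructed 300-second clearance window; the Issuer, SecureElement and Acquirer classes are illustrative names.

```python
import hashlib
import hmac
import json

# Constructed keys. Assumption: HMAC-SHA256 stands in for the RSA signatures the
# paper's issuer and SE would produce; the acquirer holds the verification keys
# because issuer and acquirer are trusted and securely linked (assumption (1)).
ISSUER_KEY = b"constructed-issuer-key"
PAYER_SE_KEY = b"constructed-payer-se-key"
CLEARANCE_WINDOW = 300  # seconds a time-stamped transfer record stays acceptable


def sign(key, payload):
    """Tag over the canonical JSON form of payload, so key order cannot matter."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key, payload, tag):
    return hmac.compare_digest(sign(key, payload), tag)


class Issuer:
    """Issuing bank: produces signed evouchers bound to one owner and an expiry."""

    def __init__(self, key):
        self.key, self.serial = key, 0

    def issue(self, owner, value, expires):
        self.serial += 1
        body = {"id": "EV-%06d" % self.serial, "owner": owner,
                "value": value, "expires": expires}
        return {"body": body, "issuer_sig": sign(self.key, body)}


class SecureElement:
    """Payer-side SE: stores a voucher only after checking the issuer signature,
    owner and expiry, and signs each transfer; a voucher can be paid out once."""

    def __init__(self, owner, key, issuer_key):
        self.owner, self.key, self.issuer_key = owner, key, issuer_key
        self.vouchers = {}

    def load(self, voucher, now):
        body = voucher["body"]
        ok = (verify(self.issuer_key, body, voucher["issuer_sig"])
              and body["owner"] == self.owner and body["expires"] > now)
        if ok:
            self.vouchers[body["id"]] = voucher
        return ok

    def pay(self, voucher_id, payee, order_id, now):
        voucher = self.vouchers.pop(voucher_id)  # spent: removed from the SE
        # The record names payee, order and time, so a copy presented later or
        # to another merchant is distinguishable from the original transfer.
        record = {"voucher": voucher, "payee": payee, "order": order_id, "ts": now}
        return {"record": record, "payer_sig": sign(self.key, record)}


class Acquirer:
    """Clearance: checks both signatures, expiry and timestamp, then rejects any
    voucher ID that has already been cleared (duplication, threat (11))."""

    def __init__(self, issuer_key, payer_keys):
        self.issuer_key = issuer_key
        self.payer_keys = payer_keys  # owner -> verification key (assumption)
        self.cleared = {}             # voucher id -> payee that cleared it

    def clear(self, submission, payee, now):
        record = submission["record"]
        voucher = record["voucher"]
        body = voucher["body"]
        if not verify(self.issuer_key, body, voucher["issuer_sig"]):
            return "rejected: issuer signature"
        key = self.payer_keys.get(body["owner"])
        if key is None or not verify(key, record, submission["payer_sig"]):
            return "rejected: payer signature"
        if record["payee"] != payee:
            return "rejected: record addressed to another payee"
        if body["expires"] <= record["ts"]:
            return "rejected: expired"
        if not (now - CLEARANCE_WINDOW <= record["ts"] <= now):
            return "rejected: stale timestamp"
        if body["id"] in self.cleared:
            return "rejected: duplicate, already cleared by " + self.cleared[body["id"]]
        self.cleared[body["id"]] = payee
        return "accepted"


def run_scenario():
    """Constructed scenario: one legitimate payment, the same signed record
    submitted a second time, and a voucher whose value was altered after issue."""
    issuer = Issuer(ISSUER_KEY)
    se = SecureElement("alice", PAYER_SE_KEY, ISSUER_KEY)
    acquirer = Acquirer(ISSUER_KEY, {"alice": PAYER_SE_KEY})
    now = 1_700_000_000
    voucher = issuer.issue("alice", 20, expires=now + 86400)
    loaded = se.load(voucher, now)
    submission = se.pay(voucher["body"]["id"], "shop-A", "order-1", now)
    first = acquirer.clear(submission, "shop-A", now + 10)
    second = acquirer.clear(submission, "shop-A", now + 20)  # resubmitted copy
    forged = json.loads(json.dumps(voucher))
    forged["body"]["value"] = 200                           # tampered after issue
    tampered = se.load(forged, now)
    return loaded, first, second, tampered
```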
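The SE access-control rules of technical solution 1) (a limited number of PIN trials; a life-cycle and a fixed number of operations per user authentication), plus the explicit-approval check whose absence threat (4) exploits, as an added Python model that is not part of the paper. The SecureElementAccess class, the PIN 1234, the limits of 3 trials, 60 seconds and 2 operations, and the certificate names are all constructed assumptions.

```python
MAX_PIN_TRIES = 3      # PIN trials allowed before the SE blocks itself
SESSION_LIFETIME = 60  # seconds one user authentication stays valid
SESSION_OPS = 2        # key operations allowed per authentication


class SecureElementAccess:
    """Model of the paper's SE access-control countermeasures: a PIN retry limit,
    and a life-cycle plus fixed operation budget for each user authentication.
    Constructed example; the PIN and certificate names are placeholders."""

    def __init__(self, pin, clock):
        self._pin = pin
        self.clock = clock               # callable returning the current time
        self.failed_tries = 0
        self.blocked = False
        self.session = None              # {"expires": t, "ops_left": n} when open
        self.root_certs = {"issuer-ca"}  # constructed: the CA the user trusts
        self.log = []

    def authenticate(self, pin):
        """Opens a bounded session on a correct PIN; counts and limits failures."""
        if self.blocked:
            self.log.append("auth refused: SE blocked")
            return False
        if pin != self._pin:
            self.failed_tries += 1
            if self.failed_tries >= MAX_PIN_TRIES:
                self.blocked, self.session = True, None
                self.log.append("PIN retry limit reached: SE blocked")
            return False
        self.failed_tries = 0
        self.session = {"expires": self.clock() + SESSION_LIFETIME,
                        "ops_left": SESSION_OPS}
        return True

    def _consume(self, op):
        """Spends one operation of the session, or denies if none is valid."""
        s = self.session
        if s is None or self.clock() >= s["expires"] or s["ops_left"] <= 0:
            self.session = None
            self.log.append(op + " denied: no valid authentication")
            return False
        s["ops_left"] -= 1
        self.log.append("%s allowed (%d ops left)" % (op, s["ops_left"]))
        return True

    def sign_voucher(self, voucher_id):
        """Uses the SE signing key; each call costs one session operation."""
        if not self._consume("sign " + voucher_id):
            return None
        return "sig(%s)" % voucher_id    # placeholder for the RSA signature

    def install_root_cert(self, name, pin):
        """Adding a trust anchor is not covered by an open session: it requires a
        fresh PIN entry, the explicit approval that threat (4) bypasses."""
        if not self.authenticate(pin):
            self.log.append("install " + name + " denied: no explicit approval")
            return False
        self.session = None              # the approval is single-purpose
        self.root_certs.add(name)
        return True


def run_scenario():
    """Constructed scenario: PIN guessing, the operation budget, a rogue
    certificate pushed during an authorized session, and session expiry."""
    now = [1000]                         # mutable clock for the simulation
    se = SecureElementAccess("1234", clock=lambda: now[0])
    for guess in ("0000", "1111", "2222"):   # attacker guesses the PIN
        se.authenticate(guess)
    blocked = se.blocked
    se = SecureElementAccess("1234", clock=lambda: now[0])  # fresh SE, real user
    se.authenticate("1234")
    sigs = [se.sign_voucher(v) for v in ("EV-1", "EV-2", "EV-3")]  # third exceeds budget
    se.authenticate("1234")
    rogue = se.install_root_cert("attacker-ca", pin=None)  # no fresh approval
    now[0] += SESSION_LIFETIME                             # session ages out
    late = se.sign_voucher("EV-4")
    return {"blocked": blocked, "sigs": sigs, "rogue_cert": rogue,
            "late_sig": late, "root_certs": sorted(se.root_certs), "log": se.log}
```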

4. Conclusions
An NFC enabled phone is a mobile phone combined with RFID, which is very well suited to mobile payment applications. NFC offline payment is an important application scenario of the electronic wallet, convenient for transferring electronic money between users. In reality, the user is most concerned about the security problems of payment based on the NFC enabled phone. Under the assumption that the issuer and acquirer banks are trusted, this paper pays more attention to the security problems potentially existing in the NFC phone during the transaction. Some problems are introduced by NFC technology itself, while some come from the combination of NFC and mobile applications. Using the threat modeling method, a more complete and comprehensive threat list is given for NFC enabled phones used in offline payment. Some threats can be eliminated by the security technologies of NFC itself, while some can be mitigated only by more complicated security solutions involving applications and users. Finally, a detailed and feasible countermeasure plan is given from the perspectives of security technology and usage. It not only includes the security mechanisms adopted in the NFC chip, SE and applications, but also emphasizes the security matters of which users should be aware. Only when these threats are recognized and the corresponding mitigation plan is fulfilled can a more secure NFC offline payment system be implemented.

5. References
[1] ISO/IEC 14443, Identification cards - Contactless integrated circuit cards - Proximity cards.
[2] Information technology - Telecommunications and information exchange between systems - Near Field Communication - Interface and Protocol (NFCIP-1), ISO/IEC 18092, First Edition.
[3] Sunil K. Timalsina and Sangman Moh, "A Review on NFC and NFC-Based Mobile Payment Solution", JNIT, Vol. 3, No. 4, pp.
[4] Y.A. Au and R.J. Kauffman, "The economics of mobile payments: Understanding stakeholder issues for an emerging financial technology application", Journal of Electronic Commerce Research and Applications, vol. 7, no. 2, pp.
[5] W. Chen, G. P. Hancke, K. E. Mayes, Y. Lien, J.-H. Chiu, "NFC Mobile Transactions and Authentication Based on GSM Network", In Proceedings of the 2010 Second International Workshop on Near Field Communication, pp. 83-89.
[6] Gergely Alpár, Lejla Batina, Roel Verdult, "Using NFC phones for proving credentials", In Proceedings of the 16th International GI/ITG Conference on Measurement, Modelling, and Evaluation of Computing Systems and Dependability and Fault Tolerance, pp. 1-14.
[7] Gauthier Van Damme, Karel M. Wouters, Hakan Karahan, Bart Preneel, "Offline NFC payments with electronic vouchers", In Proceedings of the 1st ACM Workshop on Networking, Systems, and Applications for Mobile Handhelds, pp. 25-30.
[8] JSR177 Experts Group, Security and Trust Services API (SATSA) V2.1 for J2ME, org/aboutjava/communityprocess/final/jsr177/index.html
[9] JSR257 Contactless Communication API 1.0, final/ jsr-257/index.htm
[10] Wei Gong, Yan Ma, Yang Zhang, Ping Chen, "Research of NFC Technology on Smartphones", IJACT, Vol. 4, No. 18, pp. , 2012.
[11] P. Torr, "Demystifying the Threat-Modeling Process", IEEE Security and Privacy, vol. 03, no. 5, pp. 66-70.
[12] A. Shostack, Threat Modeling Series, threat+modeling /default.aspx.
[13] F. Swiderski and W. Snyder, Threat Modeling, Redmond, USA: Microsoft Press, 2004.
[14] R.S. Poore, International Information Security Foundation, Generally Accepted System Security Principles, Release for Public Comment.
[15] G. Elahi, E. Yu, "A Goal Oriented Approach for Modeling and Analyzing Security Trade-Offs", In Proceedings of the 26th International Conference on Conceptual Modeling, Auckland, pp.
[16] E. Haselsteiner, B. Klemens, "Security in Near Field Communication", In Proceedings of the Workshop on RFID Security, pp. 1-11, 2006.


More information

Technical Article. NFiC: a new, economical way to make a device NFC-compliant. Prashant Dekate

Technical Article. NFiC: a new, economical way to make a device NFC-compliant. Prashant Dekate Technical NFiC: a new, economical way to make a device NFC-compliant Prashant Dekate NFiC: a new, economical way to make a device NFC-compliant Prashant Dekate The installed base of devices with Near Field

More information

Best Practices for the Use of RF-Enabled Technology in Identity Management. January 2007. Developed by: Smart Card Alliance Identity Council

Best Practices for the Use of RF-Enabled Technology in Identity Management. January 2007. Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity Management January 2007 Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

1. Fault Attacks for Virtual Machines in Embedded Platforms. Supervisor: Dr Konstantinos Markantonakis, K.Markantonakis@rhul.ac.uk

1. Fault Attacks for Virtual Machines in Embedded Platforms. Supervisor: Dr Konstantinos Markantonakis, K.Markantonakis@rhul.ac.uk Proposed PhD Research Areas I am looking for strong PhD candidates to work on the projects listed below. The ideal candidate would have a mix of theoretical and practical skills, achieved a distinction

More information

ETSI TR 102 071 V1.2.1 (2002-10)

ETSI TR 102 071 V1.2.1 (2002-10) TR 102 071 V1.2.1 (2002-10) Technical Report Mobile Commerce (M-COMM); Requirements for Payment Methods for Mobile Commerce 2 TR 102 071 V1.2.1 (2002-10) Reference RTR/M-COMM-007 Keywords commerce, mobile,

More information

A Proxy-Based Data Security Solution in Mobile Cloud

A Proxy-Based Data Security Solution in Mobile Cloud , pp. 77-84 http://dx.doi.org/10.14257/ijsia.2015.9.5.08 A Proxy-Based Data Security Solution in Mobile Cloud Xiaojun Yu 1,2 and Qiaoyan Wen 1 1 State Key Laboratory of Networking and Switching Technology,

More information

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page

More information

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means EMV and Chip Cards Key Information On What This Is, How It Works and What It Means Document Purpose This document is intended to provide information about the concepts behind and the processes involved

More information

Training. MIFARE4Mobile. Public. MobileKnowledge April 2015

Training. MIFARE4Mobile. Public. MobileKnowledge April 2015 MIFARE4Mobile Public MobileKnowledge April 2015 Agenda Why MIFARE4Mobile? MIFARE in Mobile related technologies MIFARE technology NFC technology MIFARE4Mobile technology High level system architecture

More information

Mobile Office Security Requirements for the Mobile Office

Mobile Office Security Requirements for the Mobile Office Mobile Office Security Requirements for the Mobile Office S.Rupp@alcatel.de Alcatel SEL AG 20./21.06.2001 Overview Security Concepts in Mobile Networks Applications in Mobile Networks Mobile Terminal used

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 1 Royal Holloway, University of London 2 University of Strathclyde ABSTRACT Future mobile

More information

EESTEL. Association of European Experts in E-Transactions Systems. Apple iphone 6, Apple Pay, What else? EESTEL White Paper.

EESTEL. Association of European Experts in E-Transactions Systems. Apple iphone 6, Apple Pay, What else? EESTEL White Paper. EESTEL White Paper October 29, 2014 Apple iphone 6, Apple Pay, What else? On 2014, September 9 th, Apple has launched three major products: iphone 6, Apple Watch and Apple Pay. On October 17 th, Apple

More information

Ingenious Systems. Evolute System's. Mobile Payment. Initiative

Ingenious Systems. Evolute System's. Mobile Payment. Initiative Ingenious Systems Evolute System's Mobile Payment Initiative The Mobile Payment Concept A mobile payment is any payment where a mobile device is used to initiate, authorize and confirm an exchange of financial

More information

Applying the NFC Secure Element in Mobile Identity Apps. RANDY VANDERHOOF Executive Director Smart Card Alliance

Applying the NFC Secure Element in Mobile Identity Apps. RANDY VANDERHOOF Executive Director Smart Card Alliance Applying the NFC Secure Element in Mobile Identity Apps RANDY VANDERHOOF Executive Director Smart Card Alliance Session ID: MBS - 403 Session Classification: Mobile Security Agenda Agenda topics NFC basics:

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

Mobile Near-Field Communications (NFC) Payments

Mobile Near-Field Communications (NFC) Payments Mobile Near-Field Communications (NFC) Payments OCTOBER 2013 GENERAL INFORMATION American Express continues to develop its infrastructure and capabilities to support growing market interest in mobile payments

More information

On-line Payment and Security of E-commerce

On-line Payment and Security of E-commerce ISBN 978-952-5726-00-8 (Print), 978-952-5726-01-5 (CD-ROM) Proceedings of the 2009 International Symposium on Web Information Systems and Applications (WISA 09) Nanchang, P. R. China, May 22-24, 2009,

More information

EMV and Small Merchants:

EMV and Small Merchants: September 2014 EMV and Small Merchants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

That Point of Sale is a PoS

That Point of Sale is a PoS SESSION ID: HTA-W02 That Point of Sale is a PoS Charles Henderson Vice President Managed Security Testing Trustwave @angus_tx David Byrne Senior Security Associate Bishop Fox Agenda POS Architecture Breach

More information

Vulnerability Analysis and Attacks on NFC enabled Mobile Phones

Vulnerability Analysis and Attacks on NFC enabled Mobile Phones Vulnerability Analysis and Attacks on NFC enabled Mobile Phones Collin Mulliner Fraunhofer SIT (Darmstadt, Germany) 1st International Workshop on Sensor Security March 2009 Fukuoka, Japan 1 Near Field

More information

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT Dmitry Barinov SecureKey Technologies Inc. Session ID: MBS-W09 Session Classification: Advanced Session goals Appreciate the superior

More information

Mobile Financial Services Business Ecosystem Scenarios & Consequences. Summary Document. Edited By. Juha Risikko & Bishwajit Choudhary

Mobile Financial Services Business Ecosystem Scenarios & Consequences. Summary Document. Edited By. Juha Risikko & Bishwajit Choudhary Mobile Financial Services Business Ecosystem Scenarios & Consequences Summary Document Edited By Juha Risikko & Bishwajit Choudhary Mobey Forum Mobile Financial Services Ltd. Disclaimer: This document

More information

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER with Convenience and Personal Privacy version 0.2 Aug.18, 2007 WHITE PAPER CONTENT Introduction... 3 Identity verification and multi-factor authentication..... 4 Market adoption... 4 Making biometrics

More information

Mobile Payment in India - Operative Guidelines for Banks

Mobile Payment in India - Operative Guidelines for Banks Mobile Payment in India - Operative Guidelines for Banks 1. Introduction 1.1 With the rapid growth in the number of mobile phone subscribers in India (about 261 million as at the end of March 2008 and

More information

The Implementation of Signing e-document by Using the Wireless Identity Module in Cellular Phone

The Implementation of Signing e-document by Using the Wireless Identity Module in Cellular Phone 832 The Fourth International Conference on Electronic Business (ICEB2004) / Beijing The Implementation of Signing e-document by Using the Wireless Identity Module in Cellular Phone Chengyuan Ku *, Yenfang

More information

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00 PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)

More information

A Guide to EMV. Version 1.0 May 2011. Copyright 2011 EMVCo, LLC. All rights reserved.

A Guide to EMV. Version 1.0 May 2011. Copyright 2011 EMVCo, LLC. All rights reserved. A Guide to EMV Version 1.0 May 2011 Objective Provide an overview of the EMV specifications and processes What is EMV? Why EMV? Position EMV in the context of the wider payments industry Define the role

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

EMV and Restaurants: What you need to know. Mike English. October 2014. Executive Director, Product Development Heartland Payment Systems

EMV and Restaurants: What you need to know. Mike English. October 2014. Executive Director, Product Development Heartland Payment Systems October 2014 EMV and Restaurants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service marks

More information

Credit Card Processing Overview

Credit Card Processing Overview CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new

More information

Offline NFC Payments with Electronic Vouchers

Offline NFC Payments with Electronic Vouchers Offline NFC Payments with Electronic Vouchers Gauthier Van Damme Hakan Karahan Karel Wouters Bart Preneel Dept. Electrical Engineering-ESAT/SCD/IBBT-COSIC Katholieke Universiteit Leuven Kasteelpark Arenberg

More information

Threat Model for Software Reconfigurable Communications Systems

Threat Model for Software Reconfigurable Communications Systems Threat Model for Software Reconfigurable Communications Systems Presented to the Management Group 6 March 007 Bernard Eydt Booz Allen Hamilton Chair, SDR Security Working Group Overview Overview of the

More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

Single Sign-On Secure Authentication Password Mechanism

Single Sign-On Secure Authentication Password Mechanism Single Sign-On Secure Authentication Password Mechanism Deepali M. Devkate, N.D.Kale ME Student, Department of CE, PVPIT, Bavdhan, SavitribaiPhule University Pune, Maharashtra,India. Assistant Professor,

More information

What is a Smart Card?

What is a Smart Card? An Introduction to Smart Cards and RFIDs Prof. Keith E. Mayes Keith.Mayes@rhul.ac.uk Director of the ISG - Smart Card Centre www.scc.rhul.ac.uk Learning Objectives (MSc MSc) Identify the various types

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Bringing Security & Interoperability to Mobile Transactions. Critical Considerations

Bringing Security & Interoperability to Mobile Transactions. Critical Considerations Bringing Security & Interoperability to Mobile Transactions Critical Considerations April 2012 Transactions 2 Table of Contents 1. Introduction... 3 2. Section 1: Facing up the challenges of a connected

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

IY2760/CS3760: Part 6. IY2760: Part 6

IY2760/CS3760: Part 6. IY2760: Part 6 IY2760/CS3760: Part 6 In this part of the course we give a general introduction to network security. We introduce widely used security-specific concepts and terminology. This discussion is based primarily

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An

More information

WHITE PAPER Usher Mobile Identity Platform

WHITE PAPER Usher Mobile Identity Platform WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com info@usher.com Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction

More information

How to Secure Your Environment

How to Secure Your Environment End Point Security How to Secure Your Environment Learning Objectives Define Endpoint Security Describe most common endpoints of data leakage Identify most common security gaps Preview solutions to bridge

More information

NFC Based Equipment Management Inventory System

NFC Based Equipment Management Inventory System Journal of Information Hiding and Multimedia Signal Processing c 2015 ISSN 2073-4212 Ubiquitous International Volume 6, Number 6, November 2015 NFC Based Equipment Management Inventory System Rung-Shiang

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques Computer Security process of reliably verifying identity verification techniques what you know (eg., passwords, crypto key) what you have (eg., keycards, embedded crypto) what you are (eg., biometric information)

More information

Security Characteristics of Cryptographic Mobility Solutions

Security Characteristics of Cryptographic Mobility Solutions Security Characteristics of Cryptographic Mobility Solutions Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 sarbari@electrosoft-inc.com http://www.electrosoft-inc.com Agenda What is a Cryptographic

More information

ITL BULLETIN FOR AUGUST 2012

ITL BULLETIN FOR AUGUST 2012 ITL BULLETIN FOR AUGUST 2012 SECURITY OF BLUETOOTH SYSTEMS AND DEVICES: UPDATED GUIDE ISSUED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) Shirley Radack, Editor Computer Security Division

More information

CardControl. Credit Card Processing 101. Overview. Contents

CardControl. Credit Card Processing 101. Overview. Contents CardControl Credit Card Processing 101 Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new and old

More information

Using RFID Techniques for a Universal Identification Device

Using RFID Techniques for a Universal Identification Device Using RFID Techniques for a Universal Identification Device Roman Zharinov, Ulia Trifonova, Alexey Gorin Saint-Petersburg State University of Aerospace Instrumentation Saint-Petersburg, Russia {roman,

More information

Lecture Embedded System Security A. R. Sadeghi, @TU Darmstadt, 2011 2012 Introduction Mobile Security

Lecture Embedded System Security A. R. Sadeghi, @TU Darmstadt, 2011 2012 Introduction Mobile Security Smartphones and their applications have become an integral part of information society Security and privacy protection technology is an enabler for innovative business models Recent research on mobile

More information

USB Portable Storage Device: Security Problem Definition Summary

USB Portable Storage Device: Security Problem Definition Summary USB Portable Storage Device: Security Problem Definition Summary Introduction The USB Portable Storage Device (hereafter referred to as the device or the TOE ) is a portable storage device that provides

More information

Security Levels for Web Authentication using Mobile Phones

Security Levels for Web Authentication using Mobile Phones Security Levels for Web Authentication using Mobile Phones Anna Vapen and Nahid Shahmehri Department of computer and information science Linköpings universitet, SE-58183 Linköping, Sweden {annva,nahsh}@ida.liu.se

More information

EMV mobile Point of Sale (mpos) Initial Considerations

EMV mobile Point of Sale (mpos) Initial Considerations EMV mobile Point of Sale EMV mobile Point of Sale (mpos) Initial Considerations Version 1.1 June 2014 2014 EMVCo, LLC ( EMVCo ). All rights reserved. Any and all uses of the EMV Specifications ( Materials

More information

(U)SimMonitor: A New Malware that Compromises the Security of Cellular Technology and Allows Security Evaluation

(U)SimMonitor: A New Malware that Compromises the Security of Cellular Technology and Allows Security Evaluation (U)SimMonitor: A New Malware that Compromises the Security of Cellular Technology and Allows Security Evaluation DR. C. NTANTOGIAN 1, DR. C. XENAKIS 1, DR. G. KAROPOULOS 2 1 DEPT. O F DIGITAL SYST EMS,

More information

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication

More information

Security aspects of e-tailing. Chapter 7

Security aspects of e-tailing. Chapter 7 Security aspects of e-tailing Chapter 7 1 Learning Objectives Understand the general concerns of customers concerning security Understand what e-tailers can do to address these concerns 2 Players in e-tailing

More information

m Commerce Working Group

m Commerce Working Group m-powering Development Initiative Advisory Board second meeting Geneva, 23 rd of May 2014 m Commerce Working Group M-Commerce structure 2 Definitions Mobile Device m-commerce MFS m-marketing m-banking

More information

Fundamentals of Network Security - Theory and Practice-

Fundamentals of Network Security - Theory and Practice- Fundamentals of Network Security - Theory and Practice- Program: Day 1... 1 1. General Security Concepts... 1 2. Identifying Potential Risks... 1 Day 2... 2 3. Infrastructure and Connectivity... 2 4. Monitoring

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

EMV Frequently Asked Questions for Merchants May, 2014

EMV Frequently Asked Questions for Merchants May, 2014 EMV Frequently Asked Questions for Merchants May, 2014 Copyright 2014 Vantiv All rights reserved. Disclaimer The information in this document is offered on an as is basis, without warranty of any kind,

More information

Payment Systems for E-Commerce. Shengyu Jin 4/27/2005

Payment Systems for E-Commerce. Shengyu Jin 4/27/2005 Payment Systems for E-Commerce Shengyu Jin 4/27/2005 Reference Papers 1. Research on electronic payment model,2004 2. An analysis and comparison of different types of electronic payment systems 2001 3.

More information

EMV : Frequently Asked Questions for Merchants

EMV : Frequently Asked Questions for Merchants EMV : Frequently Asked Questions for Merchants The information in this document is offered on an as is basis, without warranty of any kind, either expressed, implied or statutory, including but not limited

More information

PUF Physical Unclonable Functions

PUF Physical Unclonable Functions Physical Unclonable Functions Protecting next-generation Smart Card ICs with SRAM-based s The use of Smart Card ICs has become more widespread, having expanded from historical banking and telecommunication

More information

Embedded Java & Secure Element for high security in IoT systems

Embedded Java & Secure Element for high security in IoT systems Embedded Java & Secure Element for high security in IoT systems JavaOne - September 2014 Anne-Laure SIXOU - ST Thierry BOUSQUET - ST Frédéric VAUTE - Oracle Speakers 2 Anne-Laure SIXOU Smartgrid Product

More information

Secure Authentication for the Development of Mobile Internet Services Critical Considerations

Secure Authentication for the Development of Mobile Internet Services Critical Considerations Secure Authentication for the Development of Mobile Internet Services Critical Considerations December 2011 V1 Mobile Internet Security Working Group, SIMalliance AGENDA SIMalliance presentation What s

More information

How To Hack An Rdi Credit Card

How To Hack An Rdi Credit Card RFID Payment Card Vulnerabilities Technical Report Thomas S. Heydt-Benjamin 1, Daniel V. Bailey 2, Kevin Fu 1, Ari Juels 2, and Tom O'Hare 3 Abstract 1: University of Massachusetts at Amherst {tshb, kevinfu}@cs.umass.edu

More information

Modern Accounting Information System Security (AISS) Research Based on IT Technology

Modern Accounting Information System Security (AISS) Research Based on IT Technology , pp.163-170 http://dx.doi.org/10.14257/astl.2016. Modern Accounting Information System Security (AISS) Research Based on IT Technology Jiamin Fang and Liqing Shu Accounting Branch, Jilin Business and

More information

Evaluation of different Open Source Identity management Systems

Evaluation of different Open Source Identity management Systems Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems

More information

Using Contactless Smart Cards for Secure Applications

Using Contactless Smart Cards for Secure Applications Using Contactless Smart Cards for Secure Applications Classification: Public (Info Level 1) Document No.: LA-11-005d-en Edition: 2010 www.legic.com LEGIC Identsystems Ltd Binzackerstrasse 41, CH-8620 Wetzikon,

More information

Prof. Christos Xenakis, Dr. Christoforos Ntantogian Department of Digital Systems University of Piraeus, Greece

Prof. Christos Xenakis, Dr. Christoforos Ntantogian Department of Digital Systems University of Piraeus, Greece Prof. Christos Xenakis, Dr. Christoforos Ntantogian Department of Digital Systems University of Piraeus, Greece University of Piraeus, Greece Department of Digital Systems System Security Laboratory founded

More information

HANDBOOK 8 NETWORK SECURITY Version 1.0

HANDBOOK 8 NETWORK SECURITY Version 1.0 Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives

More information

Risks of Offline Verify PIN on Contactless Cards

Risks of Offline Verify PIN on Contactless Cards Risks of Offline Verify PIN on Contactless Cards Martin Emms, Budi Arief, Nicholas Little, and Aad van Moorsel School of Computing Science, Newcastle University, Newcastle upon Tyne, UK {martin.emms,budi.arief,n.little,aad.vanmoorsel}@ncl.ac.uk

More information

Secure your Privacy. www.jrsys.com.tw. jrsys, Inc. All rights reserved.

Secure your Privacy. www.jrsys.com.tw. jrsys, Inc. All rights reserved. Secure your Privacy www.jrsys.com.tw CNN 2013/7/16 8:25PM Man Middle In The I got your ID/Password! Mobile Secure Secure sensitive access data Random Login Web Authentication One Secure Time Channel Password

More information

Secure Data Exchange Solution

Secure Data Exchange Solution Secure Data Exchange Solution I. CONTENTS I. CONTENTS... 1 II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. SECURE DOCUMENT EXCHANGE SOLUTIONS... 3 INTRODUCTION... 3 Certificates

More information

TPM Key Backup and Recovery. For Trusted Platforms

TPM Key Backup and Recovery. For Trusted Platforms TPM Key Backup and Recovery For Trusted Platforms White paper for understanding and support proper use of backup and recovery procedures for Trusted Computing Platforms. 2006-09-21 V0.95 Page 1 / 17 Contents

More information

Mobile Device as a Platform for Assured Identity for the Federal Workforce

Mobile Device as a Platform for Assured Identity for the Federal Workforce Mobile Device as a Platform for Assured Identity for the Federal Workforce Dr. Sarbari Gupta President and CEO, Electrosoft U.S. Army Information Technology Agency (ITA) Security Forum Fort Belvoir Electrosoft

More information

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles

More information

Trust Digital Best Practices

Trust Digital Best Practices > ARMING IT AGAINST SMARTPHONE THREATS Trust Digital Best Practices April 2009 The information contained herein is subject to change at any time, and Trust Digital makes no warranties, either express or

More information

BlackBerry 10.3 Work and Personal Corporate

BlackBerry 10.3 Work and Personal Corporate GOV.UK Guidance BlackBerry 10.3 Work and Personal Corporate Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network

More information