How Secure are Contactless Payment Systems?

Similar documents

EMV and Small Merchants:

EMV-TT. Now available on Android. White Paper by

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

What Merchants Need to Know About EMV

Preparing for EMV chip card acceptance

Frequently asked questions - Visa paywave

EMV FAQs. Contact us at: Visit us online: VancoPayments.com

Mobile Near-Field Communications (NFC) Payments

Apple Pay. Frequently Asked Questions UK

Mobile Payment: The next step of secure payment VDI / VDE-Colloquium. Hans-Jörg Frey Senior Product Manager May 16th, 2013

About Visa paywave for mobile

Apple Pay. Frequently Asked Questions UK Launch

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

Tokenization: FAQs & General Information. BACKGROUND. GENERAL INFORMATION What is Tokenization?

EMV and Restaurants What you need to know! November 19, 2014

INTRODUCTION AND HISTORY

Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER

Changing Consumer Purchasing Patterns. John Mayleben, CPP SVP, Technology and Product Development Michigan Retailers Association

Making Cloud-Based Mobile Payments a Reality with Digital Issuance, Tokenization, and HCE WHITE PAPER

BGS MOBILE PLATFORM HCE AND CLOUD BASED PAYMENTS

Stronger(Security(and( Mobile'Payments'! Dramatically*Faster!and$ Cheaper'to'Implement"

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

Digital Payment Solutions TSYS Enterprise Tokenization:

Payments Transformation - EMV comes to the US

Introductions 1 min 4

Bringing Mobile Payments to Market for an International Retailer

Mitigating Fraud Risk Through Card Data Verification

SETUP GUIDE. Thank you for your purchase of Hamilton products! In this handy guide, you will discover: ADDITIONAL REQUIREMENTS SETUP HOW IT WORKS

Android pay. Frequently asked questions

toast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard

Be*PINWISE Cardholder FAQs

permitting close proximity communication between devices in this case a phone and a terminal.

What is EMV? What is different?

PCI and EMV Compliance Checkup

U.S. Bank. U.S. Bank Chip Card FAQs for Program Administrators. In this guide you will find: Explaining Chip Card Technology (EMV)

SAS EuroBonus. Travel Cash. Frequently Asked Questions

MasterCard Contactless Reader v3.0. INTRODUCTION TO MASTERCARD CONTACTLESS READER v3.0

Consumer FAQs. 1. Who is behind the BuySafe initiative? 2. Why should I use a PIN? 3. Do all transactions need a PIN?

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011

The future of contactless mobile payment: with or without Secure Element?

Apple Pay Questions & Answers

EESTEL. Association of European Experts in E-Transactions Systems. Apple iphone 6, Apple Pay, What else? EESTEL White Paper.

The Hang Seng Mobile Payment - FAQs

Latest and Future development of Mobile Payment in Hong Kong

OpenEdge Research & Development Group April 2015

Fundamentals of EMV. Guy Berg Senior Managing Consultant MasterCard Advisors

EMV : Frequently Asked Questions for Merchants

EMV Frequently Asked Questions for Merchants May, 2014

Chip Card (EMV ) CAL-Card FAQs

CPIM Academy. Cash 257 Merchant Services and Revenue Collection

The EMV Readiness. Collis America. Guy Berg President, Collis America

Payments Security White Paper

Entrust IdentityGuard

mobile payment acceptance Solutions Visa security best practices version 3.0

Electronic Payments Part 1

Credit Card Processing Overview

GLOBAL MOBILE PAYMENT TRANSACTION VALUE IS PREDICTED TO REACH USD 721 BILLION BY MasterCard M/Chip Mobile Solution

HSBC Visa Debit Card. Making the most of your card. HSBC Customer Service Centre. Go to hsbc.com.au/debit

How To Secure A Paypass Card From Being Hacked By A Hacker

NACCU Migrating to Contactless:

How To Make Money From Mobile Payment On Wirecard

Visa Recommended Practices for EMV Chip Implementation in the U.S.

EMV's Role in reducing Payment Risks: a Multi-Layered Approach

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon

PayPass M/Chip Requirements. 10 April 2014

E M V I M P L E M E N TAT I O N T O O L S F O R S U C C E S S, P C I & S E C U R I T Y. February 2014

How To Use Payclip On A Credit Card On A Payclip

NFC technology user guide. Contactless payment by mobile

FAQ Credit Card (PIN & PAY)

CardControl. Credit Card Processing 101. Overview. Contents

Visa Reloadable Frequently Asked Questions. EMV Travel Card

EMV in Hotels Observations and Considerations

EMV Acquiring at the ATM: Early Planning for Credit Unions

EMV Chip and PIN. Improving the Security of Federal Financial Transactions. Ian W. Macoy, AAP August 17, 2015

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

THE APPEAL FOR CONTACTLESS PAYMENT 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO BASED TECHNOLOGY FOR PAYMENT 4

Understand the Business Impact of EMV Chip Cards

Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance

MOBILE NEAR-FIELD COMMUNICATIONS (NFC) PAYMENTS

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change

The Impact of Emerging Payment Technologies on Retail and Hospitality Businesses. National Computer Corporation

Bringing Security & Interoperability to Mobile Transactions. Critical Considerations

EMV: A to Z (Terms and Definitions)

CyberSource and NetSuite Getting Started Guide

The Canadian Migration to EMV. Prepared By:

FUTURE PROOF TERMINAL QUICK REFERENCE GUIDE. Review this Quick Reference Guide to. learn how to run a sale, settle your batch

How to connect your D210 using Bluetooth. How to connect your D210 using GPRS (SIM Card)

Card Technology Choices for U.S. Issuers An EMV White Paper

ACI TOKEN MANAGER FOR MOBILE: TOKEN SERVICE PROVISION, HCE AND EMBEDDED SECURE ELEMENT IN THE CLOUD

Flexible and secure. acceo tender retail. payment solution. tender-retail.acceo.com

Transcription:

SESSION ID: HT-W01 How Secure are Contactless Payment Systems? Matthew Ngu Engineering Manager RSA, The Security Division of EMC Chris Scott Senior Software Engineer RSA, The Security Division of EMC

2

Some threat scenarios Can an attacker stand behind me and charge my card? Can an attacker read my EMV card? Can an attacker mount a high power reader in a van? Replay attacks? Can you think of anything else? 3

Global Adoption 4

Some US Statistics 0.03% of transactions are EMV. 50,000 unique merchant terminal locations processed EMV transactions in 2014, compared to an estimated 12 million terminals that didn t do a single EMV transaction. Apple Pay and Google Wallet are currently only available in the US. To the end of November 2014, Apple Pay accounted for 1.7% of mobile payments whilst Google Wallet had a 4% share. Apple: $2 of every $3 spent in contactless transactions in the US in the lead up to Christmas were made via Apple Pay. 5

How does it work?

How does it work? Contactless Cards VISA PayWave / MasterCard PayPass Google Wallet Apple Pay 7

How does it work? Contactless Cards Contactless cards use Near Field Communications (NFC) to send and receive data from the terminal using inductive coupling. Source: rfid-handbook.de 8

How does it work? PayWave / PayPass

How does it work? PayWave / PayPass Wait for merchant to enter amount. 10

How does it work? PayWave / PayPass Reader uses NFC to send and receive information with your card. 11

How does it work? PayWave / PayPass Dynamic data unique to every purchase protects your transaction data. 12

How does it work? Google Wallet

How does it work? Google Wallet Prerequisites 14

How does it work? Google Wallet Setup Login to your Google account. 15

How does it work? Google Wallet Setup Enter your credit card details on wallet.google.com. 16

How does it work? Google Wallet Setup Verify your identity by providing Personally Identifiable Information (PII) such as name, address, date of birth, last four digits of Social Security Number (SSN) or Individual Taxpayer Identification Number (ITIN). 17

How does it work? Google Wallet Setup Create your Wallet PIN (different to phone PIN). 18

How does it work? Google Wallet Setup A MasterCard -branded virtual prepaid debit payment card product, the Google Wallet Virtual Card, issued by Bancorp Bank will be installed on your phone. 19

How does it work? Google Wallet - Payments Add money to your Wallet (website or mobile app). 20

How does it work? Google Wallet - Payments Bring the phone up to an NFC-enabled terminal. 21

How does it work? Google Wallet - Payments Phone will ask you to authenticate the payment with Wallet PIN. 22

How does it work? Google Wallet - Payments Phone transmits the Google Wallet Virtual Card information to the merchant's terminal, not your real credit card information stored on Google's servers. Transaction completed as normal using credentials for current payment only. 23

How does it work? Apple Pay

How does it work? Apple Pay Prerequisites or 25

How does it work? Apple Pay - Setup 26

How does it work? Apple Pay - Setup continued DAN 0000-1234- 5678-9100 DAN 0000-1234- 5678-9100 27

How does it work? Apple Pay Payments Bring the phone or watch up to an NFC-enabled terminal. 28

How does it work? Apple Pay Payments DAN 0000-1234- 5678-9100 DAN 0000-1234- 5678-9100 Merchant Acquirer/ Processor DAN 0000-1234- 5678-9100 DAN 0000-1234- 5678-9100 29

How does it work? Comparison Contactless Implementation Pay Wave/ Pay Pass Google Wallet Apple Pay Stores Primary Account Number (PAN) Yes, in secure element on card Yes, on Google servers in cloud No, PAN only required during registration Customer Authentication None below threshold amount, PIN or signature above threshold amount PIN (different from phone unlock PIN) itouch or Passcode 30

Security Analysis

What are the Security Features? Secure Element, Trusted Execution Environments. EMV for preventing card fraud. 32

From EMVCo: PKI 33

What is protected with EMV? Authenticity of the cards (protects against counterfeit cards). Payment transactions by adding dynamic data unique to each transaction. PINs and keys stored in secure part of card (TEE or SE). PIN encrypted between PIN pad and card. A standard is only as good as its implementation. 34

What are the Security Features? Payment tokens for protecting PAN. 35

What is protected with tokenisation? PAN and card expiry date are protected. Viability of stolen data is minimised by limiting the domain in which the token is valid. Merchant liability is limited by not processing or storing actual cardholder PAN. 36

What are the Security Features? Multi factor authentication during payment transaction (Wallet and Pay). Contactless card does not need to leave your hand for payment. 37

What are the weak points and threats? Stolen EMV contactless card can be used to make small payments (below PIN limit). Malware on the device or reader. Stolen card details can possibly be registered with electronic wallets and then used depending on ID&V process of Issuer. Static authentication data. 38

The threat scenarios again Can an attacker stand behind me and charge my card different amounts in quick succession? Can an attacker read my EMV card and encode PAN on a mag stripe card? Can an attacker mount a high power reader in a van? Replay attacks? 39

How can I APPLY what I have learned?

If I am a Merchant, Bank, Processor Use a combination of EMV and (back-end) tokenisation. Realtime authorization, ie no offline transactions. Phase out mag stripe cards data from chip card can be transferred onto mag stripe. Do not send activated cards by mail. Monitor usage patterns and implement other fraud detection measures. Secure issuer and card private keys; card MAC master keys. Isolate from corporate network and include physical interlocks for access. Biometric authentication on card or just simple button that has to be pressed to enable chip to be energized. 41

If I am a Consumer? Do metal card sleeves really work? Tell your bank when you travel. Check your statements regularly. Protect your PIN. Enable iphone locate my phone feature. Set limits on transactions. 42

Summary EMV Contactless, Google, Apple Pay Contactless payments systems are not fraud-proof. But more secure than mag stripe-based systems. More/as convenient, more secure than cash. Mostly simple measures can be taken to improve security. Novel approaches are required to improve convenience and bring down cost of implementation. 43

Any Questions? Matthew Ngu: matthew.ngu@rsa.com Chris Scott: chris.scott@rsa.com 44