Nfc payment spy: A privacy attack on contactless payments

Abstract

In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card collision and that instead it should notify the payer. In comparison, the ISO/IEC 14443 standard specifies that the reader should choose one card based on comparing the UIDs of the cards detected in the field. However, our observations show that the implementation of contactless readers in practice does not follow EMV’s card collision algorithm, nor does it match the card collision procedure specified in ISO. Due to this inconsistency between the implementation and the standards, we show an attack that may compromise the user’s privacy by collecting the user's payment details. We design and implement a malicious app simulating an NFC card which the user needs to install on her phone. When she aims to pay contactlessly while placing her card close to her phone, this app engages with the terminal before the card does. The experiments show that even when the terminal detects a card collision (the app essentially acts like a card), it proceeds with the EMV protocol. We show the app can retrieve from the terminal the transaction data, which include information about the payment such as the amount and date. The experimental results show that our app can effectively spy on contactless payment transactions, winning the race condition caused by card collisions around 66% when testing with different cards. By suggesting these attacks we raise awareness of privacy and security issues in the specifications, standardisation and implementations of contactless cards and readers.