Our research shows that it's possible to use NFC mobile phones to relay the signals from a Visa payWave or Mastercard PayPass bank card to a payment terminal. This can be done even if the card is inside a wallet or a purse, making it possible to wirelessly pickpocket someone and charge purchases to their bank cards without their knowledge.
The designs of the current payment protocols make it hard to stop these kinds of attack; every message can either be cached by the relay or takes an unpredictable amount of time. In fact, with the current protocol we can relay the signals over any distance, and we have relayed a signal from a card in New York and Puerto Rico to a payment terminal in Birmingham, UK and made a successful transaction.
We propose a very small change to the payment protocol that will stop these kinds of attacks. By moving two of the message payloads, we can add a message to the protocol that cannot be cached and takes a very predictable amount of time. This message can therefore be timed to stop relay attacks which use cheap, easily available equipment, such as mobile phones.
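The terminal-side check this implies, as an added example that is not code from the paper: a simplified model in which the terminal times one fresh nonce exchange and later verifies that the card authenticated both nonces. The HMAC (standing in for the card's signature), the 5 ms bound, the 1 ms card reply time, and all class and function names are assumptions made for illustration, and delays are simulated rather than measured.

```python
import hashlib, hmac, secrets

MAX_RTT_MS = 5.0      # assumed timing bound; the page gives no figure
CARD_REPLY_MS = 1.0   # assumed fixed card processing time for the timed message

def tag(key, terminal_nonce, card_nonce):
    # HMAC stands in for the card's signature over both nonces (assumption)
    return hmac.new(key, terminal_nonce + card_nonce, hashlib.sha256).digest()

class Card:
    def __init__(self, key, nonce=None):
        self.key, self.seen = key, b""
        self.nonce = nonce or secrets.token_bytes(4)  # fixed before the timed step
    def timed_reply(self, terminal_nonce):
        self.seen = terminal_nonce   # no cryptography here, so timing is predictable
        return self.nonce
    def authenticate(self):
        return tag(self.key, self.seen, self.nonce)

class Link:
    """Path between terminal and card on a simulated clock (milliseconds)."""
    def __init__(self, card, one_way_ms, cached_reply=None):
        self.card, self.one_way_ms, self.cached_reply = card, one_way_ms, cached_reply
    def exchange(self, terminal_nonce):
        real = self.card.timed_reply(terminal_nonce)
        if self.cached_reply is not None:      # relay answers locally, forwards later
            return self.cached_reply, 0.5
        return real, 2 * self.one_way_ms + CARD_REPLY_MS
    def authenticate(self):
        return self.card.authenticate()

def terminal_accepts(link, key):
    terminal_nonce = secrets.token_bytes(4)    # fresh per transaction
    card_nonce, rtt_ms = link.exchange(terminal_nonce)
    if rtt_ms > MAX_RTT_MS:
        return False, "timed reply too slow"
    expected = tag(key, terminal_nonce, card_nonce)
    if not hmac.compare_digest(link.authenticate(), expected):
        return False, "nonce mismatch"
    return True, "accepted"

def demo():
    key = b"constructed-demo-key"              # constructed sample key
    card = Card(key, nonce=b"\x01\x02\x03\x04")
    return {
        "direct": terminal_accepts(Link(card, 0.2), key),
        "relayed": terminal_accepts(Link(card, 40.0), key),
        "cached": terminal_accepts(Link(card, 40.0, cached_reply=b"\x00" * 4), key),
    }
```

A relay that forwards the timed message exceeds the bound, and one that answers it locally to save time fails the later check because the card authenticated a different nonce.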
Details of our work are described in the paper
- Relay Cost Bounding for Contactless EMV Payments (FC 2015), by Tom Chothia, Flavio D. Garcia, Joeri de Ruiter, Jordi van den Breekel, and Matthew Thompson.
which was published at the 19th International Conference on Financial Cryptography and Data Security.