Contactless Payments with Mobile Wallets. Overview and Technology

Contactless Payments with

Mobile Wallets

History of Contactless Systems

Upass –

(smartcard) a pre-paid card for the transportation system in Seoul and its suburbs, first used in June 1996.

Octopus Card

– (smartcard) a rechargeable contactless stored value smart card for making electronic payments in online or offline

systems in Hong Kong. Launched in September 1997 to collect fares for the territory's mass transit system, the Octopus card system is the

second contactless smart card system in the world, after Upass, and has since grown into a widely used payment system for all public transport in Hong Kong. The Octopus card was introduced for fare

payment on the MTR initially, but the use of the card quickly expanded to other retail businesses in Hong Kong. The card is now commonly used in most, if not all, major public transport, fast food restaurants, supermarkets, vending machines, convenient stores, photo booths,

parking meters, car parks and many other retails business where small payment are frequently made by customers.

History of Contactless Systems

Mobile Speedpass

– (keytag) Introduced in 1997, It was originally developed by Verifone. At one point, Speedpass was deployed

experimentally in fast-food restaurants and supermarkets in select markets. McDonald's alone deployed Speedpass in over 400 Chicago area restaurants. Additionally, Stop & Shop grocery chain tested

Speedpass at their Boston area stores, but removed the units in early 2005. The test was deemed a failure and McDonald's removed the scanners from all their restaurants in mid 2004.

Current Contactless Credit Cards

Credit card companies launched contactless credit cards in 2005. Other form factors were also available, including miniature keyring credit

cards and key tags (similar to Mobile SpeedPass).

Contactless runs over the same chip and PIN network as normal credit and debit card transactions, there is a payment limit on single

transactions and contactless cards can only be used a certain number of times before customers are asked for their PIN. Contactless debit and credit transactions are protected by the same fraud guarantee as standard transactions.

Contactless Credit Card Types

Contactless MSD (magnetic swipe data)

Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only

distributed in the USA. Payment occurs in a similar fashion to mag-stripe, without a PIN and often in off-line mode (depending on

parameters of the terminal). The security level of such a transaction is better than a mag-stripe card, as the chip cryptographically generates a code which can be verified by the card issuer's systems.

Contactless Credit Card Types

Contactless EMV (Europay Mastercard Visa)

Contactless EMV cards have two interfaces (contact and contactless) and work as a normal EMV card via their contact interface. The

contactless interface (a small chip embedded in the card, similar to current PIV/CAC) provides similar data to a contact EMV transaction, but usually a subset of the capabilities (e.g. usually issuers will not allow balances to be increased via the contactless interface, instead requiring the card to be inserted into a device which uses the contact interface). EMV cards may carry an "offline balance" stored in their chip, similar to the electronic wallet or “purse” that users of transit

Merchant Side

American Express – ExpressPay (introduced in 2005) MasterCard – PayPass (introduced in 2005)

Visa – payWave (introduced in 2007) Discover – Zip

Standards for Contactless Smartcards

ISO/IEC 14443 -

Identification cards -- Contactless integrated circuit cards -- Proximity cards

—

 

ISO/IEC 14443-1:2008 Part 1: Physical characteristics

—

 

ISO/IEC 14443-2:2010 Part 2: Radio frequency power and signal interface

—

 

ISO/IEC 14443-3:2011 Part 3: Initialization and anticollision

Wi-Fi

Wi-Fi: Already dominated for internet usage, Wi-fi’s responsibilities are now beginning to include mobile payments over the internet.

Information that would be be communicated would include any information that may be stored for convenience.

•

 

Passwords

•

 

Credit/Debit Cards

Wi-Fi

Wi-Fi Encryption/Authentication has been in place for years. In this case,

Over Wi-Fi, the passed data can include:

—

 

Location Information

—

 

Financial Information

—

 

Billing Address

—

 

Credit Card Information

—

 

Transaction Information (What was purchased, How Much? Etc.)

—

 

What was purchased?

Near Field Technology

NFC enables devices to share information at a distance less than 4

centimeters with a maximum communication speed of 424kbps. Users can share business cards, make transactions, access information from smart posters or provide credentials for access control systems with a simple touch.

NFC’s bidirectional communication ability can establish connections with other technologies.

NFC is prominent in newer Android Phones and is used because of the ease of use and battery performance compared to Bluetooth.

NFC Vulnerabilities

NFC itself is not encrypted in any way.

Eavesdropping is a possibility, as the transmission occurs over regular RF waves. With the appropriate knowledge and equipment one could eavesdrop on the information being transmitted.

NFC signals can also be modified through Man-in-the-Middle attacks in which a nearby device can potentially intercept and change values of the transmission to which the recipient unknowingly accepts the modified information.

NFC Players (Hardware)

—

 

Feature Phones:

—  Samsung Galaxy S3/S4

—  Samsung Galaxy Note 1/2

—  Motorola Razr Maxx HD

—  Nexus 4

—  Windows Phone

—  LG Optimus G

—

 

Smartphones: Acer, Blackberry, HTC, LG, Motorola, Nexus, Nokia, Samsung, Sony

NFC Players (Operating Systems)

—

 

Android

—

 

Blackberry OS

—

 

Windows Phone/8

—

 

Symbian

—

 

Bada(Samsung’s Native OS)

NFC Players

(Customer-side Wallet Applications)

—

 

Square Wallet (Square, Inc.)

—

 

Google Wallet (Google, Inc.)

The Secure Element

Payment card or other information is encrypted and stored on the Secure Element, which is a dedicated hardware component that

operates independently from the rest of the phone and limits access to certain apps.

The Secure Element

Embedded Secure Elements (Universal Integrated Circuit Card)

This type of element is built into the phone at the time of manufacture. Pros:

•

 

Provides a common architecture for application developers

•

 

More tamper resistant

•

 

Less costly Cons:

The Secure Element

Secure Element Within the SIM Pros:

•

 

Relatively secure, can link SIM serial numbers to individuals or devices

•

 

Portable between phones

•

 

Can be managed over the air to wipe if the device is lost/stolen Cons:

•

 

Carriers own the SIM, and can control which third party they grant access to (Verizon is currently not allowing Google

The Secure Element

Secure Element Within a MicroSD Card Pros:

•

 

The microSD can be issued by a financial institution or mobile network operator as a credit, debit, prepaid or a multiple

account digital wallet or for secure access and entry.

•

 

Simple implementation

•

 

Portable Cons:

•

 

Portable

•

 

Physical characteristics of the device can be limiting; physical location, antenna size, casing material, protective covers

•

 

MicroSD can only support a single application or payment account

•

 

Lack of standardizations between MicroSD and NFC Controller may be an issue

Square Wallet

Square Wallet works with merchants that use Square Register

Uses NFC for enabled phones, and QR codes for the register to scan for non-NFC enabled phones. Compatible with Apple devices running iOS 5 and up, and Android devices running Android 2.2 and up.

Users must “check-in” through the app, their photos appear on the

merchant side application. The merchant clicks on the matching photo, scans the QR code or swipes the NFC phone, and payment is made.

Square Wallet – Security Features

Card processing applications adhere to PCI Data Security Standard (PCI-DSS) Level 1.

Square prohibits the storage of card numbers, magnetic stripe data and security codes on client devices.

Square requires sensitive data to be encrypted using industry-standard methods when stored on disk or transmitted over public networks.

Square Wallet

In this case however, Square has ensured that this information is encrypted. In this instance, Square Wallet, a mobile Wallet alternative from Square

uses Wi-Fi to to record the transactions being made. In this case, some of the data transfers can show up within monitoring programs

Google Wallet

Requires NFC for in-store purchases

When setting up credit or debit cards in the Google Wallet mobile app, a virtual prepaid MasterCard card will be issued by Bancorp. When paying in-store by tapping the phone, Google Wallet passes the virtual card to the merchant for payment, and charges the selected credit or debit card for the purchase. Credit or debit cards are linked to the Google Wallet account, which in turn is connected to your virtual prepaid MasterCard card.

The virtual prepaid MasterCard information is stored on the phones Secure Element, no actual card information is on the device. Verizon is currently not licensing secure element space to Google, so this app is not available to Verizon users.

Google Wallet – Security Features

Google Wallet PIN (in addition to the phone’s lock screen) Remote control disables the device from being used

Credit card numbers are stored on Google encrypted servers, only the virtual account information is stored on the device

Does not share actual credit card number with merchants, only passes the virtual MasterCard number

ISIS Mobile Wallet

Developed as a joint venture between AT&T, Verizon, and T-Mobile, currently in testing in Texas and Utah.

Requires NFC SIM (different than regular SIM), available from the mobile carriers in the test cities.

Uses the four big credit card contactless systems (MC PayPass, Visa Paywave, AmEx ExpressPay, Discover Zip).

Currently only supports Capitol One, Chase and AmEx, and the credit card company has to approve the request.

ISIS Mobile Wallet – Security Features

Payment card credentials are stored in the secure element.

The Wallet is accessed by a user-selected PIN, adding another layer of protection.

A single call to your wireless carrier or visit to our website can freeze the wallet, disabling payment cards within the Wallet.

Access Barriers

In most cases applications and even phones have their usual safeguards against theft however, additional security includes:

—  Forcing users to enter CCV values for every transaction in which a card

is used.

—  Once Credit Cards have been entered, information is then hidden.

Many e-Wallet applications such as Square and Passbook can store

login sessions, this allows the application to be accessed again, without a secure login.

Access Barriers

Two-Factor Authentication can be provided in which a password, as well as randomly generated code from another source must be provided in succession in order to log into some systems.

In some applications, all transactions and accounts are monitored and audited in order to prevent stolen information.

With obvious theft in which mobile wallet applications without access barriers can be used to make purchases just like a regular credit card/ cash.

Who is Storing What Where?

For both iOS and Android, applications share these qualities:

—  All application information is stored within a relevant folder containing

the application itself as well as relevant information regarding the application.

—  This includes all stored variables such as user names, passcodes.

Additionally, on certain poorly written applications credit cards, magnetic strip info, pins, and security codes can be saved onto the device.

—  Additionally, potential business transactions can be saved onto the

Security - Apple Devices

In this case, most all applications rely upon the hardware encryption provided by the device.

—  Since iOS 3, the iPhone has implemented hardware encryption

—  Apple’s Hardware Encryption is currently 256-bit AES encryption.

Apple Devices do not allow installation of 3rd _{party applications onto the} device.

Apple prohibits the use of File Browsers and user root access. Only through jail breaking is this possible.

Security - Android Devices

In this case, most all applications rely upon the hardware encryption provided by the device.

—

 

Due to the multitude of hardware, Android devices have varying

encryption.

—

 

Android versions up until Version 3 did not include encryption.

—

 

Android key’s are not stored into the hardware of the device, therefor they can be extracted.

—

 

Android key’s are not stored into the hardware of the device, therefor they can be extracted.

—

 

Android does posses the ability to have a full-disk encryption, if required.

Malware-ridden 3rd_{-Party applications can exist on various Application} Markets

Encryption - Transmission

For most ‘Wallet’ and ‘Payment Apps’ there are various transmission protocols that are used for transmission. Protocols include:

—  (Minimum) 128 bit SSL

—  PGP (Pretty Good Privacy) Encryption

From this, Wi-Fi Security comes into play, which depends on the security of your network.

NFC transmissions contain no encryption and as a result can immediately be monitored by outside clients

Physical Card Readers often perform data encryption the moment the card has been read.

Jailbreak/Root Vulnerabilities

As of February 6th_{, 2013 the recent Evasi0n jailbreak, at has jailbroken} at least 9,838,098 devices on the latest iOS for iPhone (6.1.2).

When a device is jailbroken, this brings additional causes for concern. When a device is jailbroken/rooted, a device can access the file system, as well as valuable information over Wi-Fi.

In most cases an attacker can simply SSH into the iPhone as the credentials are rarely changed.

Jailbreak/Root Vulnerabilities

Once a device is jailbroken/ Rooted, additional access to files is allowed.

In this case, we can see the location of Payment

Histories, as well as the application itself.

Jailbreak/Root Vulnerabilities

Additionally, applications can be decrypted and show the code used to create the application. In this case, tools were used to decrypt and gather Objective-C and arm code of Square Wallet. This technique however can work with any iOS application.

Jailbreak/Root Vulnerabilities

Here is the same process, however this time, the program has been

About PaRaBaL

PaRaBaL, Inc. founded in 2009 is located in the University of Maryland, Baltimore County (UMBC) Research Park in Catonsville, MD. In early 2011 PaRaBaL was awarded a contract from a US Government Agency to develop and teach an iOS security specialist training course, making PaRaBaL the first company to be awarded a US Government iOS

security training contract. PaRaBaL has gone on to expand its expertise in the field of mobile security to cover Android security training, mobile application development and mobile device management. With this

pedigree, PaRaBaL is uniquely suited to take on tough research tasks in computer related cyber activities.