Security Assessment of the Spanish Contactless Identity Card

The theft of personal information to assume the identity of a person is a common threat. Individual criminals, terrorists, or crime rings normally do it to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to hire on-line products such as mortgages or loans, was updated to incorporate a Near Field Communication (NFC) chip as electronic passports do. This contactless interface brings a new attack vector for these criminals, who might take advantage of the RFID communication to secretly steal personal information. In this paper, we assess the security of contactless Spanish identity card against identity theft. In particular, we evaluated the resistance of one of the contactless access protocol against brute-force attacks and found that no defenses were incorporated. We suggest how to avoid brute-force attacks. Furthermore, we also analyzed the pseudo-random number generator within the card, which passed all performed tests with good results.MINECO CyCriSec (TIN2014-58457-R).University of Zaragoza and Centro Universitario de la Defensa UZCUD2016-TEC-06.Project TEC2015-69665-R (MINECO/FEDER, UE)

Security assessment of the Spanish contactless identity card

The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies Recently, the Spanish identity card, which provides enough information to hire online products such as mortgages or loans, was updated to incorporate a near-field communication chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the radio-frequency identification communication to virtually steal personal information. In this study, the authors consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, they evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defences against online brute-force attacks were incorporated. They then suggest two countermeasures to protect against these attacks. Furthermore, they also analysed the pseudo-random number generator within the card, which passed all the performed tests with good results

Ataques de retransmisión inteligente en protocolos de pago NFC

La inclusión de nuevas medidas de seguridad en las tarjetas de pago a crédito o a débito ha mejorado notablemente la seguridad con la que se realizan estas transacciones. De realizar operaciones usando la banda magnética de las tarjetas (siendo una tecnologı́a muy insegura) se pasó a usar un chip electrónico, con las llamadas tarjetas EMV o tarjetas chip-and-PIN (tecnologı́a algo más segura). Estas tarjetas implementan el protocolo EMV (de donde toman su nombre), que permite autorizar las transacciones realizadas con la tarjeta mediante la introducción de un código numérico personal (PIN) por parte del titular de la tarjeta. Dichas tarjetas EMV han sido recientemente actualizadas con la adición de un chip que permite la comunicación inalámbrica. Estas nuevas tarjetas, denominadas tarjetas contactless, permiten realizar pagos aproximando únicamente la tarjeta al punto de venta, es decir, sin necesidad de insertarlas en un lector de chip. Además, si la cuantı́a del pago no supera cierto lı́mite se elimina la obligatoriedad de autorizar la transacción mediante un PIN. La comunicación inalámbrica de las tarjetas contactless se basa en el protocolo de comunicación en el campo cercano o Near Field Communication (NFC), que usa la banda de alta frecuencia de Radio Frequency IDentification (RFID). Debido a que NFC no introduce seguridad ni cifrado en la realización de las comunicaciones, la adopción de esta tecnologı́a en las tarjetas permite investigar nuevas formas de atacar a las transacciones realizadas. Por ejemplo, pueden realizarse ataques eavesdropping realizando escuchas en las perturbaciones del campo electromagnético, ası́ como ataques man-in-the-middle permitiendo la inserción, manipulación o corrupción de los datos. Este proyecto se centra en los riesgos introducidos relativos a los ataques de retransmisión, permitiendo realizar una comunicación entre una tarjeta de crédito o débito y un punto de venta malicioso separados por una distancia arbitrariamente grande. Paralelamente a la realización de estos experimentos, se detallan las mejoras introducidas a la aplicación Android NFCLeech. Esta aplicación es un prototipo inicialmente desarrollado en 2014 para probar los ataques de retransmisión y que ahora permite realizar las pruebas de concepto relativas a los ataques de retransmisión extendidos en este trabajo, ası́ como una mejor depuración de la retransmisión de los mensajes y el protocolo utilizado para realizar los pagos

Does the online card payment system unwittingly facilitate fraud?

PhD ThesisThe research work in this PhD thesis presents an extensive investigation into the security settings of Card Not Present (CNP) financial transactions. These are the transactions which include payments performed with a card over the Internet on the websites, and over the phone. Our detailed analysis on hundreds of websites and on multiple CNP payment protocols justifies that the current security architecture of CNP payment system is not adequate enough to protect itself from fraud. Unintentionally, the payment system itself will allow an adversary to learn and exploit almost all of the security features put in place to protect the CNP payment system from fraud. With insecure modes of accepting payments, the online payment system paves the way for cybercriminals to abuse even the latest designed payment protocols like 3D Secure 2.0. We follow a structured analysis methodology which identifies vulnerabilities in the CNP payment protocols and demonstrates the impact of these vulnerabilities on the overall payment system. The analysis methodology comprises of UML diagrams and reference tables which describe the CNP payment protocol sequences, software tools which implements the protocol and practical demonstrations of the research results. Detailed referencing of the online payment specifications provides a documented link between the exploitable vulnerabilities observed in real implementations and the source of the vulnerability in the payment specifications. We use practical demonstrations to show that these vulnerabilities can be exploited in the real-world with ease. This presents a stronger impact message when presenting our research results to a nontechnical audience. This has helped to raise awareness of security issues relating to payment cards, with our work appearing in the media, radio and T

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Knowledge and Management Models for Sustainable Growth

In the last years sustainability has become a topic of global concern and a key issue in the strategic agenda of both business organizations and public authorities and organisations. Significant changes in business landscape, the emergence of new technology, including social media, the pressure of new social concerns, have called into question established conceptualizations of competitiveness, wealth creation and growth. New and unaddressed set of issues regarding how private and public organisations manage and invest their resources to create sustainable value have brought to light. In particular the increasing focus on environmental and social themes has suggested new dimensions to be taken into account in the value creation dynamics, both at organisations and communities level. For companies the need of integrating corporate social and environmental responsibility issues into strategy and daily business operations, pose profound challenges, which, in turn, involve numerous processes and complex decisions influenced by many stakeholders. Facing these challenges calls for the creation, use and exploitation of new knowledge as well as the development of proper management models, approaches and tools aimed to contribute to the development and realization of environmentally and socially sustainable business strategies and practices