9 research outputs found
Security Assessment of the Spanish Contactless Identity Card
The theft of personal information to assume the identity of a person is a common threat.
Individual criminals, terrorists, or crime rings normally do it to commit fraud or other felonies.
Recently, the Spanish identity card, which provides enough information to sign up for online products such as mortgages or loans, was updated to incorporate a Near Field Communication (NFC) chip, as electronic passports do. This contactless interface brings a new attack vector for these criminals, who might take advantage of the RFID communication to secretly steal personal information. In this paper, we assess the security of the contactless Spanish identity card against identity theft. In particular, we evaluated the resistance of one of the contactless access protocols against brute-force attacks and found that no defenses were incorporated. We suggest how to avoid brute-force attacks. Furthermore, we also analyzed the pseudo-random number generator within the card, which passed all performed tests with good results.
Funding: MINECO CyCriSec (TIN2014-58457-R); University of Zaragoza and Centro Universitario de la Defensa UZCUD2016-TEC-06; Project TEC2015-69665-R (MINECO/FEDER, UE).
Security assessment of the Spanish contactless identity card
The theft of personal information to fake the identity of a person is a common threat, normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to sign up for online products such as mortgages or loans, was updated to incorporate a near-field communication chip, as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the radio-frequency identification communication to virtually steal personal information. In this study, the authors take the recently deployed contactless Spanish identity card as a case study and assess its security against identity theft. In particular, they evaluated the security of one of the contactless access protocols as implemented in the contactless Spanish identity card, and found that no defences against online brute-force attacks were incorporated. They then suggest two countermeasures to protect against these attacks. Furthermore, they also analysed the pseudo-random number generator within the card, which passed all the performed tests with good results.
Smart relay attacks on NFC payment protocols
The inclusion of new security measures in credit and debit payment cards has notably improved the security of these transactions. From performing operations using the cards' magnetic stripe (a very insecure technology), the industry moved to using an electronic chip, in the so-called EMV or chip-and-PIN cards (a somewhat more secure technology). These cards implement the EMV protocol (from which they take their name), which allows transactions made with the card to be authorised by the cardholder entering a personal identification number (PIN). These EMV cards have recently been updated with the addition of a chip that allows wireless communication. These new cards, called contactless cards, allow payments to be made simply by bringing the card close to the point of sale, that is, without needing to insert it into a chip reader. Moreover, if the amount of the payment does not exceed a certain limit, the obligation to authorise the transaction with a PIN is removed. The wireless communication of contactless cards is based on the Near Field Communication (NFC) protocol, which uses the high-frequency band of Radio Frequency IDentification (RFID). Because NFC does not introduce security or encryption into communications, the adoption of this technology in cards allows new ways of attacking transactions to be investigated. For example, eavesdropping attacks can be performed by listening to disturbances in the electromagnetic field, as well as man-in-the-middle attacks that allow data to be inserted, manipulated or corrupted.
This project focuses on the risks introduced by relay attacks, which allow communication between a credit or debit card and a malicious point of sale separated by an arbitrarily large distance. Alongside these experiments, the improvements made to the Android application NFCLeech are described. This application is a prototype originally developed in 2014 to test relay attacks, and it now allows the proofs of concept for the extended relay attacks in this work to be carried out, as well as better debugging of the relayed messages and of the protocol used to perform payments.
Does the online card payment system unwittingly facilitate fraud?
PhD Thesis. The research work in this PhD thesis presents an extensive investigation into the security settings of Card Not Present (CNP) financial transactions. These are the transactions which include payments performed with a card over the Internet on websites, and over the phone. Our detailed analysis of hundreds of websites and of multiple CNP payment protocols shows that the current security architecture of the CNP payment system is not adequate to protect itself from fraud. Unintentionally, the payment system itself will allow an adversary to learn and exploit almost all of the security features put in place to protect the CNP payment system from fraud. With insecure modes of accepting payments, the online payment system paves the way for cybercriminals to abuse even the latest designed payment protocols like 3D Secure 2.0.
We follow a structured analysis methodology which identifies vulnerabilities in the CNP payment protocols and demonstrates the impact of these vulnerabilities on the overall payment system. The analysis methodology comprises UML diagrams and reference tables which describe the CNP payment protocol sequences, software tools which implement the protocol, and practical demonstrations of the research results. Detailed referencing of the online payment specifications provides a documented link between the exploitable vulnerabilities observed in real implementations and the source of the vulnerability in the payment specifications.
We use practical demonstrations to show that these vulnerabilities can be exploited in the real world with ease. This presents a stronger impact message when presenting our research results to a non-technical audience. This has helped to raise awareness of security issues relating to payment cards, with our work appearing in the media, radio and T
Security of Ubiquitous Computing Systems
The chapters in this open access book arise out of the EU COST Action project Cryptacus, the objective of which was to improve and adapt existing cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license.
Knowledge and Management Models for Sustainable Growth
In recent years sustainability has become a topic of global concern and a key issue in the strategic agenda of both business organisations and public authorities and organisations.
Significant changes in the business landscape, the emergence of new technology, including social media, and the pressure of new social concerns have called into question established conceptualisations of competitiveness, wealth creation and growth.
A new and unaddressed set of issues regarding how private and public organisations manage and invest their resources to create sustainable value has come to light. In particular, the increasing focus on environmental and social themes has suggested new dimensions to be taken into account in the value creation dynamics, at both the organisational and the community level.
For companies, the need to integrate corporate social and environmental responsibility issues into strategy and daily business operations poses profound challenges, which, in turn, involve numerous processes and complex decisions influenced by many stakeholders. Facing these challenges calls for the creation, use and exploitation of new knowledge, as well as the development of proper management models, approaches and tools aimed at contributing to the development and realisation of environmentally and socially sustainable business strategies and practices.