DoSing NFC prepaid cards: The Mailman Attack

It's time to live up to the blog name - it should not be only about Android after all. Let's talk Near Field Communication (NFC) and payments. NFC is a relatively simple concept. You have a card with a loop of wire (an antenna coil) in which an electric current is induced when it is placed in the appropriate magnetic field. This field is created by a reader, and the current powers a JavaCard-like microchip.

When it comes to payments, Chip & PIN is the main way to pay in Europe. There was a big shift recently: some debit (and credit) cards gained NFC communication, and with it came a "Chip sans PIN" model for small transactions. This model existed before, but was used mainly in parking meters. Now it has become more and more prevalent, and people suddenly became aware that their money might be stolen. It does not really matter that much: the truth is that as long as the card companies (or banks) can swallow the expenses, it is all good. Here I will try to describe two possible attacks on NFC cards which are not so obvious. Mind you, this is based on my actual (as in "I have an NFC reader and a stack of NFC payment cards") research; your experience may vary, mostly because payment cards aren't a monolithic standard: there are different types even of Visa and MasterCard cards, different banks save different information to the chip, and so on.

The Mailman Attack, or DoS attack on the prepaid card

The first attack can be performed by a mailman or anyone who has prolonged access (an hour, maybe slightly more) to your mail. Cards usually come via snail mail. Some cards need activation before the NFC capabilities are turned on, but others don't. The notorious group that favours the latter approach is prepaid cards. This results in a simple, yet effective way of rendering the card unusable.

With prepaid cards you usually can't just withdraw money from an ATM; you can only pay with them. So if I make the card look intact (i.e. no visible marks) but render it unusable, you will have a hard time getting your money back, or even getting back the money you paid for the card itself.

In order to prevent replay attacks, an Unpredictable Number (UN for short) is generated for every transaction. The payment terminal then sends it to the bank, which verifies the signature over the UN. In order to prevent pre-play attacks, there is also a transaction counter (called the ATC). This counter is only 2 bytes, so one card can perform at most 65535 (or so) transactions; after that number it is blocked forever. The UN is an unsigned 4-byte integer, so you cannot just enumerate all of the UNs and then replay the correct answer to the terminal.

However, the transaction counter is incremented when a transaction starts, no matter what the end result will be. So you just have to send "I want to perform a transaction" (issue the GET PROCESSING OPTIONS command) and then quit, 65535 times, and you have effectively blocked the card forever. All of this can be performed wirelessly, without even opening the envelope in which the card is packed (in something like 100 minutes, though it can be done faster with dedicated equipment); hence, the Mailman Attack. And this is how you DoS a credit card.
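To make the counter semantics concrete from the issuer's side, here is an added example (not code from the original post): a toy model of a card whose 2-byte ATC is bumped on every started transaction and saturates at 0xFFFF, next to an issuer-side check that flags an implausible ATC jump between two authorizations of the same card, which is what a partially exhausted card looks like when it finally goes online. The card model and the gap threshold are simplifying assumptions, not any vendor's logic.

```python
"""Model of an EMV card's Application Transaction Counter (ATC), plus an
issuer-side check for the counter exhaustion described above.
Added example, not code from the original post; the card model and the
gap threshold are simplifying assumptions, not any vendor's logic."""

ATC_MAX = 0xFFFF  # the ATC is a 2-byte unsigned counter

class CardModel:
    """Stand-in for the card: the ATC goes up when a transaction is
    started (GET PROCESSING OPTIONS), whatever happens afterwards."""

    def __init__(self):
        self.atc = 0
        self.blocked = False

    def start_transaction(self):
        """Return True if the card accepted the start of a transaction."""
        if self.blocked:
            return False
        self.atc += 1
        if self.atc >= ATC_MAX:
            # Counter exhausted: the card refuses every further transaction.
            self.blocked = True
        return True

class IssuerMonitor:
    """Issuer-side view: the ATC is carried in every online authorization
    request, so a large jump between two authorizations of the same card
    means many transactions were started but never reached the issuer."""

    def __init__(self, max_gap=50):
        self.last_atc = {}      # PAN -> highest ATC seen so far
        self.max_gap = max_gap  # assumed threshold; tune per card portfolio

    def observe(self, pan, atc):
        """Classify one authorization; returns 'ok', 'atc_gap' or 'replay'."""
        prev = self.last_atc.get(pan, 0)
        self.last_atc[pan] = max(prev, atc)
        if atc <= prev:
            return "replay"   # the ATC must strictly increase
        if atc - prev > self.max_gap:
            return "atc_gap"  # consistent with the abandoned-GPO DoS
        return "ok"

def abandoned_starts(card, n):
    """Start and abandon n transactions; return how many the card accepted."""
    return sum(1 for _ in range(n) if card.start_transaction())
```

A card that is fully exhausted never reaches the issuer again, so the gap check only catches interrupted or partial runs; the real fix for the mailman scenario is not activating the contactless interface before the customer does.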

The "I know you, therefore I'm your bank" attack

The second attack can be performed on public transport or anywhere else you can get close to unsuspecting people. Some debit cards, especially Visa, have a very bad habit of leaking too much information through NFC. MasterCard is somewhat more modest in the information it gives out; e.g. it does not give the first or last name of the owner. Essentially, the NFC part and the contact part of the card should always be kept separate.

Each card has a transaction log. It's basically what you expect: a log of transactions. It's kept on the card in order to determine when you have reached your offline payment limit and the card has to force the transaction to be performed online. This is done so that you don't run up an excessive overdraft on your account: you are allowed to spend a small amount of money without the authorization of your bank. It's faster that way, and we know how credit card companies love speed, since it gives you less time to think about your purchase. The card just logs all of the transactions, at some point decides that you have spent too much (or made too many offline transactions) and goes online. It's then free to clear this log.

But implementing a rolling log of transactions is hard. Well, not hard, just... not worth doing properly. So one of the card companies decided to log all of the transactions: online, offline, contactless, contact. And this log is readable via the wireless interface. So now I have the date, amount, currency and, in some rare cases, location of your transactions. This gives me a lot of information: I now know if you're rich and whether I can mug you in a dark alley.

Next up are the first and last name. While the MasterCard specification states that it is forbidden to share that data via NFC, the other big card company has no problem with it. The last piece of information is of course the card maker, bank name and card number. Well, the bank name and card maker are actually encoded in the card number, so they do not even have to be transmitted; the card number is enough. Of course the expiration date is also sent via NFC.

OK, now that we know what we know, we just have to use our charm. Walk up to a boy or a girl, bump into them (now you have read all of the card information), say you're sorry, chat them up and get their phone number. Or look it up on some social media site. Anyhow, call your victim and say something like:

- Good morning, I'm calling from <bank_name>. May I speak with <name>, please?
- Are you the owner of the <credit_card_company> card with the number that ends in <last_four_digits>?
- Did you make a transaction on <date> for <amount_of_money>?

Of course, he/she did. We know it.

- Our fraud detection system (patent pending) has flagged this transaction. In order to process it you have to provide us with the three-digit code on the back of your card. Can you please read it?

And... scene.

Summary

Despite all of the drawbacks, I still use NFC cards. Not that I have a choice of course, but if I had a choice I would still stick with them. They are easy to use, the attacks described above are somewhat impractical and - at least for now - too expensive to pull off. There are arguably easier ways to scam you out of your money. But sometimes it really shouldn't be about the cost of the scam, but about the finesse.
