Potential misuse of NFC enabled mobile phones with embedded security elements as contactless attack platforms

Lishoy Francis; Gerhard Hancke; Keith Mayes; Konstantinos Markantonakis

doi:10.1109/icitst.2009.5402513

Potential misuse of NFC enabled mobile phones with embedded security elements as contactless attack platforms

Lishoy Francis, Gerhard Hancke, Keith Mayes, Konstantinos Markantonakis

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

33 Citations (Scopus)

Abstract

In this paper we investigate the possibility that a Near Field Communication (NFC) enabled mobile phone, with an embedded Secure Element (SE), could be used as a mobile token cloning and skimming platform. We show how an attacker could use a NFC mobile phone as such an attack platform by exploiting the existing security controls of the embedded SE and the available contactless APIs. To illustrate the feasibility of these actions we also show how to practically skim and emulate certain tokens typically used in payment and access control applications with a NFC mobile phone. Although such attacks can also be implemented on other contactless platforms, such as custom-built card emulators and modified readers, the NFC-enabled mobile phone has a legitimate form factor, which would be accepted by merchants and arouse less suspicion in public. Finally, we propose several security countermeasures for NFC phones that could prevent such misuse. Copyright © 2009 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved.

Original language	English
Title of host publication	International Conference for Internet Technology and Secured Transactions, ICITST 2009
DOIs	https://doi.org/10.1109/icitst.2009.5402513
Publication status	Published - 2009
Externally published	Yes
Event	International Conference for Internet Technology and Secured Transactions, ICITST 2009 - London, United Kingdom Duration: 9 Nov 2009 → 12 Nov 2009

Conference

Conference	International Conference for Internet Technology and Secured Transactions, ICITST 2009
Place	United Kingdom
City	London
Period	9/11/09 → 12/11/09

Access Output

10.1109/icitst.2009.5402513

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@inproceedings{9c0292b6807449c78fb2041e7773e959,

title = "Potential misuse of NFC enabled mobile phones with embedded security elements as contactless attack platforms",

abstract = "In this paper we investigate the possibility that a Near Field Communication (NFC) enabled mobile phone, with an embedded Secure Element (SE), could be used as a mobile token cloning and skimming platform. We show how an attacker could use a NFC mobile phone as such an attack platform by exploiting the existing security controls of the embedded SE and the available contactless APIs. To illustrate the feasibility of these actions we also show how to practically skim and emulate certain tokens typically used in payment and access control applications with a NFC mobile phone. Although such attacks can also be implemented on other contactless platforms, such as custom-built card emulators and modified readers, the NFC-enabled mobile phone has a legitimate form factor, which would be accepted by merchants and arouse less suspicion in public. Finally, we propose several security countermeasures for NFC phones that could prevent such misuse. Copyright {\textcopyright} 2009 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved.",

author = "Lishoy Francis and Gerhard Hancke and Keith Mayes and Konstantinos Markantonakis",

year = "2009",

doi = "10.1109/icitst.2009.5402513",

language = "English",

isbn = "9781424456482",

booktitle = "International Conference for Internet Technology and Secured Transactions, ICITST 2009",

note = "International Conference for Internet Technology and Secured Transactions, ICITST 2009 ; Conference date: 09-11-2009 Through 12-11-2009",

}

Francis, L, Hancke, G, Mayes, K & Markantonakis, K 2009, Potential misuse of NFC enabled mobile phones with embedded security elements as contactless attack platforms. in International Conference for Internet Technology and Secured Transactions, ICITST 2009., 5402513, International Conference for Internet Technology and Secured Transactions, ICITST 2009, London, United Kingdom, 9/11/09. https://doi.org/10.1109/icitst.2009.5402513

Potential misuse of NFC enabled mobile phones with embedded security elements as contactless attack platforms. / Francis, Lishoy; Hancke, Gerhard; Mayes, Keith et al.
International Conference for Internet Technology and Secured Transactions, ICITST 2009. 2009. 5402513.

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Potential misuse of NFC enabled mobile phones with embedded security elements as contactless attack platforms

AU - Francis, Lishoy

AU - Hancke, Gerhard

AU - Mayes, Keith

AU - Markantonakis, Konstantinos

PY - 2009

Y1 - 2009

N2 - In this paper we investigate the possibility that a Near Field Communication (NFC) enabled mobile phone, with an embedded Secure Element (SE), could be used as a mobile token cloning and skimming platform. We show how an attacker could use a NFC mobile phone as such an attack platform by exploiting the existing security controls of the embedded SE and the available contactless APIs. To illustrate the feasibility of these actions we also show how to practically skim and emulate certain tokens typically used in payment and access control applications with a NFC mobile phone. Although such attacks can also be implemented on other contactless platforms, such as custom-built card emulators and modified readers, the NFC-enabled mobile phone has a legitimate form factor, which would be accepted by merchants and arouse less suspicion in public. Finally, we propose several security countermeasures for NFC phones that could prevent such misuse. Copyright © 2009 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved.

AB - In this paper we investigate the possibility that a Near Field Communication (NFC) enabled mobile phone, with an embedded Secure Element (SE), could be used as a mobile token cloning and skimming platform. We show how an attacker could use a NFC mobile phone as such an attack platform by exploiting the existing security controls of the embedded SE and the available contactless APIs. To illustrate the feasibility of these actions we also show how to practically skim and emulate certain tokens typically used in payment and access control applications with a NFC mobile phone. Although such attacks can also be implemented on other contactless platforms, such as custom-built card emulators and modified readers, the NFC-enabled mobile phone has a legitimate form factor, which would be accepted by merchants and arouse less suspicion in public. Finally, we propose several security countermeasures for NFC phones that could prevent such misuse. Copyright © 2009 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved.

UR - http://www.scopus.com/inward/record.url?scp=77950332270&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-77950332270&origin=recordpage

U2 - 10.1109/icitst.2009.5402513

DO - 10.1109/icitst.2009.5402513

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9781424456482

BT - International Conference for Internet Technology and Secured Transactions, ICITST 2009

T2 - International Conference for Internet Technology and Secured Transactions, ICITST 2009

Y2 - 9 November 2009 through 12 November 2009

ER -

Potential misuse of NFC enabled mobile phones with embedded security elements as contactless attack platforms

Abstract

Conference

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this