Mobile Devices and Security of Token-Present Payments


Student thesis: Doctoral Thesis

View graph of relations


Related Research Unit(s)


Awarding Institution
Award date25 Aug 2022


Cashless payments are widely used to pay for goods and services in person. In most cases, people use a secure token issued by the payment system to facilitate the payment. The token is generally a smart card or a mobile phone running the payment application and this token is presented to the merchant. Making payment often also includes further authentication and security assumptions, like the user entering a Personal Identification Number (PIN) and the system using short-range communication to demonstrate that the token is physically present. At the same time, there is a significant growth in the ubiquity of smart devices in general. People are often equipped with various smart devices during everyday activities. This phenomenon raises questions related to how these devices could impact on the security of payment systems and user authentication, both from the perspective of attacking payment systems and leveraging such devices as more secure tokens. In this thesis, I investigate some of the security issues of token-present payment transactions in the context of the prevalence of personal smart devices.

A PIN is one of the most common user authentication methods in token-present payments. For example, using Chip-and-Pin cards or using an ATM requires the user to enter a PIN into a PIN Entry Device (PED). This authentication process may suffer from attacks. When a victim start entering PIN on an ATM keyboard using his hand with smart wearable, the device begin to record acoustic and movement data. These data can be used to guess the victim's keystrokes. In this thesis, we demonstrate that it is possible for an attacker to recover a short random number entered on PEDs using a microphone, accelerometer and gyroscope of a mobile phone and smart watch equipped by the user. The acoustic data of keystrokes were used to segment the movement data. Next we extracted the movement features from acceleration and angular velocity and use the fusion of these two kinds of features to train a Neural Network classifier. This classifier has 75% probability to predict a single digit keystroke and 53% for 6-digit PIN in 3 predictions.

Mobile devices can be used as payment tokens, with mobile phones and smart watches having contactless payment functions. When the payment information was exchanged between phone and wearable via wireless connection, the communication was possible to be intercepted. In this thesis, I present a method for setting up a secure channel between do devices using common sensor observations. This allows for establishing a symmetric session key and offers relay resistance as the devices need to observe the same environment and therefore be in close proximity. I investigate the feasibility of symmetric key generation on mobile phone and smart wearable device using angular velocity data collected by gyroscopes as data source. I successfully generated the same random number for mobile phone and smart wearable in 78% samples.

Tokens used for in person payment are increasingly using Radio Frequency Identification (RFID) technology in the form of contactless smarts cards and NFC-enabled mobile phones. RFID tokens are vulnerable to relay attacks, whereby an attacker can make a token appear to be present by forwarding messages between the reader and a remote token. Distance-bounding protocol could mitigate this attack but how to implement these in existing systems is still an open question. In this thesis, we built a testing platform supporting the three most popular standards (ISO14443A, ISO14443B and ISO18092). We use the platform to demonstrate first relay attack on Felica cards and then use the testing platform to evaluate the standards with regards to implementing relay-resistant channels.

In this thesis, I presented 3 research outputs. First, I used a combination of data collected by from microphone, accelerometer and gyroscope to infer the keystrokes on PEDs. It was the first time that a fusion of different kinds of features were used in key inference attack. Additionally, it was the first time that gyroscope was used to guess keystrokes. This work can reveal the threat of PIN leakage from the sensors in mobile devices, as well as provide a new approach of using fusion of sensors to infer keystrokes. Second, I proposed a method to derive symmetric keys for mobile phone and smart wearable using the data from gyroscope. It was the first time that gyroscope was used in key derivation. My work can indicate the researchers that there is a new option of using gyroscope to derive symmetric keys for mobile devices. Third, I introduced the NFC testing platform and a relay attack on Felica card using this platform. It was the first relay attack launched on Felica card. I revealed the security threat of the relay attack on a widely used NFC systems, and demonstrated a possible testing platform that can be used to evaluate the attack and defense of NFC relay attack.