NU author(s): Maryam Mehrnezhad, Professor Feng Hao, Dr Siamak Fayyaz Shahandashti
Full text is not currently available for this publication.
The reader-and-ghost attack is a real concern in mobile NFC payment applications. A malicious reader relays the user's NFC-enabled mobile phone to a remote legitimate reader to charge a higher amount than the user expects to pay. Using an NFC shield cannot prevent the attack, since the user consciously initiates the NFC payment, without realizing that the reader is controlled by an attacker. Recent solutions generally involve using ambient sensors to measure the ambient properties of the surrounding environment to ensure that the NFC-enabled phone and the reader are at nearby locations. Unfortunately, all these solutions fail completely once the attacker's reader and the legitimate reader are located in the same or a similar physical environment. In this paper, we propose the first and currently the only viable technical solution to defeat the reader-and-ghost attack even when the attacker's reader and the legitimate one are located in the same physical environment. Our solution is called "Tap-Tap and Pay" (TTP). It works by asking the user to physically tap the reader twice in succession to initiate an NFC payment. The physical tapping causes random but correlated vibrations at both devices, which are hard to forge (or reproduce) and can be reliably measured by accelerometers. Accordingly, we design the TTP protocol such that the NFC transaction will proceed only if the two vibration signals are found sufficiently similar. Compared with previous solutions, ours is fast, simple to use, easy to deploy, and above all, prevents attacks even if the attacker's reader and the legitimate one are located in the same environment.
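An added illustration of the "sufficiently similar" check the abstract describes, written for this record and not taken from the paper: two constructed accelerometer traces are compared with zero-mean normalised cross-correlation over a small lag window, and the transaction is accepted only above a threshold. The metric, the 0.7 threshold, the lag window and the synthetic tap waveform are this example's assumptions; the page does not state what TTP itself uses.

```python
import math
import random

def normalized_xcorr(a, b, max_lag):
    """Best zero-mean normalised cross-correlation of a and b over lags in [-max_lag, max_lag]."""
    n = min(len(a), len(b))
    ma, mb = sum(a[:n]) / n, sum(b[:n]) / n
    a = [v - ma for v in a[:n]]
    b = [v - mb for v in b[:n]]
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        x, y = (a[lag:], b[:n - lag]) if lag >= 0 else (a[:n + lag], b[-lag:])
        num = sum(p * q for p, q in zip(x, y))
        den = math.sqrt(sum(p * p for p in x) * sum(q * q for q in y))
        if den > 0:
            best = max(best, num / den)
    return best

def ttp_accept(phone_trace, reader_trace, threshold=0.7, max_lag=5):
    """Let the NFC transaction proceed only if the two vibration traces are similar enough.
    The metric and threshold are this example's assumptions, not the paper's."""
    return normalized_xcorr(phone_trace, reader_trace, max_lag) >= threshold

def make_trace(tap_samples, gain, noise_sd, seed, n=100):
    """Constructed 100 Hz accelerometer trace (1 s): Gaussian noise plus a damped
    oscillation starting at each tap sample. Synthetic data, not a real recording."""
    rng = random.Random(seed)
    trace = [rng.gauss(0.0, noise_sd) for _ in range(n)]
    for t in tap_samples:
        for i in range(12):
            if t + i < n:
                trace[t + i] += gain * math.exp(-0.35 * i) * math.cos(0.9 * i)
    return trace

# Honest case: the phone and the reader it was tapped on record the same two taps
# (different gain and noise, and a 20 ms lag between the two sensors).
PHONE = make_trace([22, 62], gain=0.7, noise_sd=0.03, seed=1)
TAPPED_READER = make_trace([20, 60], gain=1.0, noise_sd=0.03, seed=2)
# Relay case: the legitimate remote reader was never tapped by this user, so whatever
# it records (here, taps at other instants) does not correlate with the phone's trace.
REMOTE_READER = make_trace([35, 80], gain=1.0, noise_sd=0.03, seed=3)

def demo():
    return {"tapped_reader": ttp_accept(PHONE, TAPPED_READER),
            "remote_reader": ttp_accept(PHONE, REMOTE_READER)}

if __name__ == "__main__":
    print(demo())  # {'tapped_reader': True, 'remote_reader': False}
```

A deployable check would also confirm that both traces contain exactly two tap bursts within the expected interval; the lag window bounds how far apart the two devices' clocks may drift before honest taps are rejected.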
Author(s): Mehrnezhad M, Hao F, Shahandashti SF
Publication type: Report
Publication status: Published
Series Title: School of Computing Science Technical Report Series
Print publication date: 01/07/2014
Report Number: 1428
Institution: School of Computing Science, University of Newcastle upon Tyne
Place Published: Newcastle upon Tyne