
Tap-Tap and Pay (TTP): Preventing Man-In-The-Middle Attacks in NFC Payment Using Mobile Sensors

Lookup NU author(s): Maryam Mehrnezhad, Professor Feng Hao, Dr Siamak Fayyaz Shahandashti


Full text is not currently available for this publication.


The reader-and-ghost attack is a real concern in mobile NFC payment applications. A malicious reader relays the user's NFC-enabled mobile phone to a remote legitimate reader to charge for a higher amount than what the user expects to pay. Using an NFC shield cannot prevent the attack, since the user consciously instantiates the NFC payment, though without realizing that the reader is controlled by an attacker. Recent solutions generally involve using ambient sensors to measure the ambient properties of the surrounding environment to ensure that the NFC-enabled phone and the reader are at nearby locations. Unfortunately, all these solutions fail completely once the attacker's reader and the legitimate reader are located in the same or similar physical environment.

In this paper, we propose the first and currently the only viable technical solution to defeat the reader-and-ghost attack even when the attacker's reader and the legitimate one are located in the same physical environment. Our solution is called "Tap-Tap and Pay" (TTP). It works by asking the user to physically tap the reader twice in succession to initiate an NFC payment. The physical tapping causes random but correlated vibrations at both devices, which are hard to forge (or reproduce) and can be reliably measured by accelerometers. Accordingly, we design the TTP protocol such that the NFC transaction will proceed only if the two vibration signals are found sufficiently similar. As compared with previous solutions, ours is fast, simple to use, easy to deploy, and above all, prevents attacks even if the attacker's reader and the legitimate one are located in the same environment.

Publication metadata

Author(s): Mehrnezhad M, Hao F, Shahandashti SF

Publication type: Report

Publication status: Published

Series Title: School of Computing Science Technical Report Series

Year: 2014

Pages: 12

Print publication date: 01/07/2014

Report Number: 1428

Institution: School of Computing Science, University of Newcastle upon Tyne

Place Published: Newcastle upon Tyne