[IP] Contactless payments and the security challenges
Begin forwarded message:
From: "R.A. Hettinga" <rah@xxxxxxxxxxxxxx>
Date: September 18, 2005 11:09:07 AM EDT
To: cryptography@xxxxxxxxxxxx
Subject: [Clips] Contactless payments and the security challenges
--- begin forwarded text
Delivered-To: clips@xxxxxxxxxxxx
Date: Sun, 18 Sep 2005 10:39:58 -0400
To: Philodox Clips List <clips@xxxxxxxxxxxx>
From: "R.A. Hettinga" <rah@xxxxxxxxxxxxxx>
Subject: [Clips] Contactless payments and the security challenges
Reply-To: rah@xxxxxxxxxxxx
Sender: clips-bounces@xxxxxxxxxxxx
<http://www.nccmembership.co.uk/pooled/articles/BF_WEBART/view.asp?Q=BF_WEBART_171100>
Principia
The Membership Organisation For IT Professionals
A division of the National Computing Centre
Contactless payments and the security challenges
David Birch reports on the latest developments in contactless payment
systems and reviews the associated security implications.
The announcement of schemes such as MasterCard's Paypass, American Express ExpressPay and Visa's contactless initiatives is a sign that contactless smart cards are moving out of mass transit (e.g. London's Oyster card) and into the mass market. Indeed, Datamonitor have forecast that the market for these 'payment tokens' will grow at 47 per cent per annum over the next five years [1]. The international payment schemes' interest is obvious. At a time when it's hard to explain to a consumer why a contact smart card (such as the 'chip and PIN' payment cards being deployed around the world) is better than a magnetic stripe card, payment tokens immediately differentiate themselves by offering a completely different (and significantly more convenient) consumer experience.
Why? Because the token needs only to be waved close to the terminal. In many cases, it will work fine while still in a bag or briefcase, providing it is close enough to the terminal. The distance depends on the type of device used; the type of 'proximity interface' chip being discussed in this article will work up to a few centimetres from the terminal.
With advances in chip and antenna technology, payment tokens now have almost identical functionality to contact smart cards, including high-strength cryptographic functions, and can even be in a 'dual interface' package sporting both contact and contactless interfaces. RFID technology, while new to consumer payments, has actually been out in the field for some time. Mass transit was one of the driving sectors. Operators in Hong Kong, London, Paris, Washington and Taipei, amongst others, already have millions of tokens in place using the same technology, and many other cities are planning similar schemes. Their switch to RFID-based tokens has three main drivers:
* Lower lifetime cost of ownership - for commercial use, the initial cost of RFID readers is already price comparable to motorised contact readers. The elimination of all moving parts, however, significantly improves reliability and operational reader life, reducing the overall life cycle cost of ownership. The inherent vandal-proof properties are also ideal for unattended vending or payments, delivering overall improved system availability.
* Faster transaction times - for historical reasons, and because of their origin in the mass transit sector (which needs high throughput at gates), the interfaces to RFID chips are many times faster than the interfaces to contact smart cards.
* Flexible form factors - as it operates remotely from the reader, the physical size and shape of the token is unimportant. Many tokens come in the traditional bank card form; others have been built into consumer goods like Swatch watches, pagers or key fobs.
So momentum is building, and even industry observers historically bullish about using tokens for payment (e.g. the author [2]) have been surprised by the speed of deployment. The reason might be that while the rational reasons for choosing tokens for payments (e.g. speed, lifetime cost of ownership) are good, the irrational reason is even better: they're interesting, particularly because of the flexible form factor.
Of the various form factors noted above, two token-carrying devices seem to stand out: the key fob and the mobile phone. Whether you are waving your keys at a petrol pump before you fill up your car or in Burger King to pay for your meal, using the bunch of keys you already have in your hand instead of getting out your wallet makes this a clear proposition. But we all have our mobile phones with us all the time as well, and the phone (unlike the keys) can be used to manage the payment account in various ways, a synergy that is sure to be exploited.
Nokia have said that they think payment tag technology is better than Bluetooth or Infra-red for mobile payments [3] and, in Japan, NTT DoCoMo and Sony have formed a joint venture (FeliCa Networks) to develop a version of the Sony FeliCa contactless chip for embedding into mobile phones and to operate the FeliCa platform for m-commerce [4]. For many consumers, this will be the ultimate in convenience because the phone provides the communications link for managing the payment account as well as the physical payment device. The dreams of the mobile payment community will come true, but not in the way that they thought.
Payment tokens
So how do payment tokens work to deliver the appropriate levels of both security and privacy? To answer this question, it's necessary to understand how they work. In the general case, the payment token comprises a microprocessor with hardware support for cryptographic operations and an RF interface. There are various standards in this space, but the one most widely used for payment tokens at present is ISO/IEC 14443.
In a typical retail environment the retailer's point-of-sale (POS) terminal and the payment token both contain a microprocessor; the microprocessors communicate using a payment protocol (on top of the ISO 14443 protocol for basic data exchange).
When it is time to pay, the customer brings their tag close to the POS terminal. The terminal interrogates the card and gets back the serial number and a cryptogram (a one-time code calculated inside the token). It feeds these to the acquiring bank, which passes them on to the issuer. From the serial number, the issuer knows which account to authorise, and from the cryptogram the issuer knows that the token is valid.
The cryptogram is made up from the serial number and a transaction counter, encrypted using the token security key. This key is inserted in the token during manufacturing; it is derived from the serial number and a bank master key. Once in the token, it is never divulged. This kind of solution provides:
* Privacy, because the token ID is meaningless to anyone other than the issuing bank, which can map that ID to an actual account or card number;
* Security, because knowing the token ID is insufficient to create a cloned token. Also, a cloned token would not generate a correct cryptogram because it would not have the right security key, and if the transaction is replayed the transaction counter will be wrong.
Please note that this is an example given for the purpose of discussion; it is not meant to represent any of the operational schemes discussed in this article. The security of this typical example scheme is not absolute. There is no cardholder verification (i.e. a signature or a PIN), but all transactions are authorised online, so a lost or stolen card can be blocked as soon as it is reported (although it has to be said that consumers will generally notice the loss of their keys or mobile phone pretty quickly).
For this example scheme, it might be useful to add an online PIN only for transactions above £20 or so.
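The example scheme described above (serial number plus counter, protected by a key diversified from a bank master key, checked online by the issuer) and the suggested online-PIN threshold can be modelled end to end. The following is an added illustration written for this page; it is not code from the article or from any of the schemes it mentions. It assumes HMAC-SHA256 as a stand-in both for the key derivation and for the 'encryption' that produces the cryptogram (a real scheme would use its own block-cipher-based diversification and MAC), and the master key, serial number and account identifier are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample master key. In a real deployment it lives in the issuer's
# HSM and is never exported; tokens only ever hold their diversified key.
BANK_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PIN_THRESHOLD_PENCE = 2000  # the article's "about GBP 20" online-PIN threshold


def derive_token_key(master_key: bytes, serial: bytes) -> bytes:
    # Key diversification: token key = PRF(master key, serial number).
    # Assumption: HMAC-SHA256 stands in for the scheme's real derivation.
    return hmac.new(master_key, serial, hashlib.sha256).digest()


def compute_cryptogram(token_key: bytes, serial: bytes, counter: int) -> bytes:
    # One-time code over (serial, transaction counter) under the token key.
    # Assumption: a keyed MAC models "encrypted using the token security key".
    message = serial + counter.to_bytes(4, "big")
    return hmac.new(token_key, message, hashlib.sha256).digest()[:8]


class Token:
    """The contactless token: holds its key, never reveals it, answers a tap."""

    def __init__(self, serial: bytes, token_key: bytes):
        self.serial = serial
        self._key = token_key   # injected at personalisation, never read out
        self.counter = 0        # transaction counter, incremented on every tap

    def tap(self) -> tuple:
        self.counter += 1
        return self.serial, self.counter, compute_cryptogram(self._key, self.serial, self.counter)


class Issuer:
    """The issuing bank: maps serial -> account and checks every cryptogram online."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._records = {}      # serial -> {"account", "last_counter", "blocked"}

    def personalise(self, serial: bytes, account: str) -> Token:
        self._records[serial] = {"account": account, "last_counter": 0, "blocked": False}
        return Token(serial, derive_token_key(self._master, serial))

    def block(self, serial: bytes) -> None:
        self._records[serial]["blocked"] = True   # token reported lost or stolen

    def authorise(self, serial, counter, cryptogram, amount_pence, pin_verified=False):
        rec = self._records.get(serial)
        if rec is None:
            return False, "unknown token"
        if rec["blocked"]:
            return False, "token blocked"
        if counter <= rec["last_counter"]:
            return False, "replay: counter not increasing"
        # The issuer re-derives the token key from its master key; it stores none.
        expected = compute_cryptogram(derive_token_key(self._master, serial), serial, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        if amount_pence > PIN_THRESHOLD_PENCE and not pin_verified:
            return False, "online PIN required"
        rec["last_counter"] = counter
        return True, rec["account"]


def run_scenario() -> dict:
    """Walk through the cases the article describes and return each outcome."""
    issuer = Issuer(BANK_MASTER_KEY)
    serial = b"TOKEN-0001"                          # constructed serial number
    token = issuer.personalise(serial, "acct-42")   # constructed account id
    results = {}
    # 1. Genuine tap for a small amount: authorised.
    s, c, crypt = token.tap()
    results["genuine"] = issuer.authorise(s, c, crypt, 500)
    # 2. The same tap replayed: rejected because the counter did not advance.
    results["replay"] = issuer.authorise(s, c, crypt, 500)
    # 3. A clone that knows the serial but not the key: its cryptogram fails.
    clone = Token(serial, b"guessed-key")
    clone.counter = 10      # a fresh counter, so the replay check is not what stops it
    s, c, crypt = clone.tap()
    results["clone"] = issuer.authorise(s, c, crypt, 500)
    # 4. Genuine tap above the threshold: declined without PIN, allowed with it.
    s, c, crypt = token.tap()
    results["high_no_pin"] = issuer.authorise(s, c, crypt, 3500)
    s, c, crypt = token.tap()
    results["high_with_pin"] = issuer.authorise(s, c, crypt, 3500, pin_verified=True)
    # 5. After a lost/stolen report the issuer refuses even a genuine tap.
    issuer.block(serial)
    s, c, crypt = token.tap()
    results["blocked"] = issuer.authorise(s, c, crypt, 500)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:14s} -> {outcome}")
```

Two points the model makes concrete: the issuer stores no per-token keys at all (it re-derives them from the master key on every authorisation, which is what makes the serial number harmless on its own), and the counter check is the only thing that stops a captured exchange from being presented twice, so an issuer must persist the last-seen counter per token rather than per session.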
Next steps
RFID technology continues to evolve. Sony and Philips have been working on the next generation of standards in this field, known as near-field communication (NFC). Using NFC, devices can operate in active or passive modes. In one case, where an active terminal communicates with a passive token, the situation is just as noted above for RFID. However, when an active device communicates with another active device, they can swap data at a couple of hundred Kbits/s over distances of a few centimetres.
NFC is targeted at the mass consumer market; it will be built into consumer devices of all kinds (e.g. video cameras, games consoles, hi-fi and so on) and will work without configuration or even consumer awareness. The idea is to make something that just connects when devices are in close proximity (or, to put it another way, the act of bringing devices together is taken to be the consumer's statement of intent to interact). One especially interesting way that NFC might be used is to trigger communications over other wireless channels by taking care of initial set-up and parameter exchange. You can imagine how useful this might be in practice: put your DVD player next to your TV and they say hello to each other using NFC and then trigger a WiMax link to carry video from the DVD player to the TV. Goodbye cables and goodbye hassle; NFC seems to be a genuine attempt to get rid of wires once and for all.
With the first trials of NFC devices expected later in the year, Sony, Nokia and Philips have now formed the NFC Forum to develop and promote the technology. Why Nokia? Well, one of the most interesting categories of devices capable of carrying an NFC chip (known as Personal Carrier Devices, or PCDs in the jargon) that could operate in passive or active (i.e. requiring power) mode is the mobile phone [5]. The introduction of active NFC in the handset accelerates the possibilities for new services well beyond the passive RFID payment token examples discussed above.
To see this, imagine that your mobile phone has an NFC interface. When your phone is switched off or the battery is dead, it functions as a passive RFID carrier and can be used for all of the applications commonly discussed in this context; it could act as a door key, a membership card or, indeed, a standard payment token. When the phone is switched on and the NFC interface is powered, it can communicate with other passive RFID tokens. So, you might use the phone to trigger WiFi access in a café, or to act as a merchant point-of-sale (POS) terminal to accept other people's payment tokens.
Given this trend, one of the most interesting medium-term developments in the world of retail electronic payments will be the combination of RFID/NFC technologies and the ubiquitous mobile phone [6]. The addition of the token to the handset - whether as an integrated component, as with DoCoMo and EDY in Japan, or as a clip-on cover, as in the Paypass trial in Dallas, or as a sticker that the consumer chooses to stick on to the phone, as with Dexit in Canada - creates a new kind of 'active' (because it has a communications channel) payment device. The combination of the local RFID/NFC wireless interface with GSM/GPRS/3G connectivity will undoubtedly transform the retail electronic payments landscape for everyone [7].
The author
David Birch is a director of Consult Hyperion, an IT management
consultancy that specialises in electronic transactions.
(ITadviser, Issue 38, July/August 2005)
References
1. Contactless Cards 'Meet Industry's Needs'. American Banker (24 Jan. 2003).
2. Birch, D. Contactless Cash in Reach. p. 72-73 (Spring 2003).
3. Why Nokia gives contactless the nod over Infrared and Bluetooth. Card Technology, p. 34-35 (Jan. 2004).
4. NTT DoCoMo and Sony Team Up on M-Commerce. Card Technology 8 (14): p. 6-8 (Dec. 2003).
5. Birch, D. NFC and Mobile. In proc. of Contactless Cards, SMi (London: Jun. 2004).
6. Birch, D. Chips That Chat. In proc. of Wireless World, Digital World Research Centre (University of Surrey: Jul. 2004).
7. Birch, D. Retail Electronic Payments Security: Trends and Implications for Mobile. In proc. of Mobile Payments, Informa (Brussels: Mar. 2005).
--
-----------------
R. A. Hettinga <mailto: rah@xxxxxxxx>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips@xxxxxxxxxxxx
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text