On the Security of the EMV Authentication Methods of Contactless Cards.
- Source: Proceedings of the European Conference on Cyber Warfare & Security; 2020, p1-12, 12p, 8 Diagrams, 1 Chart
- Publication Year: 2020
Abstract
- Europay, MasterCard, and Visa (EMV) is the global standard for chip-based card transactions. EMV payment specifications support a variety of payment methods such as chip & PIN, chip & signature, contactless, and mobile payment transactions. This paper is mainly concerned with the security analysis and evaluation of the EMV card authentication methods of contactless cards as well as investigating their vulnerabilities to sniffing and replay attacks. It provides a detailed evaluation of the three EMV card authentication methods: Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data Authentication (CDA). To demonstrate that, the paper presents a Java framework to simulate all the stages of an EMV contactless transaction under the three authentication methods. It also simulates the two attacks using Java contactless cards including a counterfeit card to show the feasibility of the replay attack. Our security analysis reveals that the authentication methods have different levels of robustness against the attacks. The paper shows that SDA has the lowest level of security with vulnerabilities to both attacks. The paper also demonstrates that although DDA and CDA are perceived to be secure, they are both vulnerable to sniffing attacks that can be easily launched to steal credit/debit card details. We argue that the card authentication methods share a fundamental flaw related to the trust model between the point of sale and the contactless card. While the Point of Sale (POS) enforces strict rules to ensure the authenticity of the card, the contactless cards release sensitive information to anyone with a card reader without any checks whatsoever. [ABSTRACT FROM AUTHOR]
Details
- Language: English
- ISSN: 20499870
- Database: Complementary Index
- Journal: Proceedings of the European Conference on Cyber Warfare & Security
- Publication Type: Conference
- Accession number: 144836818
- Full Text: https://doi.org/10.34190/EWS.20.091