Picking up my tab: understanding and mitigating synchronized token lifting and spending in mobile payment

DOI: 10.5555/3241189.3241236
Published: 16 August 2017
Abstract

    Mobile off-line payment enables purchases over the counter even in the absence of reliable network connections. Popular solutions proposed by leading payment service providers (e.g., Google, Amazon, Samsung, Apple) rely on direct communication between the payer's device and the POS system, through Near-Field Communication (NFC), Magnetic Secure Transmission (MST), audio and QR code. Although precautions have been taken to protect payment transactions over these channels, their security implications are less well understood, particularly in the presence of threats unique to this new e-commerce service.
    In this paper, we report a new type of over-the-counter payment fraud against mobile off-line payment, which exploits the design of existing schemes that apparently fail to consider an adversary capable of actively interfering with the payment process. Our attack, called Synchronized Token Lifting and Spending (STLS), demonstrates that an active attacker can sniff the payment token, halt the ongoing transaction through various means, and quickly transmit the token to a colluder who spends it in a different transaction while the token is still valid. Our research shows that STLS attacks pose a realistic threat to popular off-line payment schemes, particularly those designed to be backward compatible, such as Samsung Pay and AliPay.
    To mitigate the newly discovered threats, we propose a new solution called POSAUTH. One fundamental cause of the STLS risk is the nature of the communication channels used by the vulnerable mobile off-line payment schemes: they are easy to sniff and jam and, more importantly, unable to support a secure mutual challenge-response protocol, since information can only be transmitted in one direction. POSAUTH addresses this by incorporating a unique ID of the current POS terminal into the generation of the payment token, obtained by quickly scanning a QR code printed on the POS terminal. Combined with a short validity period, POSAUTH ensures that a token generated for one transaction can only be used in that transaction.
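    The following is an added illustration of the POSAUTH idea described in the abstract, written for this page and not code from the paper or its authors. It assumes a construction the abstract does not specify: a per-account secret shared between the payer's app and the payment backend, an HMAC-SHA256 over the POS ID, issue time and a nonce, a 30-second validity window, and a backend that records spent nonces. All identifiers (`issue_token`, `TokenVerifier`, the `POS-STORE-*` terminal IDs, the sample key) are constructed for the example. The point it shows is the defensive property the abstract claims: a token that is sniffed and forwarded through a different terminal is rejected because the terminal ID inside the token does not match the terminal presenting it, whether or not the victim's own transaction ever completes.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed parameter (not from the paper): how long a token stays valid.
TOKEN_TTL_SECONDS = 30


def issue_token(account_key: bytes, pos_id: str, issued_at: int,
                nonce: Optional[str] = None) -> str:
    """Payer-side: build a token bound to one POS terminal and one point in time.

    pos_id is the identifier the payer's app just read from the QR code printed
    on the terminal. The token is a single string so it can travel over a
    one-way channel (QR, MST, audio) to the POS, which forwards it to the backend.
    Assumed construction: HMAC-SHA256 over "pos_id|issued_at|nonce".
    """
    nonce = nonce or secrets.token_hex(8)
    payload = f"{pos_id}|{issued_at}|{nonce}"
    mac = hmac.new(account_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


class TokenVerifier:
    """Backend-side check (assumed design): the terminal that forwards the token
    must be the terminal named inside it, the token must be fresh, and each
    nonce may be redeemed only once."""

    def __init__(self, account_key: bytes, ttl: int = TOKEN_TTL_SECONDS):
        self.account_key = account_key
        self.ttl = ttl
        self.spent = set()  # nonces already redeemed, to block a second spend

    def verify(self, token: str, presenting_pos_id: str, now: int) -> Tuple[bool, str]:
        parts = token.split("|")
        if len(parts) != 4:
            return False, "malformed"
        pos_id, ts_str, nonce, mac = parts
        payload = f"{pos_id}|{ts_str}|{nonce}"
        expected = hmac.new(self.account_key, payload.encode(), hashlib.sha256).hexdigest()
        # Authenticity first: a modified pos_id or timestamp fails here.
        if not hmac.compare_digest(mac, expected):
            return False, "bad_mac"
        # POSAUTH binding: token names one terminal, only that terminal may redeem it.
        if pos_id != presenting_pos_id:
            return False, "pos_mismatch"
        issued_at = int(ts_str)  # safe: the MAC check already validated ts_str
        if now < issued_at or now - issued_at > self.ttl:
            return False, "expired"
        if nonce in self.spent:
            return False, "replayed"
        self.spent.add(nonce)
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the scenarios from the abstract against the verifier and return the outcomes."""
    key = b"constructed-per-account-secret"  # constructed sample key, not a real secret
    verifier = TokenVerifier(key)
    t0 = 1_000_000
    honest_pos, other_pos = "POS-STORE-A-07", "POS-STORE-B-02"

    # Scenario 1: the victim's transaction is jammed and the lifted token reaches
    # a colluder's terminal first; the POS binding rejects it on its own.
    lifted = issue_token(key, honest_pos, t0, nonce="n-lifted")
    lifted_elsewhere = verifier.verify(lifted, other_pos, t0 + 3)
    # The victim's own (delayed) use of the same token still goes through.
    victim_then_pays = verifier.verify(lifted, honest_pos, t0 + 5)

    # Scenario 2: token spent honestly, then presented again at the same terminal.
    token = issue_token(key, honest_pos, t0, nonce="n-honest")
    honest = verifier.verify(token, honest_pos, t0 + 5)
    replayed = verifier.verify(token, honest_pos, t0 + 7)

    # Scenario 3: token held past the validity window.
    stale = verifier.verify(issue_token(key, honest_pos, t0, nonce="n-stale"),
                            honest_pos, t0 + TOKEN_TTL_SECONDS + 30)

    # Scenario 4: attacker rewrites the terminal ID inside a sniffed token.
    tampered = token.replace(honest_pos, other_pos, 1)
    forged = verifier.verify(tampered, other_pos, t0 + 5)

    return {
        "lifted_elsewhere": lifted_elsewhere,
        "victim_then_pays": victim_then_pays,
        "honest": honest,
        "replayed": replayed,
        "stale": stale,
        "forged": forged,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} -> {outcome}")
```

    The order of the checks matters: the MAC is verified before any field is trusted, the terminal binding is checked before the time window so a lifted token is refused even inside its validity period, and the nonce set is only updated on success so a rejected presentation cannot burn the victim's token.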




Published In

    SEC'17: Proceedings of the 26th USENIX Conference on Security Symposium
    August 2017, 1479 pages
    ISBN: 9781931971409

Sponsors

    • Google Inc.
    • IBM Research
    • NSF
    • Facebook
    • CISCO

        Publisher

        USENIX Association

        United States

Cited By

    • (2019) Invisible QR Code Hijacking Using Smart LED. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 3(3), pp. 1-23. doi:10.1145/3351284. Online publication date: 9-Sep-2019.
    • (2018) Beware of Your Screen. Proceedings of the 34th Annual Computer Security Applications Conference, pp. 77-88. doi:10.1145/3274694.3274721. Online publication date: 3-Dec-2018.
    • (2018) Secure QR Code Scheme Using Nonlinearity of Spatial Frequency. Proceedings of the 2018 ACM International Joint Conference and 2018 International Symposium on Pervasive and Ubiquitous Computing and Wearable Computers, pp. 207-210. doi:10.1145/3267305.3267626. Online publication date: 8-Oct-2018.
    • (2017) Paying the Price for Disruption. Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium, pp. 1-10. doi:10.1145/3150376.3150383. Online publication date: 16-Nov-2017.