PURE: New security solution wards off digital pickpockets
Fraudsters, armed with just moderate technical skills and inexpensive technology, could use someone else’s payment card, mobile phone, or smartwatch to make contactless payments at a distant location without the victim’s consent. ETH Zurich researchers have developed a security solution that protects consumers against this threat.
In the last few years, contactless payments have soared in popularity as a convenient, fast, and hygienic way to complete purchases at physical stores. The COVID-19 pandemic has certainly contributed to speeding up the trend. According to estimates, about 7 trillion US dollars’ worth of transactions worldwide are handled every year with the “tap-and-go” method. That amount is projected to grow to 10 trillion US dollars by 2027. However, despite their advantages, contactless payments also pose security risks.
Beware the relay scam
Imagine you are commuting to work on a jam-packed train, and before you realise it, your credit or debit card, even though it’s safely stored in your wallet, gets charged for a purchase at some far-away payment terminal or for a cash withdrawal at a distant ATM. This scenario may sound unrealistic, but it isn’t. “Any moderately tech-savvy criminal could pull off such a trick, using what is known as a relay attack”, says Daniele Coppola, a doctoral student in the group of Professor Srdjan Capkun at ETH Zurich.
In a simple variant of the relay attack, all the fraudsters need is relatively cheap hardware, and software available on the internet to capture sensitive data from the victim’s payment card or phone and then relay that information to a distant terminal at which an accomplice would make the fraudulent payment. In that way, the criminals make it appear as if the victim’s card were close to the terminal where the payment is made, when, in fact, it can be kilometers away. The scam might remain unnoticed – except perhaps for a short delay in completing the payment. The victim may only become aware of it later if they spot the suspicious purchase in their card statement, unless they’ve chosen to be notified immediately after each transaction.
Coppola and a team of researchers from the groups of professors Srdjan Capkun and David Basin have come up with a proposal that protects consumers from the threat posed by potential digital pickpockets. The solution, called PURE (Payments with UWB Relay protection), extends the existing protocols for contactless payments by adding two steps to verify that a legitimate payment card or device and an authorised payment terminal are in fact close to each other. The team will present their findings and the proposed solution at the USENIX Security Symposium to be held from August 14 through 16 in Philadelphia, USA.
UWB chips keep fraudsters at bay
The EMV protocols for contactless payments, named after their creators Europay, Mastercard and Visa, have been in use since 1994. But only a few years ago have countermeasures to thwart relay attacks been implemented by Mastercard. “However, those protections aren’t sufficient to prevent all possible variants of relay attacks. PURE fills that gap by including a secure, fast, and reliable verification of the real distance”, says Coppola.
“Current protections aren’t sufficient to prevent all possible variants of relay attacks. PURE fills that gap by including a secure, fast, and reliable verification of the real distance.”Daniele Coppola
To that end, PURE exploits the precise ranging capabilities offered by ultra-wide band (UWB) technology on mobile and wearable devices. UWB chips have been built into most modern smartphones and wearables since Apple introduced them in 2019 with the release of the iPhone 11. The tiny radio chips send ultrashort pulses of electromagnetic waves that can be used to measure the distance to nearby devices within an error margin of less than 10 centimeters. In PURE, the ETH researchers adapt the technology to the context of contactless payments. The payment device and the terminal exchange unpredictable UWB pulses, thereby verifying their mutual proximity in a way that is secure even against a sophisticated attacker.
“With the near-field communication (NFC) technology currently used for contactless payments, the two criminals involved in a relay attack could be kilometers apart. Our UWB-based PURE protocol reduces possible relays to just about 50 centimeters, which makes it easy for a victim to become aware of the fraudsters”, says Coppola.
More secure and only slightly slower payments
Furthermore, PURE integrates smoothly into current standards for contactless payments. The parties involved in a transaction can use it without changing their backend systems. “In terms of security, PURE offers stronger guarantees than alternative relay protection mechanisms”, says Coppola. And the delay introduced by the two additional verification steps is negligible – only about 40 milliseconds – as the researchers showed in a prototype implementation on smartphones for the Mastercard payment network.
There’s one potential obstacle to the widespread adoption of PURE, though: Current contactless payment terminals aren’t equipped with UWB chips. The terminals would therefore need to be upgraded or phased out before PURE gets implemented on a large scale. However, there’s also the option of integrating PURE with currently available technology such as Apple’s Tap To Pay, which turns any iPhone into a payment terminal.
Coppola also points out that PURE is secure against a well-known type of attack that targets UWB ranging to falsify the distance between two devices. This attack, known as Ghost Peak, was demonstrated in 2022 by researchers from Srdjan Capkun’s group. “We were aware of this risk and have designed PURE to make it resistant to that sort of attack”, says Coppola.
Reference
Daniele Coppola, Giovanni Camurati, Claudio Anliker, Xenia Hofmeier, Patrick Schaller, David Basin, and Srdjan Capkun: PURE: Payments with UWB RElay-protection. 33rd USENIX Security Symposium, 15 August 2024. external pagePaper