Abstract

Europay, MasterCard and Visa (EMV) is the most popular payment protocol, with almost 7.1 billion EMV-based credit and debit cards around the world. The protocol supports different kinds of payment transactions, such as Chip & PIN, Chip & signature, contactless card, and mobile payment transactions. This paper focuses on EMV contactless card transactions and highlights one vulnerability of such transactions that allows attackers to gain access to most of the sensitive information on an EMV card using off-the-shelf hardware and software. In the EMV card payment protocol, the card must authenticate itself as genuine to the Point of Sale (POS) in each transaction, but the POS does not authenticate itself to the card. An attacker can take advantage of such vulnerabilities in the EMV specifications, especially with contactless cards, because of the wireless connectivity between cards and POSs. In this paper, we propose a cost-effective mutual-authentication solution that relies on a two-way challenge-response between EMV contactless cards and POSs in order to prevent sniffing attacks launched by NFC-enabled readers or smartphones. To demonstrate the viability of the proposed authentication protocol, we present a Java framework that illustrates the practicality of the solution. The paper argues that the proposed protocol can be easily integrated into the EMV infrastructure with minor changes at the personalization and transaction phases.
