Smartphones enabled with Near Field Communication (NFC) are increasingly used in the banking sector to improve the services offered to customers. This usage requires a security enhancement of the systems that employ this technology, such as Automated Teller Machines (ATMs). One example is the Color Wheel Personal Identification Number (CWPIN) security protocol, designed to authenticate users on ATMs using NFC-enabled smartphones without typing the PIN code directly. CWPIN has been compared in the literature to several other protocols and was considered easier to use, more cost-effective and more resistant to various attacks on ATMs such as card reader skimming, keylogger injection and shoulder surfing. Nevertheless, we demonstrate in this paper that CWPIN is vulnerable to the multiple video recordings intersection attack. We do so through concrete examples and a thorough analysis that reveals a high theoretical probability of attack success. A malicious party can use one or two hidden cameras to record the ATM and smartphone screens during several authentication sessions, then disclose the user's PIN code by intersecting the information extracted from the video recordings. In a more complex scenario, these video recordings could be obtained by malware injected into the ATM and the user's smartphone to record their screens during CWPIN authentication sessions. Our intersection attack requires a few recordings, usually three or four, to reveal the PIN code and can lead to unauthorized transactions if the user's smartphone is stolen. We also propose a mitigation of the identified attack through several modifications to the CWPIN protocol and discuss its strengths and limitations.