1
00:00:06,570 --> 00:00:10,490
- In NFC, there's an element called the secure element

2
00:00:10,490 --> 00:00:12,870
and it's basically a secure microprocessor

3
00:00:12,870 --> 00:00:16,980
or a smart card chip that includes a cryptographic processor

4
00:00:16,980 --> 00:00:21,240
to facilitate the transaction authentication and security

5
00:00:21,240 --> 00:00:23,790
of those NFC transactions.

6
00:00:23,790 --> 00:00:25,780
It also provides secure memory

7
00:00:25,780 --> 00:00:27,693
for storing payment applications

8
00:00:27,693 --> 00:00:30,960
and can also support other types of secure transactions

9
00:00:30,960 --> 00:00:34,300
such as transit payment and ticketing,

10
00:00:34,300 --> 00:00:37,113
building access or secure identification.

11
00:00:38,930 --> 00:00:41,030
There's another entity called the acquirer

12
00:00:42,197 --> 00:00:43,220
and the acquirer is responsible

13
00:00:43,220 --> 00:00:46,820
for handling financial acquisitions in payment systems.

14
00:00:46,820 --> 00:00:50,570
That is, it facilitates the placement of the terminals

15
00:00:50,570 --> 00:00:51,730
at the retail locations

16
00:00:51,730 --> 00:00:54,310
and the communications of payment transactions

17
00:00:54,310 --> 00:00:58,120
to the payment networks for authorization and settlements.

18
00:00:58,120 --> 00:01:02,200
So to support NFC transactions, the acquirer terminals

19
00:01:02,200 --> 00:01:04,210
at the merchant customer location

20
00:01:04,210 --> 00:01:08,530
need to support NFC contactless transactions.

21
00:01:08,530 --> 00:01:11,780
Of course, you also have the actual payment network

22
00:01:11,780 --> 00:01:14,180
that facilitates the authorization processing

23
00:01:14,180 --> 00:01:18,270
and the settlement of bank card transactions.
24
00:01:18,270 --> 00:01:19,440
And of course, in the back end

25
00:01:19,440 --> 00:01:22,440
you have the actual bank that holds the funding account

26
00:01:22,440 --> 00:01:23,973
for the consumer payment.

27
00:01:24,880 --> 00:01:27,010
Here I'm showing the high level architecture

28
00:01:27,010 --> 00:01:30,478
of the NFC payment scheme for your reference.

29
00:01:30,478 --> 00:01:35,478
In NFC, you have different tags and to be exact

30
00:01:35,660 --> 00:01:38,660
there are four different tag types.

31
00:01:38,660 --> 00:01:42,490
Often a URL is embedded in an NFC tag

32
00:01:42,490 --> 00:01:46,410
and URLs take up only a small amount of memory

33
00:01:46,410 --> 00:01:50,790
which actually lowers the production cost of the NFC tags.

34
00:01:50,790 --> 00:01:54,970
And these tags can hold nearly any type of information

35
00:01:54,970 --> 00:01:58,161
depending on the memory that those tags have.

36
00:01:58,161 --> 00:02:03,161
So the more memory, the more expensive those tags can be.

37
00:02:05,380 --> 00:02:08,030
Let's review the actual NFC tag types.

38
00:02:08,030 --> 00:02:13,000
So type one, they have a collision protection

39
00:02:13,000 --> 00:02:17,080
and can be set to either read or rewrite

40
00:02:17,080 --> 00:02:19,770
or also read only mode.

41
00:02:19,770 --> 00:02:23,460
So read only programming prevents the information

42
00:02:23,460 --> 00:02:26,240
from being changed or altered.

43
00:02:26,240 --> 00:02:27,790
Then you also have type two,

44
00:02:27,790 --> 00:02:30,150
which also have data collision protection

45
00:02:31,019 --> 00:02:33,340
and also they can be re-writable or read only.

46
00:02:33,340 --> 00:02:36,610
And they start at 48 bytes of memory,

47
00:02:36,610 --> 00:02:41,015
which is half of the bytes that the type one tags

48
00:02:41,015 --> 00:02:42,660
can hold,

49
00:02:42,660 --> 00:02:47,660
but can expand to be as large as type one tags as well.
50
00:02:47,780 --> 00:02:50,320
So again, a little bit less memory,

51
00:02:50,320 --> 00:02:52,470
but the same functionality.

52
00:02:52,470 --> 00:02:54,840
Now, you also have type three tags,

53
00:02:54,840 --> 00:02:57,230
which are also equipped with data collision protection

54
00:02:57,230 --> 00:03:00,160
and have a larger memory footprint.

55
00:03:00,160 --> 00:03:05,063
And they also have faster speeds than tag types one and two.

56
00:03:06,170 --> 00:03:09,870
Then lastly you have type four NFC tags

57
00:03:09,870 --> 00:03:14,870
that can actually use either NFC-A or NFC-B communication

58
00:03:15,800 --> 00:03:18,180
and have data collision protection as well.

59
00:03:18,180 --> 00:03:21,310
And the tag is actually set to either be re-writable

60
00:03:21,310 --> 00:03:24,850
or read only whenever they are manufactured

61
00:03:24,850 --> 00:03:27,950
and the setting cannot be changed by the user.

62
00:03:27,950 --> 00:03:30,020
So unlike the other NFC tags

63
00:03:30,020 --> 00:03:33,460
which can be altered at a later date,

64
00:03:33,460 --> 00:03:36,670
these ones, at the moment that they're manufactured,

65
00:03:36,670 --> 00:03:38,320
are actually set either to read only

66
00:03:38,320 --> 00:03:40,190
or to be re-writable.

67
00:03:40,190 --> 00:03:42,490
Now, these type four NFC tags

68
00:03:42,490 --> 00:03:46,340
can hold 32 kilobytes of memory.

69
00:03:46,340 --> 00:03:50,530
And they're way faster than all the other previous tags.

70
00:03:50,530 --> 00:03:52,480
Now going back to NFC payments

71
00:03:52,480 --> 00:03:55,610
or any other NFC transaction attacks,

72
00:03:55,610 --> 00:03:59,860
there are several possible security attacks against NFC.

73
00:03:59,860 --> 00:04:03,230
So this includes eavesdropping, data corruption

74
00:04:03,230 --> 00:04:06,320
or modification, interception attacks

75
00:04:06,320 --> 00:04:08,620
and also physical thefts.
76
00:04:08,620 --> 00:04:11,610
Now eavesdropping is one of the most common concerns

77
00:04:11,610 --> 00:04:12,890
in NFC technology.

78
00:04:12,890 --> 00:04:16,530
So it occurs whenever a third party intercepts a signal

79
00:04:16,530 --> 00:04:18,250
between the two devices.

80
00:04:18,250 --> 00:04:21,680
And if that third party intercepted a data transmission

81
00:04:21,680 --> 00:04:24,930
between, let's say, a smartphone or credit card reader,

82
00:04:24,930 --> 00:04:28,620
then they can have access to that personal card information

83
00:04:28,620 --> 00:04:31,550
if they're not encrypted properly.

84
00:04:31,550 --> 00:04:33,890
They may also pick up on other personal information

85
00:04:33,890 --> 00:04:35,330
passed between the two smartphones

86
00:04:35,330 --> 00:04:37,390
or the two devices as well.

87
00:04:37,390 --> 00:04:41,370
So there are two methods that can prevent eavesdropping.

88
00:04:41,370 --> 00:04:45,670
So one is to maintain the range of the NFC itself

89
00:04:45,670 --> 00:04:48,510
at a very close proximity.

90
00:04:48,510 --> 00:04:51,480
And another way is to establish a secure channel.

91
00:04:51,480 --> 00:04:53,330
When the secure channel is established,

92
00:04:53,330 --> 00:04:55,320
the information is encrypted

93
00:04:55,320 --> 00:04:59,250
and only authorized devices can decode it.

94
00:04:59,250 --> 00:05:00,490
Now, another security concern

95
00:05:00,490 --> 00:05:03,230
is data manipulation or corruption.

96
00:05:03,230 --> 00:05:07,040
And this happens whenever the attacker or the third party

97
00:05:07,040 --> 00:05:10,600
intercepts the signal that is being sent

98
00:05:10,600 --> 00:05:13,670
between the two devices and changes it

99
00:05:13,670 --> 00:05:18,270
and then sends that information back to the victim.
100
00:05:18,270 --> 00:05:19,500
An interception attack

101
00:05:19,500 --> 00:05:21,960
is actually similar to data manipulation

102
00:05:21,960 --> 00:05:25,000
and an attacker can act as a middleman

103
00:05:25,000 --> 00:05:26,810
between two NFC devices

104
00:05:26,810 --> 00:05:30,110
and then receive and alter the information

105
00:05:30,110 --> 00:05:31,900
as it passes between them.

106
00:05:31,900 --> 00:05:36,360
And this type of attack is very difficult and less common.

107
00:05:36,360 --> 00:05:38,850
Now to prevent it, the devices should be

108
00:05:38,850 --> 00:05:41,150
in active/passive pairing.

109
00:05:41,150 --> 00:05:44,920
This means that only one device receives information

110
00:05:44,920 --> 00:05:46,360
and the other one sends the information,

111
00:05:46,360 --> 00:05:50,032
instead of both devices receiving and passing information

112
00:05:50,032 --> 00:05:51,282
simultaneously.

113
00:05:52,450 --> 00:05:54,850
Let's actually take a look at a case study

114
00:05:54,850 --> 00:05:57,100
of an NFC relay attack

115
00:05:57,100 --> 00:06:01,040
that was documented by an anonymous author

116
00:06:01,040 --> 00:06:05,070
in a white paper that I uploaded to our GitHub repository.

117
00:06:05,070 --> 00:06:08,600
In that paper, the author shows how to perform

118
00:06:08,600 --> 00:06:12,830
these relay attacks using Android devices.

119
00:06:12,830 --> 00:06:14,770
They prove the feasibility

120
00:06:14,770 --> 00:06:18,860
of using off the shelf NFC enabled Android devices

121
00:06:18,860 --> 00:06:20,530
with no custom firmware

122
00:06:20,530 --> 00:06:24,860
or even without requiring you to root the device.

123
00:06:24,860 --> 00:06:27,740
So I posted the details of that research

124
00:06:27,740 --> 00:06:29,270
in the GitHub repository

125
00:06:29,270 --> 00:06:33,103
that we have for the course for your reference.