Mobile device experts estimate payments using Near Field Communication (NFC)-equipped cell phones will account for $240 billion in spending worldwide in 2012 and more than $670 billion by 2015.
But researchers worry the current systems are insecure and vulnerable to attack by criminals. That worry may soon go by the wayside, as researchers at the University of Alabama at Birmingham have created a verification mechanism that addresses the security weaknesses of NFC — a form of radio-frequency identification (RFID) — and helps prevent theft of personal and financial information from mobile devices.
Nitesh Saxena, Ph.D., is director and founder of UAB’s Security and Privacy In Emerging Computing and Networking Systems research group, better known as SPIES. His team developed software that can determine the distance between a valid transaction reader and a valid NFC phone, thus preventing “ghost and reader” attacks.
In these attacks, a fraudster intercepts a consumer’s account information during a legitimate transaction (at a restaurant, for instance) and relays it to a confederate making a purchase at a different location (such as a jewelry store). The consumer’s account ends up charged for both items; by the time they discover the fraud, the criminals have escaped. Researchers have previously demonstrated the feasibility of such attacks against the “chip-and-PIN” credit cards used extensively in Europe.
The system developed by UAB researchers can prevent these attacks by using a brief snippet of audio from the surrounding environment to confirm the user’s phone is physically close to the reader. “If the audio signal between the phone and the receiver does not match, then the transaction is rejected,” said Saxena, an assistant professor in the UAB Department of Computer and Information Sciences and a member of UAB’s Center for Information Assurance and Joint Forensics Research.
Saxena’s team used two Nokia N97 cellphones in the project, with one simulating an RFID tag and the other simulating an RFID reader. The researchers recorded audio samples at seven locations, including retail stores and fast-food restaurants. Each test group used five pairs of one-second recording segments.
“The efficiency of the product relies on the fact that once the software is trained, the bank server only needs to calculate the similarity between two signals and compare them to a specific threshold,” Saxena said. “We had zero false acceptances and zero false rejections in our initial testing, so I would say the system is very robust to errors as well as attacks.”
Consumers would only need to download an app that records and sends data to their financial institution, Saxena said. The system also depends on a microphone, but, as Saxena points out, every cellphone already has one built in. Institutions will need to implement a detection algorithm in their servers, but consumers can receive maximum protection with minimal effort, he said.
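The server-side check described above, as an added illustration that is not the UAB team's software: two one-second recordings are compared and the transaction is rejected when their similarity falls below a threshold. The article does not name its similarity metric, so the normalized cross-correlation, the 0.5 threshold, the lag tolerance and the synthetic "ambient sound" are all assumptions constructed here.

```python
import math
import random

SAMPLE_RATE = 800  # samples per simulated second (kept small for speed)
THRESHOLD = 0.5    # assumed accept/reject threshold on the similarity score
MAX_LAG = 8        # assumed tolerance for clock offset between devices, in samples


def ambient_sound(seed, n=SAMPLE_RATE):
    """Constructed stand-in for what a microphone hears at one location."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def record(sound, mic_seed, noise=0.3):
    """Each device hears the same sound through its own microphone noise."""
    rng = random.Random(mic_seed)
    return [s + rng.gauss(0.0, noise) for s in sound]


def _normalize(x):
    mean = sum(x) / len(x)
    centred = [v - mean for v in x]
    norm = math.sqrt(sum(v * v for v in centred)) or 1.0
    return [v / norm for v in centred]


def similarity(a, b, max_lag=MAX_LAG):
    """Peak normalized cross-correlation over a small lag window, in [0, 1]."""
    a, b = _normalize(a), _normalize(b)
    best = 0.0
    for lag in range(-max_lag, max_lag + 1):
        dot = sum(a[i] * b[i + lag] for i in range(len(a)) if 0 <= i + lag < len(b))
        best = max(best, abs(dot))
    return best


def accept_transaction(reader_clip, phone_clip, threshold=THRESHOLD):
    """Bank-server decision: accept only if both clips share the same ambience."""
    return similarity(reader_clip, phone_clip) >= threshold


if __name__ == "__main__":
    restaurant, jewelry_store = ambient_sound(1), ambient_sound(2)
    # Legitimate purchase: phone and reader sit in the same restaurant.
    print("legitimate:", accept_transaction(record(restaurant, 10), record(restaurant, 11)))
    # Relay ("ghost and reader") attack: the reader is in a jewelry store while
    # the victim's phone is still in the restaurant, so the ambience differs.
    print("relayed:   ", accept_transaction(record(jewelry_store, 12), record(restaurant, 11)))
```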
“This is a rare security method that does not require the consumer to do anything to protect their identity or their financial data,” Saxena said. “The system we designed will significantly raise the bar against ‘ghost and reader’ attacks without negatively affecting the current usage model.”