Computing Science. Tap-Tap and Pay (TTP): Preventing Man-In-The-Middle Attacks in NFC Payment Using Mobile Sensors.




The reader-and-ghost attack is a real concern in mobile NFC payment applications. A malicious reader relays the user's NFC-enabled mobile phone to a remote legitimate reader to charge a higher amount than the user expects to pay. Using an NFC shield cannot prevent the attack, since the user consciously initiates the NFC payment, though without realizing that the reader is controlled by an attacker. Recent solutions generally involve using ambient sensors to measure properties of the surrounding environment to ensure that the NFC-enabled phone and the reader are at nearby locations. Unfortunately, all these solutions fail completely once the attacker's reader and the legitimate reader are located in the same or a similar physical environment. In this paper, the authors propose the first and currently the only viable technical solution to defeat the reader-and-ghost attack even when the attacker's reader and the legitimate one are located in the same physical environment. Their solution is called 'Tap-Tap and Pay' (TTP). It works by asking the user to physically tap the reader twice in succession to initiate an NFC payment. The physical tapping causes random but correlated vibrations at both devices, which are hard to forge (or reproduce) and can be reliably measured by accelerometers. Accordingly, the authors design the TTP protocol such that the NFC transaction will proceed only if the two vibration signals are found to be sufficiently similar. Compared with previous solutions, theirs is fast, simple to use, easy to deploy, and above all, prevents attacks even if the attacker's reader and the legitimate one are located in the same environment.
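The similarity gate the abstract describes can be sketched as follows. This is an added example, not code from the report: the abstract does not say which similarity measure TTP uses, so peak normalized cross-correlation, the 0.7 threshold, the lag window and the synthetic double-tap traces are all assumptions made here for illustration.

```python
import math
import random

def ncc_peak(a, b, max_lag):
    """Peak normalized cross-correlation of two traces over +/- max_lag samples."""
    def unit(x):
        mean = sum(x) / len(x)
        centered = [v - mean for v in x]
        energy = math.sqrt(sum(v * v for v in centered)) or 1.0
        return [v / energy for v in centered]
    a, b = unit(a), unit(b)
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):  # tolerate small clock offsets
        s = sum(a[i] * b[i + lag] for i in range(len(a)) if 0 <= i + lag < len(b))
        best = max(best, s)
    return best

def authorize(phone, reader, threshold=0.7, max_lag=10):
    """Let the NFC transaction proceed only if the traces are similar enough.
    threshold and max_lag are assumed values, not taken from the report."""
    return ncc_peak(phone, reader, max_lag) >= threshold

def tap_trace(rng, taps, n=200, noise=0.03, shift=0):
    """Constructed accelerometer trace: one decaying oscillation per
    (start, amplitude, frequency) tap, plus Gaussian sensor noise."""
    out = [rng.gauss(0, noise) for _ in range(n)]
    for start, amp, freq in taps:
        for k in range(40):
            i = start + shift + k
            if 0 <= i < n:
                out[i] += amp * math.exp(-k / 8.0) * math.sin(freq * k)
    return out

def demo():
    rng = random.Random(7)  # fixed seed so the constructed data is repeatable
    taps = [(50, 1.0, 0.9), (110, 0.8, 1.1)]
    phone = tap_trace(rng, taps)
    # Reader that was physically tapped: same taps, 3-sample clock offset.
    same_reader = tap_trace(rng, taps, shift=3)
    # Legitimate reader at the far end of a relay: it felt different taps.
    remote_reader = tap_trace(rng, [(75, 0.9, 1.6), (150, 1.0, 0.5)])
    return authorize(phone, same_reader), authorize(phone, remote_reader)

if __name__ == "__main__":
    print(demo())
```

Because the comparison is on the vibration itself rather than on ambient conditions, two readers sharing one environment still produce different traces unless both felt the same taps.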


