UAB system improves mobile payment security, protects personal info

New security mechanism uses proximity-detection approach to prevent “mafia fraud” attacks, theft of financial information.

Nitesh_Saxena_s

Mobile device experts estimate that payments using Near Field Communication-equipped cellphones will account for $240 billion in spending worldwide in 2012 and more than $670 billion by 2015. But many researchers are concerned that the current systems are insecure and vulnerable to attack by criminals. Researchers at the University of Alabama at Birmingham have created a verification mechanism that will eliminate the security weaknesses of NFC — a form of radio-frequency identification, or RFID — and help prevent theft of personal and financial information from mobile devices.

Nitesh Saxena, Ph.D., is director and founder of UAB’s Security and Privacy In Emerging Computing and Networking Systems research group, better known as SPIES. His team developed software that can determine the distance between a valid transaction reader and a valid NFC phone, thus preventing “ghost and reader” attacks, also known as “mafia fraud” attacks.

In these attacks, a fraudster intercepts a consumer’s account information during a legitimate transaction (at a restaurant, for instance) and relays it to a confederate making a purchase at a different location (such as a jewelry store). The consumer’s account is charged for both items; by the time the fraud is revealed the criminals have escaped. Researchers have previously demonstrated the feasibility of such attacks against the “chip-and-PIN” credit cards used extensively in Europe.

The system developed by UAB researchers can prevent these attacks by using a brief snippet of audio from the surrounding environment to confirm that the user’s phone is physically close to the reader. “If the audio signal between the phone and the receiver does not match, then the transaction is rejected,” says Saxena, an assistant professor in the UAB Department of Computer and Information Sciences and a member of UAB’s Center for Information Assurance and Joint Forensics Research.

The system developed by UAB researchers can prevent these attacks by using a brief snippet of audio from the surrounding environment to confirm that the user’s phone is physically close to the reader.

The results are highlighted in a paper titled “Secure Proximity Detection for Near Field Communication Devices based on Ambient Sensor Data” that is being presented at the European Symposium on Research in Computer Security today. Saxena’s team used two Nokia N97 cellphones in the project, with one simulating an RFID tag and the other simulating an RFID reader. The researchers recorded audio samples at seven locations, including retail stores and fast-food restaurants. Each test group used five pairs of one-second recording segments.

“The efficiency of the product relies on the fact that once the software is trained, the bank server only needs to calculate the similarity between two signals and compare them to a specific threshold,” says Saxena. “We had zero false acceptances and zero false rejections in our initial testing, so I would say the system is very robust to errors as well as attacks.”

Consumers would only need to download an app that records and sends data to their financial institution, Saxena explains. The system also requires microphones to work, but as Saxena points out, every cellphone already has a built-in microphone. Institutions will need to implement a detection algorithm in their servers, but consumers can receive maximum protection with minimal effort, he says.

“This is a rare security method that does not require the consumer to do anything to protect their identity or their financial data,” says Saxena. “The system we designed will significantly raise the bar against ‘ghost and reader’ attacks without negatively affecting the current usage model.”

The paper was co-authored with Tzipora Halevi, Saxena’s former Ph.D. student at the Polytechnic Institute of New York University; Di Ma, a faculty member at the University of Michigan-Dearborn; and Tuo Xiang, a Ph.D. student at the University of Michigan-Dearborn. Additional research was provided by UAB students Sam Cleveland and Chatchai Satienpattanakul. The research was funded by the National Science Foundation.