Security and Privacy Implications of NFC-enabled Contactless Payment Systems

Cited by: 17
Authors
Akinyokun, Nicholas [1]
Teague, Vanessa [1]
Affiliations
[1] Univ Melbourne, Sch Comp & Informat Syst, Melbourne, Vic, Australia
Source
PROCEEDINGS OF THE 12TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY (ARES 2017) | 2017
Keywords
Near Field Communication; NFC technology; contactless payments; mobile payments; mobile wallets; ATTACKS
DOI
10.1145/3098954.3103161
Chinese Library Classification number
TP [Automation technology, computer technology]
Discipline classification code
0812
Abstract
Nowadays, contactless payments are becoming increasingly common as new smartphones, tablets, point-of-sale (POS) terminals and payment cards (often termed "tap-and-pay" cards) are designed to support Near Field Communication (NFC) technology. However, as NFC technology becomes pervasive, there have been concerns about how well NFC-enabled contactless payment systems protect individuals and organizations from emerging security and privacy threats. In this paper, we examine the security of contactless payment systems by considering the privacy threats and the different adversarial attacks that these systems must defend against. We focus our analysis on the underlying trust assumptions, security measures and technologies that form the basis on which contactless payment cards and NFC-enabled mobile wallets exchange sensitive transaction data with contactless POS terminals. We also explore the EMV and ISO standards for contactless payments and disclose their shortcomings with regards to enforcing security and privacy in contactless payment transactions. Our findings shed light on the discrepancies between the EMV and ISO standards, as well as how card issuing banks and mobile wallet providers configure their contactless payment cards and NFC-enabled mobile wallets based on these standards, respectively. These inconsistencies are disconcerting as they can be exploited by an adversary to compromise the integrity of contactless payment transactions.
Pages: 10