Mobile contactless payments have grown exponentially and Host Card Emulation (HCE) – the possibility to emulate payment cards on a mobile device, without dependency on special Secure Element hardware – has also boosted the number of applications.
During his talk at HITBSecConf2017 in Amsterdam tomorrow, Slawomir Jasek, a Senior IT Security Consultant at SecuRing, will reveal the details of research which demonstrated that it’s possible to copy mobile contactless card data, enrol it to another phone, and use it for payment.
HCE support for Android is usually delivered as an external, certified “black-box” library to compile in your application. Obviously vendors promise the highest level of security – including: card data tokenization, device fingerprinting, code obfuscation, additional authorization, etc. For mobile payments, they often successfully convince the implementing bank that it is technically impossible to clone a virtual card.
Mobile payment card cloning: What’s the risk?
In order to access card data stored on a device, the attacker needs to obtain root access. Additionally, each implementation uses different security countermeasures, and thus requires individual effort to exploit them. After having successfully cloned the card, the attacker can make contactless payments using his own device.
Any application that uses HCE (Host Card Emulation) technology is at risk, which means Android and Windows Phone mobile contactless payments applications. iOS uses a hardware element (so called Secure Element) for storing and accessing card data. It works like a tiny HSM, so stealing payment card data is much more difficult.
Payment providers and banks deploying HCE technology in their mobile payment solutions should be aware of this risk, test their systems against a card cloning attack scenario, and take additional countermeasures such as device scoring, malware detection, integrity protections and server side fraud detection.
HCE card clonning is possible “by design” and it’s a result of implementing card data storage in the software. That’s why it’s not possible to completely prevent the cloning.
Video: Attack scenario
The PoC video below shows such an attack scenario for Android Pay, but researchers claim an attack is also possible for other payment applications. General HCE cloning techniques are always similar, but there are significant differences between the attacked applications due to different countermeasures and obstacles for each of the researched applications, such as device fingerprinting and integrity protection.
Due to these differences, the cloning process is not universal and it is difficult to perform a mass scale attack working out of the box for all implementations. But still, mobile malware could leverage the cloning possibility and adapt to a certain payment application, just like when it comes to banking malware.
It’s important to note that the PoC was aimed only at verifying the possibility of cloning card data and making a single, low amount transaction. Researchers have not tested the effectiveness of potential fraud detection mechanisms in case of a higher volume of transactions.