
This article is more than 1 year old

Mastercard armours its contactless cards against relay attacks

Rest of industry still sitting on its hands over 9-year-old threat

Elements of the payment card industry have introduced a new contactless payment card security feature, designed to defend against relay attacks.

Relay attacks were first demonstrated nine years ago by computer scientists Saar Drimer and Steven Murdoch.

The pair also suggested how the security flaw can be mitigated using a technique called distance bounding. Mastercard has taken up this defence, meaning its cards (at least) are protected.

“Finally the banks are now implementing this defence, though only for contactless cards (as they are more vulnerable than the contact Chip and PIN cards that were available in 2007), and so far only for MasterCard cards,” Murdoch told El Reg.

Murdoch says that although the relay attack is real, it’s unclear whether fraud based on the security weakness has actually taken place.

“I’m not aware of any confirmed cases, other than academic experiments. However, unless this were a widespread fraud, I don’t think I would have heard about it even if it had happened,” Murdoch explained.

“There have been bank customers who have come to me or colleagues to say that they have been refused a refund for a Chip and PIN transaction that they said did not take place. In some of these cases it might have been a relay attack, but in almost every case it is never established what happened.”

“The banks have taken the position that a relay attack is unlikely and since the decision of whether a bank refunds the customer is based on the most likely explanation, the bank always presents another scenario as being the most likely (normally customer negligence),” he added.

Murdoch only found out that MasterCard had moved to defend against the relay attack because he regularly looks at the EMVCo specifications and noticed this change.

“While the new feature is far from a secret, I don’t think MasterCard are drawing attention to it,” he explained. “Now that the MasterCard specification is out I am sure the other card schemes have considered what they will do, but I have no indication of a decision.”

The security researcher has put together an article on Mastercard’s move and relay attacks more generally for the University College London information security group’s Bentham's Gaze blog, which can be found here.

Pass the baton: Relay attack [source: UCL blog post]

 
