Researchers funded by the National Science Foundation have developed a method to secure retail transactions using small samples of audio to authenticate devices equipped with Near-Field Communication (NFC) technology.
The sound-detection technology uses the simple notion of context. With NFC technology, context means the NFC-enabled device and the reader that collects the data from the device must be in close proximity to one another.
The researchers are matching audio recorded in real-time by the devices to ensure they are in the same vicinity as a means to prevent so-called relay attacks, which trick users into approving purchases they did not intend to make.
The so-called “mafia fraud” attacks relay NFC transaction approval data from one reader to another, allowing hackers to approve purchases while the device owner gets stuck with the bill.
“We make use of the ambient characteristics of the environment where the devices lie,” said Nitesh Saxena, an assistant professor in the University of Alabama at Birmingham’s Computer and Information Sciences department and director and founder of the university’s Security and Privacy In Emerging Computing and Networking Systems (SPIES) research group. “We are saying if the devices are close then the environment’s [sound] characteristics should be the same.”
Two attackers have to work in sync while the intended victim is executing the NFC transaction. While it sounds complex, Saxena says it is a well-known attack in the security community and has been proven out in chip-and-pin credit card systems.
“[Securing the transaction] is a hard problem,” says Saxena. “Even if you do cryptography, you cannot protect against it. What is happening is you are relaying data and the user is approving the transaction.”
Last week, the project leaders presented a paper, entitled Secure Proximity Detection for NFC Devices based on Ambient Sensor Data, at the annual European computer security research event ESORICS.
The paper was co-authored with Tzipora Halevi, Saxena’s former Ph.D. student at the Polytechnic Institute of New York University; Di Ma, a faculty member at the University of Michigan-Dearborn; and Tuo Xiang, a Ph.D. student at the University of Michigan-Dearborn. Also, additional research was conducted by UAB students Sam Cleveland and Chatchai Satienpattanakul.
The audio detection works by recording a few seconds of ambient sound using microphones embedded in each device while the devices are communicating. Before the transaction is approved, the sound clips are compared to validate the devices are in the same location.
The research found that audio detection rates were 100% accurate.
And the beauty of the technology is that end-users do nothing outside of the normal flow of an NFC transaction. Software embedded or added on to their digital wallet records sound using the device’s built-in microphone. The audio clip is sent along with the user’s NFC data. On the back-end, the NFC reader needs a microphone, and software must be installed on the system used by a bank to approve an NFC-based transaction.
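The comparison step described above can be sketched as follows. This is an added example, not code from the researchers or the paper: the article does not say how the clips are compared, so the peak normalized cross-correlation, the 0.5 threshold, the function names and the synthetic noise "recordings" are all assumptions.

```python
import math
import random

def normalize(x):
    """Return a zero-mean, unit-energy copy of a list of samples."""
    mean = sum(x) / len(x)
    centered = [v - mean for v in x]
    energy = math.sqrt(sum(v * v for v in centered)) or 1.0
    return [v / energy for v in centered]

def max_xcorr(a, b, max_lag):
    """Peak |normalized cross-correlation| over lags -max_lag..max_lag.

    Searching over lags tolerates the two recordings not starting at
    exactly the same instant.
    """
    a, b = normalize(a), normalize(b)
    n = min(len(a), len(b))
    best = 0.0
    for lag in range(-max_lag, max_lag + 1):
        lo, hi = max(0, -lag), min(n, n - lag)
        best = max(best, abs(sum(a[i] * b[i + lag] for i in range(lo, hi))))
    return best

def same_location(device_clip, reader_clip, threshold=0.5, max_lag=40):
    """Back-end decision (assumed rule): approve only if the clips correlate strongly."""
    return max_xcorr(device_clip, reader_clip, max_lag) >= threshold

def record(ambient, start, length, rng, mic_noise=0.3):
    """Constructed microphone: a window of ambient sound plus sensor noise."""
    return [ambient[start + i] + rng.gauss(0, mic_noise) for i in range(length)]

def constructed_clips(seed=7):
    """Build sample clips (constructed data, not real recordings)."""
    rng = random.Random(seed)
    restaurant = [rng.gauss(0, 1) for _ in range(1200)]
    jewelry_store = [rng.gauss(0, 1) for _ in range(1200)]
    phone = record(restaurant, 20, 1000, rng)           # victim's device
    honest_reader = record(restaurant, 0, 1000, rng)    # same room, 20-sample skew
    relay_reader = record(jewelry_store, 0, 1000, rng)  # reader at the other site
    return phone, honest_reader, relay_reader

if __name__ == "__main__":
    phone, honest_reader, relay_reader = constructed_clips()
    print("same room:", same_location(phone, honest_reader))
    print("relayed:  ", same_location(phone, relay_reader))
```

The device and a reader in the same room score high despite the clock skew and independent microphone noise, while the clip from the second location does not correlate, so the relayed approval is rejected.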
The attack is carried out using a compromised reader that transmits the device user’s payment approval data to a second reader in a different location. For example, the compromised reader may be in a restaurant and the second in a jewelry store.
The payment approval is received by the reader in the jewelry store and it sends a confirmation back to the compromised reader in the restaurant, which sends it to the end-user’s device. So the attacker in the jewelry store leaves with his merchandise and the victim in the restaurant ends up with the bill (in addition to his food tab).
The audio-detection security technique could prove valuable to consumer confidence in NFC technology. Juniper Research estimates that mobile payments, which include mobile shopping, money transfers, and NFC transactions, will reach $670 billion in the next three years.
Saxena and his students are collaborating with Google and working with the company’s Wallet technology, and the group has developed the audio-matching software banks would need to run on their systems.
“We are looking to take it to the next level,” said Saxena.
The group is also looking at other detection methods such as light and extending the sensor concept to RFID technology and smart cards.
“It is very interesting that these physical characteristics could be utilized with these digital characteristics,” said Saxena. “They are hard to manipulate and that is the very interesting aspect.”