
Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!


NFC Payments: The Art of Relay & Replay Attacks

Salvador Mendoza

4 vote(s)

In the last few years, digital payment methods have had an incredible adoption rate in consumer devices around the world. Many big companies are adding NFC (Near Field Communication) support to all sorts of devices to allow consumers to make monetary transactions. Some of these companies are protecting themselves by implementing tokenization as part of the payment technology. However, it is well documented that it is possible to bypass these technologies using simple mechanisms. With all these changes in the NFC ecosystem, the information security field is not well prepared to protect against the growing number of new attacks in this area.

Relay and replay attacks are becoming more common in the payment industry, and they are getting more complex and sophisticated day by day. We are not just seeing simple skimming techniques but complex attack vectors that combine technologies and implementations involving SDR (Software-Defined Radio), NFC, APDU (Application Protocol Data Unit), hardware emulation design, specialized software, tokenization protocols and social engineering.

In this talk, we will discuss what these attacks are and what kind of hardware or software could be used to implement them. We will also talk about how anyone already has the hardware necessary to carry out one of these attacks, or how for $35 someone can create a device to do so. In addition, we will show real scenarios where these technologies, combined with RFID (Radio Frequency Identification) emulation, could exploit any type of NFC transaction and, even worse, how the same attack methods could exploit new NFC implementations for years to come.

This talk uses exploitation hardware and demos; the presentation will include SDR communication, RFID emulation, APDU communication, and extraction of data from physical and digital cards.


Salvador Mendoza is a security researcher focusing on tokenization processes, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods at Black Hat USA, DEF CON 24/25, DerbyCon, Ekoparty, BugCON, Troopers and 8.8. Salvador has designed different tools to pentest mag-stripe and tokenization processes. His toolset includes MagSpoofPI, JamSpay, TokenGet, SamyKam, BlueSpoof and, lately, NFCopy.