Security Analysis of Mobile Payment Systems
Author(s): Kumar, Atul (2015)
Abstract:
Mobile payments have evolved from mobile banking to contactless payment, which uses radio communication technology. NFC has enabled mobile devices to emulate contactless cards either with a hardware-based Secure Element (SE) or with a software-based approach, i.e. Host Card Emulation (HCE). We provide a detailed comparison between the different forms of SE. We provide an analysis of HCE and of a security mechanism implemented in Android 4.4 and above, which turns off the NFC controller and application controller when the device display screen is disabled, in order to prevent device skimming. We present a flaw in the design of the implementation of this security mechanism and provide a proof-of-concept for it. In addition, we present different attack vectors, such as man-in-the-middle and denial-of-service attacks, for HCE-based applications. We also provide an analysis of the Vodafone NFC SIM card payment solution and describe the different components involved, and we present different attack vectors, such as spoofing and relay attacks, against that solution. Finally, we propose two countermeasures for relay attacks, both based on a challenge-response protocol.
Document(s):
Kumar_MA_SCS.pdf