All You Can Eat or Breaking a Real-World Contactless Payment System
Timo Kasper, Michael Silbermann, Christof Paar
Financial Cryptography and Data Security, 10 January 25-28, 2010, to be published in Springer LNCS.
We investigated a real-world contactless payment application based on mifare Classic cards. In order to analyze the security of the payment system, we combined previous cryptanalytical results and implemented an improved card-only attack with customized low-cost tools, that is to our knowledge the most efficient practical attack to date. We found several flaws implying severe security vulnerabilities on the system level that allow for devastating attacks including identity theft and recharging the amount of money on the cards. We practically verify and demonstrate the attacks on the commercial system.[pdf] [bib]