Practical and Formal Analysis Security of Contactless Mobile Payments

8 December 2021 @ 3:00 pm - 4:00 pm

Abstract: In this talk, we will look at the (in)security of contactless payments made via mobile apps. These systems are a composition of the mobile app (e.g., Samsung Pay, Apple Pay) and their underlying payment protocols provided via the card registered within (e.g., Visa, Mastercard, etc.). One added complexity also comes from the various “modes” in which the apps operate; for instance, there is a standard mode as well as transit/travel mode, in which the user authentication (via fingerprint or Face-ID) on the mobile device is forgone in order to provide better usability when paying at a metro/train ticketing gate. Primarily, we show that we can abuse this usability feature of Apple Pay in Travel Mode when set up with a Visa card. The abuse results in a fraudulent payment without user-authentication, of any value, to any point-of-sale, including points of sale that are not linked to transport companies. Also, we show that the same attack does not apply to Apple Pay with a Mastercard registered with it, or to Samsung Pay. We will explain the practical aspects of the attack, as well as some elements of formal security verification.

This work will be published at IEEE S&P 2022, and it is in collaboration with Andreea Ina Radu, Tom Chothia, Chris Newton and Liqun Chen. It is funded under the Timetrust project, which runs under the RISE research institute (https://www.ukrise.org/) funded by the NCSC and the EPSRC.

Attendance via Zoom (Meeting ID: 980 0624 1645, Passcode: kDxjd5dq)

Livestream via YouTube

YouTube VoD




Ioana Boureanu (University of Surrey)

Ioana is currently a Senior Lecturer at the University of Surrey, where she is also a Royal Society Leverhulme Fellow. Her main interests are formal analysis and cryptographic proofs for different secure systems. Her work has found applications chiefly in authenticated key exchange, proximity-checking, and payment systems. She acts as a PI on several EPSRC, NCSC and Royal Society funded projects, in which she is particularly interested in developing new tools for privacy and security verification. Finally, Ioana is the Deputy Director of Surrey’s NCSC-certified Academic Centre of Cyber Security Research (ACE CSR) and the Academic Centre of Cyber Security Education (ACE CSE).
