Abstract:
The fostering of NFC in everyday tasks and with growth in applications involving contactless
transactions based on NFC; there is a requirement from users and industry to address the
security issues affecting mobile payments. The current NFC security standards ECMA-385
and ECMA-386 are inadequate to address most of the security concerns such as privacy
infringements, unauthorized access to financial data, theft of mobile data exchanged between
terminal and mobile device. By considering the current and future security requirements, we
designed a NFC based security protocol for financial applications, which addresses security
requirements holistically and provides local and remote mutual authentication,
confidentiality, integrity and non-repudiation. It is based on some common and extended
security features which help to increase the reliability of NFC based systems. After
designing, we verified our protocol using formal verification tools like Scyther and
established our designed protocol resists against spoofing attack, man-in-the-middle attack,
replay and skimming attacks. It ensures the secrecy of transaction data, privacy of the users
and also ensures that only authenticated and authorized NFC device holder and PoS terminals
are securely exchanging financial data to perform the transaction. As a proof of concept, we
implemented our solution using Java Technology for Android based NFC mobile devices and
successfully deployed it in our local environment to test its correctness and behavior. We
also provided a comprehensive comparison of our protocol with other NFC based financial
protocols. We found that the mutual authentication, confidentiality, integrity, authorization
and non-repudiation services help to protect against most of the security attacks related to
mobile financial transactions. Since this protocol is flexible, generalized and reliable, so the
whole system is not depended on the third parties and any prior knowledge.
