Pricing data tampering in automated fare collection with NFC-equipped smartphones
Automated Fare Collection (AFC) systems have been globally deployed for decades, particularly in the public transportation network where the transit fee is calculated based on the length of the trip (a.k.a., distance-based pricing AFC systems). Although most messages of AFC systems are insecurely tr...
Saved in:
| Main Authors: | , , , , , , , |
|---|---|
| Other Authors: | |
| Format: | Article |
| Language: | English |
| Published: |
2021
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/151320 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| id |
sg-ntu-dr.10356-151320 |
|---|---|
| record_format |
dspace |
| spelling |
sg-ntu-dr.10356-1513202021-06-16T02:47:18Z Pricing data tampering in automated fare collection with NFC-equipped smartphones Dang, Fan Zhai, Ennan Li, Zhenhua Zhou, Pengfei Mohaisen, Aziz Bian, Kaigui Wen, Qingfu Li, Mo School of Computer Science and Engineering Engineering::Computer science and engineering Automated Fare Collection Near Field Communication Automated Fare Collection (AFC) systems have been globally deployed for decades, particularly in the public transportation network where the transit fee is calculated based on the length of the trip (a.k.a., distance-based pricing AFC systems). Although most messages of AFC systems are insecurely transferred in plaintext, system operators did not pay much attention to this vulnerability, since the AFC network is basically isolated from the public network (e.g., the Internet) - there is no way of exploiting such a vulnerability from the outside of the AFC network. Nevertheless, in recent years, the advent of Near Field Communication (NFC)-equipped smartphones has opened up a channel to invade into the AFC network from the mobile Internet, i.e., by Host-based Card Emulation (HCE) over NFC-equipped smartphones. In this paper, we identify a novel paradigm of attacks, called LessPay, against modern distance-based pricing AFC systems, enabling users to pay much less than what they are supposed to be charged. The identified attack has two important properties: 1) it is invisible to AFC system operators because the attack never causes any inconsistency in the back-end database of the operators; and 2) it can be scalable to affect a large number of users (e.g., 10,000) by only requiring a moderate-sized AFC card pool (e.g., containing 150 cards). To evaluate the efficacy of the attack, we developed an HCE app to launch the LessPay attack; and the real-world experiments demonstrate not only the feasibility of the LessPay attack (with 97.6 percent success rate) but also its low cost in terms of bandwidth and computation. Finally, we propose, implement and evaluate four types of countermeasures, and present security analysis and comparison of these countermeasures on defending against the LessPay attack. Ministry of Education (MOE) National Research Foundation (NRF) This work is supported by the National Key R&D Program of China under grant 2018YFB1004700, the High-Tech R&D Program of China (“863–China Cloud” Major Program) under grant 2015AA01A201, the National Natural Science Foundation of China (NSFC) under grants 61471217, 61432002 and 61632020. M. Li is supported by the Singapore MOE Tier-1 grant RG125/17, Tier-2 grant MOE2016-T2-2- 023, and NTU CoE grant M4081879. Aziz Mohaisen is supported by NSF under grant CNS-1643207 and NRF under grant NRF-2016K1A1A2912757. 2021-06-16T02:47:18Z 2021-06-16T02:47:18Z 2018 Journal Article Dang, F., Zhai, E., Li, Z., Zhou, P., Mohaisen, A., Bian, K., Wen, Q. & Li, M. (2018). Pricing data tampering in automated fare collection with NFC-equipped smartphones. IEEE Transactions On Mobile Computing, 18(5), 1159-1173. https://dx.doi.org/10.1109/TMC.2018.2853114 1536-1233 0000-0002-9949-6987 0000-0001-7286-122X 0000-0003-0136-6082 0000-0002-4278-2771 0000-0002-6047-9709 https://hdl.handle.net/10356/151320 10.1109/TMC.2018.2853114 2-s2.0-85049485874 5 18 1159 1173 en RG125/17 MOE2016-T2-2- 023 NRF-2016K1A1A2912757 M4081879 CNS-1643207 IEEE Transactions on Mobile Computing © 2018 IEEE. All rights reserved. |
| institution |
Nanyang Technological University |
| building |
NTU Library |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
NTU Library |
| collection |
DR-NTU |
| language |
English |
| topic |
Engineering::Computer science and engineering Automated Fare Collection Near Field Communication |
| spellingShingle |
Engineering::Computer science and engineering Automated Fare Collection Near Field Communication Dang, Fan Zhai, Ennan Li, Zhenhua Zhou, Pengfei Mohaisen, Aziz Bian, Kaigui Wen, Qingfu Li, Mo Pricing data tampering in automated fare collection with NFC-equipped smartphones |
| description |
Automated Fare Collection (AFC) systems have been globally deployed for decades, particularly in the public transportation network where the transit fee is calculated based on the length of the trip (a.k.a., distance-based pricing AFC systems). Although most messages of AFC systems are insecurely transferred in plaintext, system operators did not pay much attention to this vulnerability, since the AFC network is basically isolated from the public network (e.g., the Internet) - there is no way of exploiting such a vulnerability from the outside of the AFC network. Nevertheless, in recent years, the advent of Near Field Communication (NFC)-equipped smartphones has opened up a channel to invade into the AFC network from the mobile Internet, i.e., by Host-based Card Emulation (HCE) over NFC-equipped smartphones. In this paper, we identify a novel paradigm of attacks, called LessPay, against modern distance-based pricing AFC systems, enabling users to pay much less than what they are supposed to be charged. The identified attack has two important properties: 1) it is invisible to AFC system operators because the attack never causes any inconsistency in the back-end database of the operators; and 2) it can be scalable to affect a large number of users (e.g., 10,000) by only requiring a moderate-sized AFC card pool (e.g., containing 150 cards). To evaluate the efficacy of the attack, we developed an HCE app to launch the LessPay attack; and the real-world experiments demonstrate not only the feasibility of the LessPay attack (with 97.6 percent success rate) but also its low cost in terms of bandwidth and computation. Finally, we propose, implement and evaluate four types of countermeasures, and present security analysis and comparison of these countermeasures on defending against the LessPay attack. |
| author2 |
School of Computer Science and Engineering |
| author_facet |
School of Computer Science and Engineering Dang, Fan Zhai, Ennan Li, Zhenhua Zhou, Pengfei Mohaisen, Aziz Bian, Kaigui Wen, Qingfu Li, Mo |
| format |
Article |
| author |
Dang, Fan Zhai, Ennan Li, Zhenhua Zhou, Pengfei Mohaisen, Aziz Bian, Kaigui Wen, Qingfu Li, Mo |
| author_sort |
Dang, Fan |
| title |
Pricing data tampering in automated fare collection with NFC-equipped smartphones |
| title_short |
Pricing data tampering in automated fare collection with NFC-equipped smartphones |
| title_full |
Pricing data tampering in automated fare collection with NFC-equipped smartphones |
| title_fullStr |
Pricing data tampering in automated fare collection with NFC-equipped smartphones |
| title_full_unstemmed |
Pricing data tampering in automated fare collection with NFC-equipped smartphones |
| title_sort |
pricing data tampering in automated fare collection with nfc-equipped smartphones |
| publishDate |
2021 |
| url |
https://hdl.handle.net/10356/151320 |
| _version_ |
1703971245466320896 |