Threat Category: NFC-based
ID: PAY-0
Threat Description: Certain NFC implementations may be vulnerable to relay attacks, which is where an attacker relays messages between two parties, similar to a proxy. This could be especially dangerous in NFC payment solutions, such as Apple Pay and Google Pay.
Threat Origin
iOS Security: iOS 9.3 and Later 1
Exploit Examples
Practical NFC peer-to-peer relay attack using mobile phones. 2
CVE Examples
Not Applicable
Possible Countermeasures
To reduce opportunity for this attack, disable NFC when that feature is not in use.
To avoid this attack, do not activate - or if no longer in use, deactivate - native mobile payment features, such as Apple Pay.
To prevent this attack, ensure native payment services (e.g. Apple Pay) are configured to require user interaction to complete any contactless payment transaction.
References
iOS Security: iOS 9.3 or later, white paper, Apple, 2016. www.apple.com/business/docs/iOS_Security_Guide.pdf [accessed 8/24/16]. ↩
L. Francis et al., “Practical NFC peer-to-peer relay attack using mobile phones”, in Proceedings of the 6th International Conference on Radio Frequency Identification: Security and Privacy Issues, 2010, pp. 35-49; https://eprint.iacr.org/2010/228.pdf [accessed 8/24/2016] ↩