Please use this identifier to cite or link to this item: https://hdl.handle.net/10356/151320
Title: Pricing data tampering in automated fare collection with NFC-equipped smartphones
Authors: Dang, Fan
Zhai, Ennan
Li, Zhenhua
Zhou, Pengfei
Mohaisen, Aziz
Bian, Kaigui
Wen, Qingfu
Li, Mo
Keywords: Engineering::Computer science and engineering
Issue Date: 2018
Source: Dang, F., Zhai, E., Li, Z., Zhou, P., Mohaisen, A., Bian, K., Wen, Q. & Li, M. (2018). Pricing data tampering in automated fare collection with NFC-equipped smartphones. IEEE Transactions On Mobile Computing, 18(5), 1159-1173. https://dx.doi.org/10.1109/TMC.2018.2853114
Project: RG125/17
MOE2016-T2-2-023
NRF-2016K1A1A2912757
M4081879
CNS-1643207
Journal: IEEE Transactions on Mobile Computing
Abstract: Automated Fare Collection (AFC) systems have been deployed worldwide for decades, particularly in public transportation networks where the transit fee is calculated from the length of the trip (so-called distance-based pricing AFC systems). Although most messages in AFC systems are transferred insecurely in plaintext, system operators have paid little attention to this vulnerability, since the AFC network is essentially isolated from public networks (e.g., the Internet), so there has been no way to exploit it from outside the AFC network. Nevertheless, in recent years the advent of Near Field Communication (NFC)-equipped smartphones has opened up a channel into the AFC network from the mobile Internet, namely Host-based Card Emulation (HCE) on NFC-equipped smartphones. In this paper, we identify a novel paradigm of attacks, called LessPay, against modern distance-based pricing AFC systems, enabling users to pay much less than they are supposed to be charged. The identified attack has two important properties: 1) it is invisible to AFC system operators, because the attack never causes any inconsistency in the operators' back-end database; and 2) it scales to affect a large number of users (e.g., 10,000) while requiring only a moderate-sized AFC card pool (e.g., 150 cards). To evaluate the efficacy of the attack, we developed an HCE app that launches the LessPay attack; real-world experiments demonstrate not only the feasibility of the LessPay attack (with a 97.6 percent success rate) but also its low cost in terms of bandwidth and computation. Finally, we propose, implement and evaluate four types of countermeasures, and present a security analysis and comparison of these countermeasures in defending against the LessPay attack.
URI: https://hdl.handle.net/10356/151320
ISSN: 1536-1233
DOI: 10.1109/TMC.2018.2853114
Rights: © 2018 IEEE. All rights reserved.
Fulltext Permission: none
Fulltext Availability: No Fulltext
Appears in Collections: SCSE Journal Articles