This application discloses an invention that is related, generally and in various embodiments, to a device, system and method for reducing and interaction time for a contactless transaction.
Contactless and wireless communication technologies have become more widespread in recent years. In the payment industry, contactless payments has a number of advantages over both traditional magnetic stripe technologies and contact-based chip payment protocols. For example, traditional payment contact cards are known to operate relatively slowly, and magnetic stripe cards are known to not be sufficiently secure. Each of these technologies further requires a slot in a terminal reader that must be maintained by a merchant.
Contactless payment does not require a slot in which to enter the card. The consumer retains control over the card and merely positions the card near the terminal reader whenever necessary. The traditional specifications adopted by the payment industry for contact-based chip payment generally require the consumer to position the card near the terminal reader at different times and/or for extended periods of time in order to complete a transaction. With both merchants and consumers desiring fast transaction times, contactless transactions executed in accordance with the traditional specifications fail to meet market requirements.
Merchants and consumers are also demanding the contactless transactions be more secure. Although more recently issued contactless magnetic stripe-based cards can be more secure than traditional magnetic stripe cards, such contactless magnetic stripe-based cards are typically designed only for online transactions. For contactless offline transactions executed in accordance with the traditional specifications, the transactions can be susceptible to various offline “man in the middle” types of attacks generally referred to as sleeve attacks, Trojan horse attacks, etc.
In one type of sleeve attack, a device intercepts data transmitted wirelessly from a card reader that is intended for a contactless card. The device alters the data and subsequently transmits the altered data to the card. Instead of receiving the data transmitted by the card reader, the card receives the altered data transmitted by the device. The card subsequently processes the altered data and transmits a message related to the altered data to the card reader. The card reader subsequently grants approval of the transaction based on information present in the message transmitted by the card. In another type of sleeve attack, a device intercepts data transmitted wirelessly from the card that is intended for the card reader. The device alters the data and subsequently transmits the altered data to the card reader. Instead of receiving the data transmitted by the card, the card reader receives the altered data transmitted by the device. The card reader subsequently processes the altered data and grants approval of the transaction based on information present in the altered data transmitted by the device. In other types of sleeve attacks, the device may cause a denial of service by not forwarding intercepted data to the card or the card reader.
In one type of Trojan horse attack, malicious software embedded in the card alters valid data prior to information being sent to the card reader. The card reader ultimately grants approval of the transaction based on the altered data. In another type of Trojan horse attack, malicious software embedded in the card reader alters valid data prior to the authorization process. The card reader ultimately grants approval of the transaction based on the altered data.
For a given offline transaction, a “man in the middle” attack may be utilized to reduce the amount of the transaction as ultimately recognized by the card and the card reader. For example, for a given offline transaction involving the purchase of goods from a merchant, the card reader may wirelessly transmit data intended for the card which indicates that the value of the transaction is equal to $15. However, prior to the data being received by the card, the device intercepts the data and alters the data so that the altered data indicates that the value of the transaction is equal to only $1. Upon receiving the approval, the merchant releases the goods with the belief that the approved transaction amount was equal to $15. The difference between the actual transaction amount and the reduced transaction amount may affect the amount ultimately received by the merchant from a card issuer.