Security Assessment and Attack Techniques in RFID Payment Technologies
PADOAN, GIANCARLO
2024/2025
Abstract
As contactless payment systems become increasingly integrated into everyday life, ensuring their security is more important than ever. Despite their convenience, RFID-based payment technologies may harbor vulnerabilities that can be exploited by attackers. This thesis presents a practical security assessment of Mifare Classic 1K tags, which are still widely used in legacy systems. Using the Proxmark3 device, a full tag cloning process was executed, enabling both double-spending and replay attacks, and exposing critical weaknesses in the proprietary CRYPTO1 cryptographic protocol. The analysis confirms that real-world attacks are not only feasible but also relatively accessible. Furthermore, the study demonstrates that even newer counterfeit-resistant mechanisms can be effectively bypassed. The thesis concludes by discussing possible countermeasures and design improvements to enhance the resilience of legacy RFID-based payment systems and better protect future deployments.

| File | Size | Format |
|---|---|---|
| Padoan_Giancarlo.pdf (embargoed until 22/07/2026) | 27.49 MB | Adobe PDF |
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.
https://hdl.handle.net/20.500.12608/89365