DocumentCode :
1616379
Title :
Mobile Payment Fraud: A Practical View on the Technical Architecture and Starting Points for Forensic Analysis of New Attack Scenarios
Author :
Kier, Christof ; Madlmayr, Gerald ; Nawratil, Alexander ; Schafferer, Michael ; Schanes, Christian ; Grechenig, Thomas
fYear :
2015
Firstpage :
68
Lastpage :
76
Abstract :
As payment cards and mobile devices are equipped with Near Field Communication (NFC) technology, electronic payment transactions at physical Point of Sale (POS) environments are changing. Payment transactions do not require the customer to insert their card into a slot of the payment terminal. The customer is able to simply swipe the payment card or mobile phone in front of a dedicated zone of the terminal to initiate a payment transaction. Secure Elements (SEs) in mobile phones and payment cards with NFC should keep sensitive application data in a safe place to protect it from abuse by attackers. Although hardware and the operating system of such a chip have to go through an intensive process of security testing, the current integration of such a chip in mobile phones easily allows attackers to access the information stored. In the following paper we present the implementation of two different proof-of-concept attacks. Out of the analysis of the attack scenarios, we propose various starting points for the forensic analysis in order to detect such fraudulent transactions. The presented concept should lead to fewer fraudulent transactions as well as protected evidence in case of fraud.
Keywords :
data protection; digital forensics; fraud; mobile computing; near-field communication; smart phones; transaction processing; NFC technology; POS environments; SE; attack scenarios; electronic payment transactions; forensic analysis; fraudulent transaction detection; information access; mobile devices; mobile payment fraud; mobile phone; near field communication technology; payment cards; payment terminal; physical point-of-sale environments; proof-of-concept attacks; secure elements; security testing; sensitive application data protection; Credit cards; Google; ISO Standards; Relays; Security; Smart phones; EMV Payment; Mobile Payment; NFC Transaction; Payment Fraud;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
IT Security Incident Management & IT Forensics (IMF), 2015 Ninth International Conference on
Conference_Location :
Magdeburg
Print_ISBN :
978-1-4799-9902-6
Type :
conf
DOI :
10.1109/IMF.2015.14
Filename :
7195807