Challenge-response mutual authentication protocol for EMV contactless cards
Computers & Security (IF 4.8), Pub Date: 2021-01-08, DOI: 10.1016/j.cose.2021.102186
Ossama Al-Maliki, Hisham Al-Assam

Europay, MasterCard and Visa (EMV) is the most popular payment protocol, with almost 7.1 billion EMV-based credit and debit cards around the world. This payment protocol supports different kinds of payment transactions such as Chip & PIN, Chip & signature, contactless card, and mobile payment transactions. This paper focuses on EMV contactless card transactions and highlights one vulnerability of such transactions that allows attackers to gain access to most of the EMV card's sensitive information using off-the-shelf hardware and software. In the EMV card payment protocol, the EMV card must authenticate itself as a genuine card to the Point of Sale (POS) in each transaction, while the POS does not authenticate itself to the card. An attacker can take advantage of such vulnerabilities in the EMV specifications, especially in contactless cards, due to the wireless connectivity between the cards and POSs. In this paper, we propose a cost-effective mutual-authentication solution that relies on two-way challenge-response between EMV contactless cards and POSs in order to prevent sniffing attacks launched by NFC-enabled readers or smartphones. To demonstrate the viability of the proposed authentication protocol, we present a Java framework that illustrates the practicality of the proposed solution. The paper argues that the proposed protocol can be easily integrated into the EMV infrastructure with minor changes at the personalization and transaction phases.




Updated: 2021-01-28