Project Brief: An Investigation into the Vulnerabilities of Near Field Communication Contactless Transactions

Bournemouth University, 1/1/2013

Massimo Salvato

Final Year Dissertation

Upload: massimo-salvato

Post on 14-Apr-2017


Table of Contents

1. Revision History
2. Purpose
3. Methodology
4. Derivation
5. Quality Criteria
   5.1. Tools
   5.2. Quality Assurers
6. Project Definitions
   6.1. Background
   6.2. Project Aims
   6.3. Ethics
7. Project Objectives
   7.1 Desired Outcomes
   7.2 Project Scope and Exclusions
   7.3 Constraints and Assumptions
   7.4 Project Tolerance
8. Project Product Description
9. SWOT Analysis
10. Project Approach
11. Project Change Control
12. UK Legislation
13. Project Team Structure
14. Work Breakdown Structure
15. Work Packages
   Stage 1 – Write up Report
   Stage 2 – Background Research
   Stage 3 – Research
   Stage 4 – Experiment
   Stage 5 – Report Creation
   Stage 6 – Report and Artifact delivery
16. Project Planner Daily/Weekly Routine
17. Stakeholder Analysis
18. Risk Analysis
19. Communication log
20. Pilot Questionnaire design
21. Approvals


1. Revision History

Columns: Revision Date | Previous revision Date | Summary of Changes

02/02/2012 | First Draft (v1.0)
05/03/2012 | Presentation (Ref A)
19/03/2012 | Second Draft (v2.0)

Distribution:

This document has been distributed to

Christopher Richardson – Project Supervisor

2. Purpose

The purpose of this project is to assess and evaluate the current risks involved in the use of Near Field Communication passive technology in conjunction with credit card details. As NFC technology advances towards playing a major part in everyday transactions, the project will establish how safe and secure the product is, and whether NFC is an asset or a vulnerability in today’s digital world. It will define the background of the area in which the project is based to provide a better understanding of the subject area and will define the project objectives. A definition of the methodology to be used in the project will be provided, with an overview of any tailoring required. Finally, this document will provide a base for deriving other project documents, such as the Project Plan and Product Descriptors.

3. Methodology

For the purposes of this investigation Checkland Soft Systems Methodology will be adopted as it gives structure to complex organizational situations and allows the project to be dealt with in an organized manner.

4. Derivation

The project brief is derived from the following:

The Bournemouth University Project Handbook
University Lecture notes
Discussions with Project Supervisor
Discussion with Peers


5. Quality Criteria

Throughout this project, it is important that criteria are defined which will ensure that the project is of a high quality and meets all objectives and aims set out in the project brief. This can be done by ensuring that the project objectives are Specific, Measurable, Achievable, Realistic, Timely, Evaluate, Re-do. In addition, the requirements of what needs to be created and how these goals will be achieved are outlined and defined in the project brief. The approach to the project will maximise the chances of achieving the overall success of the project. It is important to have quality criteria to ensure that the project runs on time, within budget and produces the results that are required for it to succeed. The quality of the final project can be defined in terms of:

Content Accuracy Aesthetic look Usability

Quality Criteria | Method of Measurement | Tolerance
Final report, legible, clear and easy to understand for all levels of technical knowledge | Peer review over 1 day; Project supervisor over 1 day | 2 days
The reports will be laid out in a logical manner and will be error checked | Spelling, grammar and structure checks | 1 day
Final report will be bound to Bournemouth University Requirements | Visual check | 2 days
The final project will be accurate in terms of facts, figures and references | Visual check over 1 day; Peer review over 3 days | 2 days
The project will come to 15,000 words | Word count | +/-10%
All work will be regularly backed up | Backed up to Dropbox; Backed up on USB | +/- 1 day
Questionnaire form will be easy to complete | Question asked in actual questionnaire | N/a
Project Budget is £200 | Budget/Receipts | +/- 10%
Project deadline is 3rd May | Work reviews | +/- 7 days

Table 1 – Quality Plan

5.1. Tools

MS Office
MS Excel
Visio
Microsoft Project Manager
Prince2
Google Docs
Dropbox
Questionnaire Package (tbc)
Bubble.us (Mind Map)
Creative Suite 6
Experiment equipment


5.2. Quality Assurers

Project Supervisor – Christopher Richardson
Product Assurer – Michael Jones, 2nd Supervisor
Project Coordinator – Frank Milsom

6. Project Definitions

6.1. Background

Near Field Communication (NFC) is a newly emerging technology that has recently been incorporated into mobile devices. NFC builds upon the existing radio-frequency identification (RFID) specification and operates on the low-range 13.56 MHz frequency. The NFC specification differs from RFID in that two-way communication is now possible, at data transfer speeds of up to 424 kbit/s. Two NFC-enabled devices can communicate as long as the devices are within range (about 4 centimetres). Instant access to information about products, services, landmarks and even people is available through NFC. It is estimated that by 2014 around 20% of phones worldwide will have NFC capabilities (Juniper). NFC mobile-payment applications are currently in trials in the United States, Germany, Finland and the Netherlands. The trials are investigating how a mobile telephone can effectively be turned into a credit card simply by holding the phone in very close proximity to an NFC reader. The mobile phone is associated with a bank or credit card company just as it is associated with a phone-service provider.

6.2. Project Aims

The primary aim of the project is to deliver a product investigating the vulnerabilities associated with the use of NFC in conjunction with bank transactions. The project aims to deliver a clear insight into the operations of NFC and to evaluate it, with solutions and future recommendations.

Secondary aims will include the following:

1. Maintaining an unbiased direction by interviewing criminals and law enforcement agencies.
2. Compare and contrast EPOS systems.
3. Identify areas of benefit/weakness in NFC.
4. Estimate where future threats will arise from.
5. Identify solutions to vulnerabilities found.

In order to achieve the project aims, a series of objectives have been identified in section 7.3.

6.3. Ethics

Because the project relates to my degree in Computer Forensics & Security, ethical barriers may restrict some elements of the research. For this reason it is important that the project maintains credibility through appropriate approval in the form of a Research Ethics Clearance. This ensures the working practices remain inside the University procedures and academic principles.


7. Project Objectives

Project objectives and Key Performance Indicators have been established using the SMARTER approach.

S.M.A.R.T.E.R Objectives

S | Oversee the completion of the overall project consisting of the key areas required in the PRINCE2 template
M | The template will be completed relating each stage of the project from planning, project initiation to completion
A | Produce an honours worthy final year project, by conforming to the higher tiers of the marking scheme throughout all aspects of the project
R | PRINCE2 template will aid this objective. This will be achieved in milestone 1
T | Project Planner will be created
E | Marking criteria will be reviewed periodically before each section of work is completed, along with Peer reviews/Supervisor meeting
R | Completed work will be cross referenced to ensure the marking criterion is met.

S | Carry out initial research into the area to scope
M | Plan out the project - PRINCE2 template will aid this objective
A | Limitations, restrictions, risks and assumptions should be clearly set out
R | Literature, videos, websites, journals and forums
T | Will be completed by milestone 2
E | Marking criteria will be reviewed periodically before each section of work is completed, along with Peer reviews/Supervisor meeting
R | Completed work will be cross referenced to ensure the marking criterion is met.

S | Gain deep understanding into NFC Security
M | In-depth research stage, comprising literature research, interviews, questionnaires and experiment
A | State of art will be completed by milestone 2
R | Literature, videos, websites, journals and forums
T | Project Planner will be created
E | Marking criteria will be reviewed periodically before each section of work is completed, along with Peer reviews/Supervisor meeting
R | Completed work will be cross referenced to ensure the marking criterion is met.

S | Create an experiment
M | that will establish the feasibility of a small scale attack on NFC electronic payments
A | This will be carried out in milestone 4
R | Equipment and software
T | Project Planner will be created
E | Marking criteria will be reviewed periodically before each section of work is completed, along with Peer reviews/Supervisor meeting
R | Completed work will be cross referenced to ensure the marking criterion is met.

S | Create and deliver a Final report that will highlight the findings from the research
M | The report will highlight all important findings in the research and these
A | The report will be completed in milestone 5
R | Findings will be used to complete an evaluation on the vulnerability state on NFC contactless transactions
T | Project Planner will be created
E | Marking criteria will be reviewed periodically before each section of work is completed, along with Peer reviews/Supervisor meeting
R | Completed work will be cross referenced to ensure the marking criterion is met.

S | Undertake a project defence that consists of a presentation to project marker and second marker
M | Present the project in full and all the findings from the research
A | The presentation needs to comply with the guidance set out by the Project supervisor and Project Assurer
R | Presentation slides
T | This will be completed in milestone 6
E | Marking criteria will be reviewed periodically before each section of work is completed, along with Peer reviews/Supervisor meeting
R | Completed work will be cross referenced to ensure the marking criterion is met.

1. Oversee the completion of the overall project, consisting of the key areas required in the PRINCE2 template, which will aid this objective; the template will be completed relating each stage of the project from planning, project initiation to completion. Produce an honours worthy final year project, by conforming to the higher tiers of the marking scheme throughout all aspects of the project. This will be achieved in milestone 1. Marking criteria will be reviewed periodically before each section of work is started. Completed work will be cross referenced to ensure the marking criterion is met.

2. Carry out initial research into the area to scope and plan out the project, to allow for clear decisions to be made from the start and at every stage in the project. Limitations, restrictions, risks and assumptions should be clearly set out. This will lay the foundations in preparation for milestone 3 and will be achieved in milestone 2.

3. Gain deep understanding into NFC Security through an in-depth research stage, comprising literature research, interviews, questionnaires and experiment. State of art will be completed by milestone 2.

4. Create an experiment that will establish the feasibility of a small scale attack on NFC electronic payments. Results will be analysed in conjunction with milestone 3.

5. Create and deliver a Final report that will highlight the findings from the research. The report will highlight all important findings in the research and these findings will be used to complete an evaluation on the vulnerability state on NFC contactless transactions. The report will be completed in milestone 5.

6. Undertake a project defence that consists of a presentation to project marker and second marker. The presentation will present the project in full and all the findings from the research. The presentation needs to comply with the guidance set out by the Project supervisor and Project Assurer. This will be completed in milestone 6.

7.1. Desired Outcomes

o Physical access to hardware and software to carry out experiment.

o Initiate and interview convicted criminals serving in HM Prison for related cybercrime offences.

7.2. Project Scope and Exclusions

NFC has a variety of uses and applications; however, this project will primarily focus on the operations of NFC within a banking transaction capacity, specifically the process by which data is transferred between sender and receiver. This is largely down to the belief that this is where the concept is at its most vulnerable.

When conducting questionnaires and compiling research, 4 main areas will be targeted:

1. Police and Law Enforcement agencies.
2. Banking, including credit card companies.
3. NFC mobile telephone manufacturers.
4. Criminals.

7.3. Constraints and Assumptions

This project will respect worldwide computer ethics, comply with two UK Acts of Parliament and follow ethical procedures. The primary Act is the Computer Misuse Act 1990; however, any data captured through experiments must also comply with the Data Protection Act 1998, and adequate measures must be taken to ensure the protection of sensitive information.

This project will be subject to a number of constraints which will affect the outcome of the report. Points of contact may not feel comfortable releasing information which is considered sensitive or detrimental. Law agencies may hold back information to prevent releasing methods of policing. On the other side, criminals may feel uncertain about any involvement the project may have with the police.

Time is another constraint that this project will encounter; the deadline for the project is 3rd May 2013.

7.4. Project Tolerance

Tolerance | Amount
Hand-In date 1st May | +/- 3 Days
Budget of £200 | +/- 10%
Risk | Project not completed on time; Project runs over budget; Not enough subject area information; Project does not meet quality criteria
Benefit | New skills gained; Insight into current ICT curriculum
Scope | Broad overview of ICT from both teacher and student perspective

Table 1: Project Tolerances

8. Project Product Description

The product will deliver a report on the passage of information from NFC devices. The report will cover:

Introduction.

Background.

Users.

Fundamentals of NFC.

Laws surrounding concerned.

Policing.

Costs

Pros and Cons.

Experiments

Recommendations.

Conclusion.

9. SWOT Analysis

Strengths

NFC is becoming more and more popular.

Many sources are involved (Banks, Credit card companies, Mobile telephone companies, Police).

Many sources will gain value from research.

Weaknesses

Technology is rapidly changing.

Difficulty in accessing detailed information due to security.

Opportunities

Opens up vulnerabilities.

Reduces the number of victims becoming prone to attack.

Awareness of the security state.

Alternative methods of payment.

Threats

Difficult to carry out experiments (funding/time/resources).

10. Project Approach

Primary research will be carried out through the use of university facilities; this will include library, software, journals, books and internet sources. Notes will be taken in electronic format along with a blog to assist the planning and review the stage the project is at.


11. Project Change Control

Minor editing and modifications will be implemented and not require an agreement from project mentor. Major directional changes and alteration will be discussed with project mentor to agree on a suitable path.

12. UK Legislation

Computer Misuse Act

Data protection

Health and safety

13. Project Team Structure

Various people will have an involvement or contribution to the project, and they are summarised in table 2.1 and documented as an organisational chart in Figure 1.

Role | Name | Role Description
Executive | Massimo Salvato | Manage the project
Project Supervisor | Christopher Richardson | To oversee the project
Second Supervisor | Michael Jones | Additional support if necessary
Quality Assurance Manager | Christopher Richardson | Manage the quality assurance of the project
Peer Reviews | Project Class | Recommendations
Alterations Authority | Massimo Salvato, Christopher Richardson | Agree on major alterations to the project.

Table 2: Team Structure

Figure 1: Team Structure Diagram (organisational chart showing the Executive, Project Supervisor, Quality Assurance Manager, Second Supervisor, Peer Reviews and Alterations Authority)

14. Work Breakdown Structure

Figure 2: Work Breakdown Structure (diagram for the project "Near Field Communication Attacks on Contactless Transaction", breaking the work into Write up Report, Background Research, Research, Experiment, Report Creation, and Report and Artefact Delivery, each with its sub-tasks)

15. Work package

Write up report
Background Research
Research
Experiment
Report Creation
Report and Artefact Delivery

16. Project Planner

Daily Routine

Highlight Reports: Week 1 to Week 16

a. Milestones

Project Commence 23/01/2013

Research

Mid Project review

Report Creation

Hand in 03/05/2013

Presentation 16/05/2013

b. Milestone table

c. Gantt Chart


17. Stakeholder Analysis

Stakeholder | Their interest or requirement from the project | What the project needs from them | Perceived attitudes and / or risks | Actions to take
Massimo Salvato | Executive Project Manager | N/A
Credit Card Company | Question | Information regarding credit cards involvement. Procedures, policies and NFC registration process.
Police | Question | Current views on NFC crime. Statistics. | Helpful; Limitations of Information; Varied levels of authority may perceive the problem differently.
E Crime Unit | Questions | Policing strategies for NFC crime. Figures and Facts | Helpful; Limitations of Information
Serving Criminals | Questions | Previous methods of similar crime - background | Difficult; Revealing; Slow process
Mobile phone Company | Questions | Explanation into operations of NFC
Contactless Payment Machines | Questions | Product information
Frank Milsom | Project Assurance | Provided assurance that the work is in the correct format and met expectations.
Christopher Richardson | Executor | Ensure the project is on track and project manager is keeping timescale.
Michael Jones | Second Marker | Ensure the project is worthy of the mark given by the Project supervisor


18. Risk Analysis

Nature of Risk or Uncertainty | Likelihood (5-1, High - Low) | Impact (5-1, High - Low) | Score (Likelihood x Impact) | Actions required and who will take responsibility to manage the risk
Lack of response | 2 | 5 | 10 | Access other points of contact (MS)
Slow response times | 3 | 4 | 12 | Access other point of contact – have a wide pool of contacts (MS)
Change in direction of project | 2 | 2 | 4 | Seek advice from project supervisor (MS)
Project deadline is not met | 2 | 5 | 10 | Project will fail / Seek advice from course administrator (MS)
Software/Hardware failure – lost documents | 1 | 2 | 2 | Locate previous cloud back up – recommence from previous back up (MS)
Backup fails | 2 | 4 | 8 | Recommence from last save point (MS)
Project manager is absent | 1 | 3 | 3 | Contact through email – catch up at next meeting (MS)
Change of project manager | 1 | 3 | 3 | Explain project and direction to new manager (MS)
Internet goes down | 1 | 2 | 2 | Recommence work when reconnected, locate alternative sources (MS)
Personal Family emergency | 2 | 5 | 10 | Seek advice from University services – postpone hand in date (MS)
Other emergency work commitments | 1 | 3 | 3 | Catch up at earliest available point (MS)
Laptop/USB stolen or lost | 1 | 4 | 4 | Save back up in 3 various locations weekly (MS)


19. Communications Log

Date | Contact Method | From | To | Reason | Company/Office | Outcome
29/01/2012 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University
5/02/2012 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University | Project Brief; Project Aims; Project Objectives
11/02/2012 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University | Critiques
14/02/2012 | Email / Serialio.com | MS | [email protected] | Research products for experiment including (ACR122U) | Serialio.com Technical Dept
16/02/2012 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University | Methodology; Project Questionnaire; Lit Review; State-of-Art
25/02/2012 | Email | MS | Karsten Nohl - [email protected] | Further information related area of study | University of Virginia
25/02/2012 | Email | MS | [email protected] | Enquiring about procedures for interviewing prisoners | Southwark crown court
26/02/2012 | Email | MS | [email protected] | Further information regarding RFID secure wallets/products | Identity Stronghold
26/02/2012 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University | Methodology; Lit Review
02/03/2012 | Email | MS | [email protected] | Project advice | Mandy Scullion | Project information
05/03/2012 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Project Presentation | Bournemouth University | Presentation (ref); Project performance; Presentations
11/03/2013 | Email / Kristen Paget | MS | [email protected] | Further information on NFC | Recursion.com / (Core OS Security Researcher at Apple)
12/03/2013 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University
12/03/2013 | Email | MS | https://viaforensics.com/contact-us/ | Information regarding NFC interception device for experiment | ViaForensics
14/03/2013 | Phone | MS | http://www.ul-ts.com/ 0131 225 9500 | Information on products - Aspect Spy Test Tool | UL | Hardware/Software £25/30k
18/03/2013 | Email | MS | [email protected] | Subject librarian – sourcing relevant literature | Bournemouth University
26/03/2013 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University
05/04/2013 | Email | MS | [email protected] | Further research | Newcastle University
08/04/2013 | Email | MS | [email protected] | Enquiries about published guide – Further research on security related topics | Advised to refer to Ernst Haselsteiner; Sent Ernst Haselsteiner literature
09/04/2012 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University | Need to analyse section of the report, Modify report and adjust brief
02/05/2013 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University | Threat Analysis; Questionnaire; Complete State of Art
09/05/2013 | Supervisor meeting / Peer Review | MS | CR / Peer Review | Weekly update | Bournemouth University | Strengthen Artefact
14/05/2013 | MS | CR / Peer Review | Weekly update | Bournemouth University | Project Layout
21/05/2013 | MS | CR / Peer Review | Weekly update | Bournemouth University
28/05/2013 | ACR Cards | MS | Software advice | On-going communication
04/06/2013 | CR / Peer Review | MS | Bournemouth University | Bournemouth University
05/06/2013 | Matt Cheetham | MS | Costa Coffee NFC Advice on hardware Locations of Arduino board Hack Bournemouth help

Table 3: Communications Log


20. Pilot Questionnaire V1

This questionnaire is set at a variety of professions; the questionnaires were set at a low number to maintain interest in the questionnaire.

Users Questionnaire

Test No.

Design Criteria Performance Criteria Question Result as Expected

Comment

01 The question is used to establish the age band

There will be a complete variation of ages.

Please state your age in the bands below?

02 The question is used to establish preferred methods of transactions

It is expected the older generation (50+) will not be as comfortable with EPOS systems

Which method of payment do you prefer to use?

03 Used to analyse the most popular EPOS transaction.

Credit card payment is expected to be the highest

Which EPOS method of payment do you use most often (list them)

04 The question is used to determine the users' knowledge of current EPOS systems

It is estimated that credit card and chip and pin are the most popular.

Please tick which EPOS systems you are familiar with: +Credit Card Chip and Pin +PayPal +Google Wallet +NFC +Contactless

05 Follow-on question is used to analyse the number of users who feel safe using their method of payment.

Do you feel the method of payment was secure?

06 The question is used to gauge the test population's understanding of NFC payments

It is expected less than 50% will understand

Do you understand the basics of NFC?

07 The question is used to establish the population of users who would like to take advantage of current technology.

It is estimated that most young people would like this technology.

Would you like to use your mobile to swipe and pay for items if it was available?

08 The question is arranged so as not to alert the reader to any suspicious activity while still gaining an understanding of how safe the users think NFC is.

It is estimated that most people will not be very concerned about security unless they have been a victim of fraud before.

If yes to Q3, on a scale of 1-10 were you concerned about paying for things using your telephone?

09 The question is used to establish how many users have become victims to fraud

Most people will not have been victims

Have you ever been a victim of fraud?

10 The question is used to analyse which category tends to pay the price for the fraud.

If yes, which party paid the price of the loss?

11 This question is designed to assess which method of payment the current population believes to be the safest and if new NFC payments are considered more secure than previous methods.

Most people will say credit card. What do you consider to be the safest method of payment?

Merchant Questionnaire

Test No.

Design Criteria Performance Criteria Question Result as Expected

Comment

01 The question is used to establish the level of authority the interviewee has in the business.

Low/mid-level employees. Please state your current position?

02 The question is used to establish how many merchants have become victims to EPOS fraud.

This figure is estimated to be low. Has your business ever become victim to payment fraud?

03 The question is used to analyse who pays for the fraud

Primarily, victims will pay the price. If yes, which party paid the price of the loss? +Insurance +Bank +Victim

04 The question is used to assess how many merchants feel comfortable with the change to NFC.

Most vendors will likely keep old machines as it is expensive to replace and may cause disruption to business.

How would you feel about implementing NFC mobile telephone swipe transactions in your business? 1-10 (neg-pos)


Police Questionnaire

Test No. Design Criteria Performance Criteria

Question Result as Expected

Comment

01 This question is used to confirm the questionnaire has reached a department relating to the survey.

Can you please clarify which section and police department you work for?

02 This question is used to establish which area of fraud is more common within this police department.

What is the most common type of payment transaction you deal with?

03 The question is used to analyse who pays for the fraud from a police officer’s view.

Who generally pays for the loss due to transaction fraud: Victim Bank

04 This question is designed to assess the views of someone who deals with this problem on a regular basis.

Do you consider NFC mobile transactions to be safer than the current chip and pin transaction?

05 This question is used to establish if the unit deems NFC to be one of the directions.

It is estimated that NFC will be rated highly.

What direction is the transaction fraud trend heading in this Police unit?

06 This question is designed to assess the views of someone who deals with this problem on a regular basis.

It is estimated yes will be the answer

Do you believe NFC mobile transaction fraud will replace credit card fraud?

07 This value is estimated to be very low

What is the conviction rate for credit card fraudsters?

08 This question is used to give more indication why it is hard/easy to catch fraudsters.

This is expected to Can you please summarise in a few sentences why the conviction rate is high/low?

21. Pilot Questionnaire V2

Ref

No.

Design Criteria Performance Criteria Design Specification Results/

Conclusion

Comments

01 This question was an easy to answer introductory question aimed at assessing any relationship with age.

There will be more younger people familiar with the technology and willing to use new technology

Please state your age in the bands below?

See page x See page x

02 This question will analyse if there is any relation to the working sector which may influence their decision on NFC security.

More people working in the IT sector will be familiar with security and the concept of NFC.

Which sector(s) best suits you?

03 Designed to analyse which payment method people prefer to use.

It is expected that most people will opt for either cash or chip and PIN as it is the most widely available.

Which payment system do you prefer to use?

04 This question is used to gauge the interest people would have should there be more access to POS terminals

If the technology was available people would use the system more.

If the technology was more readily available would you like to replace your credit/debit card with a mobile to make payments in shops?

05 This is used to analyse the future perception of NFC contactless transactions

It is estimated that people are a little bit unsure about the future technology as they are not fully aware of its capabilities.

Do you believe NFC contactless mobile payments have a place in the future of electronic payment transactions?

06 Analysing people’s perception on contactless card payment security.

Estimated that people do not fully understand the security vulnerabilities

Do you feel CONTACTLESS credit/debit card payments are secure?

07 Analysing people’s perception on new mobile payment contactless card security.

It is estimated that the majority of people think it is secure

Do you feel contactless MOBILE PHONE payments are secure?

08 Analysing where the majority of people perceive a vulnerable point to be.

It is estimated that "the phone is constantly vulnerable" will be the top answer.

If you disagreed with the above question, which point in the transaction process do you believe is most vulnerable?


09 Analysing what information the majority see as information which can be exposed.

Estimated that credit card details are the most common data which can be stolen.

(If you disagree with Q6) What information/data do you think could be stolen from contactless mobile payment?

10 Direct gauging used to assess if people understand the distances involved in a potential attack.

If people are aware of the technology they will put 10cm or don’t know.

Close proximity payments operate at a maximum distance of 10cm?

11 Direct yes or no analysing the number of respondents who have been victims of fraud, which may impact their answers

Estimated that the overwhelming result will be no victims of fraud.

Have you ever been a victim of credit/debit card fraud?

12 This is used to assess if people are content with the new contactless technology.

Estimated that people are happy to gradually try new technology.

Do you feel happy about making payments through Near Field Communication?

13 Used to analyse the awareness of any threats.

Majority no. Are you aware of any Near Field Communication attacks?

14 Finally, this is used to analyse who is thought to be responsible for the security

It will be considered that the majority will go for a combined effort.

Who would you consider responsible for maintaining the security of mobile payments?

22. Approvals

Prepared By : Massimo Salvato

This document requires the following Approval

Approved By : Christopher Richardson

Project Supervisor, Bournemouth University