How Extra Features In Contactless Payments Break Security, What We Can Do
Tom Chothia
DEF CON 33 · Day 1 · Main Stage
In this DEF CON talk, Tom Chothia from the University of Birmingham examines the often-overlooked security implications of "extra features" added to the otherwise robust **EMV contactless payment protocols**. While the core EMV specification is remarkably secure and well-designed, the drive by payment providers and tech companies to introduce new functionality (such as transit modes, loyalty schemes, and phone-based authentication bypasses) has inadvertently created fertile ground for novel and severe security vulnerabilities. Chothia argues that these ad-hoc additions, often developed in isolation and without public scrutiny or rigorous interoperability testing, fundamentally undermine the security guarantees of contactless payments.
AI review
Solid academic security research with real teeth: formal verification catching production vulnerabilities in Apple Pay and Square that actually got exploited in the wild. The bit-flipping relay attack against Apple Pay/Visa transit mode is genuinely elegant, and the ISO 14443 timing-check proposal shows a researcher who didn't stop at 'here's the problem.' Minor drag on novelty — relay attacks aren't new, and EMV research has a deep bibliography — but the application to proprietary extension creep and the formal modeling methodology elevate this above typical payment security rehash.