Practical EMV Relay Protection

Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu and Liqun Chen

This work will be published at the 2022 IEEE Symposium on Security and Privacy

Download paper

Source Code

We make available all artifacts for our research. Below is a brief description of the repositories. Please see each repo’s for more details details.

Tamarin Models – contains the formal models for verifying the L1RP protocol described in the paper, as well as the models for the mobile versions of Visa/Mastercard.

L1RP implementation – source code for Proxmark firmware and client which implements our new proposed protocol, L1RP, via two extra commands (hf 14a noncerdr and hf 14a noncesim).

Timing Data – contains the raw data and processing scripts for the Level 1 and Level 3 timings discussed in the paper.


NFCProxy – the starting-point for our relay-based Android Apps were the CardEmulator app and the TerminalEmulator apps in [1], which are in turn based on code from [2].

NFCProxy_uid – our modified Android Apps, for performing our attack against Visa’s relay-protection protocol.

Proxmark transport firmware – source code for Proxmark firmware and client, which contains an extra command hf 14a tfl acting as a Transport for London barriers reader.

RRP Relay – implements the replay of APDUs to a Mastercard RRP test card.

Servers – folder containing all the python scripts needed to run the different servers for our relay apps.

Traces – proxmark traces obtained from our relays (et = express transit; no CDCVM).

[1] Ioana Boureanu, Tom Chothia, Alexandre Debant, Stephanie Delaune, “Security Analysis and Implementation of Relay-Resistant Contactless Payments”, at the 27th ACM Conference on Computer and Communications Security (ACM CCS), 2020.

[2] Tom Chothia et al. “Relay cost bounding for contactless EMV payments.” International Conference on Financial Cryptography and Data Security. Springer, Berlin, Heidelberg, 2015.