
PRICING DATA TAMPERING IN

AUTOMATED FARE COLLECTION

Guide : R. SUDHAKAR
S. RESHMA SUPRIYA (732117104057)
R.VINOTHINI (732117104086)
D.PAVITHRA (732117104049)
M.THENMOZHI (732117104079)
INTRODUCTION
• Automated fare collection (AFC) systems have been deployed around the world
for a long time to automate manual ticketing and charging systems, especially
in public transportation networks.

• As transit routes in modern cities are generally very long, most of today's
AFC systems adopt a distance-based pricing strategy.

• It is written into the card, which will be used to generate a dynamic session
key, SK; surprisingly, all the other data (e.g., the entrance or exit
information used for calculating the trip fare)
ABSTRACT
• Automated Fare Collection (AFC) systems have been globally deployed
for decades, particularly in the public transportation network where the
transit fee is calculated based on the length of the trip (a.k.a. distance-
based pricing AFC systems).
• Nevertheless, in recent years, the advent of Near Field Communication
(NFC)-equipped smartphones has opened up a channel to intrude into the
AFC network from the mobile Internet, i.e., by Host-based Card Emulation
(HCE) over NFC-equipped smartphones.
EXISTING SYSTEM
• Attackers have been trying to implement a relay attack
using various approaches.
• Initially, researchers built specific hardware to relay
the communication between a smart card and a
terminal.
• Some used self-built hardware to increase the distance
up to 50 m.
Cont.,
• They also reviewed relay attacks in depth, discussing relay-resistant
mechanisms.
• With the development of NFC, recent works have focused on
relay attacks using mobile phones.
• Nokia 6131 was the first phone ever produced with NFC
capability, revealing the possibility of performing a relay attack
using COTS devices.
DRAWBACKS
• The NFC-eSE based card also slows down.
• In the load command case, it takes more time
than LessPay.
• We believe this is caused by the low
performance of Java Card.
• But by doing so, the legitimate NFC-eSE
solution is also banned.
PROPOSED SYSTEM
• We develop and evaluate a data-hiding method that enables smartphones to
encrypt and embed sensitive data into carrier streams of data.

• Our evaluation considers multiple handsets and a variety of data types.

• We show that our method has a computational cost that allows real-time data
hiding on smartphones with negligible distortion of the carrier stream.


ADVANTAGES
• The process that the card authenticates the terminal
is almost increased as the authentication step in the
entrance protocol.
• Exact results can be obtained as the emulated card
should have a corresponding physical AFC card in the
cloud-side card pool.
• The cumulative distribution function (CDF) of
network traffic consumed is low and output is very
high.
Literature Review
• Large scale invisible attack on AFC systems
with NFC-equipped smartphones.
• On the security of 2-key triple DES.
• Dispelling the myths: the reality about
contactless security.
• Sleep hunter: towards fine grained sleep stage
tracking with smartphones.
Large scale invisible attack on AFC
systems with NFC-equipped smartphones.

Our constructed attack has two important properties:

1) it is invisible to AFC system operators because the
attack never causes any inconsistency in the backend
database of the operators
2) it can be scalable to a large number of users (e.g.,
10,000) by maintaining a moderate-sized AFC card pool
(e.g., containing 150 cards). Based upon this
constructed attack, we developed an HCE app, named
LessPay.
Cont.,
• Our real-world experiments on LessPay demonstrate not only
the feasibility of our attack (with 97.6% success rate), but
also its low overhead in terms of bandwidth and
computation. Among these systems
• Fan Dang, Pengfei Zhou et al. proposed this paper.
Automated Fare Collection (AFC) systems have
been globally deployed for decades, particularly in
public transportation
On the security of 2-key triple des
• Chris J. Mitchell et al. proposed this paper, which
reconsiders the security offered by 2-key triple DES.
• We give further attack enhancements that together imply that
the widely used estimate that 2-key triple DES provides 80
bits of security can no longer be regarded as conservative.
• Finally we also observe that the observations in Section VII
cast very serious doubt on the future viability of the ANSI
retail MAC when used with DES.
Dispelling the myths: the reality about
contactless security
• Ryan Erenhouse et al. proposed this paper. For
many people, paying with a card is still associated with a
“swipe” or a “dip”.
• The cards and devices contain an embedded chip and a radio
frequency (RFID) antenna that provide a wireless link with the
contactless reader.
• It would be extremely difficult for a fraudster to copy the
advanced encryption technology that is used to generate this
dynamic number and create a functioning counterfeit version
of a contactless card.
Sleep hunter: towards fine grained sleep stage tracking with
smartphones.

• Weixi Gu, Longfei Shangguan, Zheng Yang et al. proposed this paper.
Sleep quality plays a vital role in personal health.
Architecture Diagram.
[Figure: architecture diagram. Block labels: Obtaining data structure; Tampering entrance data; Automated fare collection; Collecting entrance data; Secret key; Tampering the data; Original data]
MODULES
• Data pre-processing
• Tampering Entrance Data
• Obtaining station information
• Relay Attack on AFC Card
MODULE DESCRIPTION

DATA PRE-PROCESSING

• The data pre-processing module describes the processing performed on the
raw dataset to prepare it for another processing procedure.

• The preliminary data pre-processing transforms the data into a format that
will be more easily and effectively processed for the purpose of the user.
TAMPERING ENTRANCE DATA
• We need to know two important pieces of information:
1) the data structure of entrance data,
2) the station data, e.g., GPS latitude and longitude coordinates.

• In this section, we describe a collection of approaches to infer the above
information.
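Why the entrance record matters to a defender, as an added example that is not from the slides or from the LessPay authors: an exit gate that prices a trip from an unauthenticated entrance record, beside one that verifies a MAC and a freshness window first. The record layout, tariff, gate-side key and all names are assumptions; the check covers modification of the record only, not the relay discussed later.

```python
import hashlib
import hmac
import struct

# Assumed layout (not the real card format): 2-byte station id, 4-byte entry time.
RECORD = struct.Struct(">HI")
TAG_LEN = 8                  # truncated HMAC-SHA256 tag stored after the record
MAX_TRIP_SECONDS = 4 * 3600  # assumed freshness window for an entrance record


def fare(entrance_station: int, exit_station: int) -> int:
    """Constructed distance-based tariff: base 2 plus 1 per station travelled."""
    return 2 + abs(exit_station - entrance_station)


def mac_tag(gate_key: bytes, card_uid: bytes, body: bytes) -> bytes:
    # Binding the tag to the card UID stops a record being moved between cards.
    return hmac.new(gate_key, card_uid + body, hashlib.sha256).digest()[:TAG_LEN]


def write_entrance(station: int, ts: int, card_uid: bytes, gate_key: bytes) -> bytes:
    """Entrance gate: record followed by a tag under a key held only by gates."""
    body = RECORD.pack(station, ts)
    return body + mac_tag(gate_key, card_uid, body)


def exit_fare_unauthenticated(blob: bytes, exit_station: int) -> int:
    """Weak exit gate: trusts whatever entrance record the card presents."""
    station, _ = RECORD.unpack(blob[:RECORD.size])
    return fare(station, exit_station)


def exit_fare_verified(blob: bytes, exit_station: int, card_uid: bytes,
                       gate_key: bytes, now: int) -> int:
    """Hardened exit gate: checks length, tag and freshness before pricing."""
    if len(blob) != RECORD.size + TAG_LEN:
        raise ValueError("malformed entrance record")
    body, tag = blob[:RECORD.size], blob[RECORD.size:]
    if not hmac.compare_digest(tag, mac_tag(gate_key, card_uid, body)):
        raise ValueError("entrance record failed integrity check")
    station, ts = RECORD.unpack(body)
    if not 0 <= now - ts <= MAX_TRIP_SECONDS:
        raise ValueError("entrance record is stale")
    return fare(station, exit_station)
```

The gate key must live only in gate or backend hardware: a key readable by the card application would be readable by an HCE app as well.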
Obtaining station information
• Rather than collecting station data by visiting each station (seems
impossible), we found a third-party application called E-Card Tapper,
which is able to parse the transaction histories as well as the trip records
and details.

• Driven by this finding, we reversed this application using Apktool and
dumped the station data from the inner SQLite database.

• E-Card Tapper was reversed in order to extract its stored station
information, such as the station identifier.


Relay Attack on AFC Card
• It is impossible to emulate an AFC card with debit support.
• In other words, the challenge in this phase is how we can get a
transaction key TK for our emulated card to make it pass the
mutual authentication.
• We use the physical card equipped with TK to bypass this
security check.
• In other words, in LessPay, the emulated card should have a
corresponding physical AFC card in the cloud-side card pool.
Conclusion
• Today's AFC systems have been adopted worldwide, and billions of
AFC cards have been issued all over the world.
• We have developed an HCE application, named LessPay, based on
our proposed and reported attack.
• We evaluated the LessPay application through real-world experiments.
• We implement, deploy and evaluate these countermeasures, and
also provide an analysis of these approaches.
REFERENCE
• “E-card tapper,”
http://www.wandoujia.com/apps/com.siodata.uplink, [Online;
accessed on July 20, 2016].
• C. J. Mitchell, “On the security of 2-key triple DES,” IEEE
Trans. Information Theory, vol. 62, no. 11, pp. 6260–6267,
2016.
• “MasterCard Contactless,”
http://www.mastercard.com/contactless/, [Online; accessed on
July 21, 2016].
• W. Gu, L. Shangguan, Z. Yang, and Y. Liu, “Sleep hunter:
Towards fine grained sleep stage tracking with smartphones,”
IEEE Transactions on Mobile Computing, vol. 15, no. 6, pp.
1514–1527, June 2016
Cont.,
• M. Roland, J. Langer, and J. Scharinger, “Applying relay
attacks to Google Wallet,” in Proceedings of the 5th
International Workshop on Near Field Communication (NFC),
Feb 2013, pp. 1–6.
• D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y.
Yang, “High-speed high-security signatures,” Journal of
Cryptographic Engineering, vol. 2, no. 2, pp. 77–89, Sep 2012.
THANK
YOU
