Contactless Card Payment Security Analysis
This talk demonstrates relay and replay attacks against contactless payment protocols, specifically targeting EMV (Europay, Mastercard, and Visa) implementations. The speaker highlights how improper handling of offline transaction modes and lack of robust authentication checks allow attackers to bypass payment limits and forge transactions. The research reveals that these vulnerabilities stem from non-standardized, vendor-specific extensions to the EMV specification that lack proper security controls. The presentation includes a demonstration of using Proxmark3 to perform these relay attacks in a real-world environment.
Bypassing EMV Contactless Limits with Relay and Replay Attacks
TLDR: Recent research presented at DEF CON 2025 exposes critical flaws in EMV contactless payment protocols, specifically regarding how offline transaction modes handle authentication. By exploiting vendor-specific extensions that lack robust cryptographic checks, attackers can perform relay and replay attacks to bypass transaction limits. Pentesters should focus on identifying these non-standardized implementations in payment terminals to demonstrate the risk of unauthorized high-value transactions.
Contactless payment security is often treated as a solved problem, but the reality is that the underlying EMV protocols are a patchwork of specifications and vendor-specific implementations. When you tap your card or phone against a terminal, you are relying on a complex handshake that assumes the terminal and the card are both acting in good faith. This assumption falls apart when you look at how offline transaction modes are implemented. The research presented at DEF CON 2025 highlights that these offline modes are frequently vulnerable to relay and replay attacks because they lack the rigorous, real-time cryptographic verification required for high-value transactions.
The Mechanics of the Relay Attack
At the core of this vulnerability is the way payment terminals handle the "card type" identification and the subsequent transaction initiation. When a card is presented, the reader asks, "What kind of card are you?" The card responds with its capabilities, and the reader then decides which protocol to initiate. The researchers demonstrated that by using a Proxmark3, an attacker can intercept this initial exchange and manipulate the data flow.
The attack flow is essentially an adversary-in-the-middle scenario. The attacker uses two devices: one near the victim's card and one near the target payment terminal. The terminal believes it is communicating directly with a legitimate card, while the victim's card believes it is communicating with a legitimate terminal. Because the EMV specification for offline transactions often relies on a shared secret or a static cryptographic key that is not properly rotated or validated against a backend server in real-time, the attacker can replay valid transaction data or relay the authentication request to a different terminal entirely.
Why Vendor-Specific Extensions Fail
The EMV specification is massive, and vendors often implement their own "optimizations" to speed up transaction times. These extensions are where the security breaks down. The researchers found that many terminals implement a "transit transport mode" to allow for rapid entry at subway turnstiles. This mode is designed to be fast, which means it often skips the identification and authentication checks (the weakness class OWASP tracks as A07:2021 Identification and Authentication Failures) that would normally prevent a relay attack.
In these transit modes, the terminal does not perform a full online authorization. Instead, it relies on a local, simplified check. By using Tamarin to model these protocols, the researchers were able to prove that these vendor-specific extensions introduce a state where the terminal accepts a transaction without verifying the cryptographic signature of the card in a way that prevents replay. The terminal essentially says, "I see a valid-looking card, I will process the payment," without confirming that the payment request is unique and not a replayed packet from a previous, legitimate interaction.
Real-World Implications for Pentesters
For those of us conducting physical security assessments or retail penetration tests, this is a goldmine. If you are testing a payment terminal, you should not just look for standard network-level vulnerabilities. You need to test the NFC interface. If a terminal supports high-value transactions without requiring a PIN or biometric verification, it is likely relying on these flawed offline modes.
During an engagement, you can use a Proxmark3 to capture the transaction flow. If you can successfully replay a transaction or relay it to a different device, you have demonstrated a critical failure in the terminal's authentication logic. The impact is clear: an attacker could potentially drain funds from a victim's card or phone without ever needing physical access to the device, provided they can get close enough to the victim's wallet or pocket.
Defensive Considerations
Defending against these attacks is difficult because the flaw is often baked into the hardware and the proprietary firmware of the payment terminal. However, the most effective mitigation is to enforce online-only transaction processing for any amount above a very low threshold. If a terminal must support offline transactions, it should implement strict, time-bound, and unique transaction identifiers that are cryptographically signed by the card and verified by the terminal using a secure element.
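As an added illustration (not code from the talk or from any terminal vendor), the following Python simulates the two acceptance policies this page contrasts: a "transit mode" style check that approves any valid-looking cryptogram, and the hardened offline check described above that binds the cryptogram to a fresh terminal challenge, requires a strictly increasing transaction counter, bounds response latency and caps offline value. The HMAC, key, limit and latency figures are constructed stand-ins for the card's cryptogram and a real terminal's parameters.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass

OFFLINE_LIMIT_CENTS = 5000   # assumed offline floor limit; anything above must be authorised online
MAX_RTT_S = 0.050            # assumed latency bound; relaying through a second device adds round-trip delay
CARD_KEY = b"constructed-demo-card-key"   # stand-in for the card's secret; HMAC replaces the EMV cryptogram

@dataclass(frozen=True)
class Cryptogram:
    atc: int      # Application Transaction Counter reported by the card
    un: bytes     # terminal Unpredictable Number the card signed over
    amount: int   # amount in cents the card signed over
    mac: bytes

def card_sign(key: bytes, atc: int, un: bytes, amount: int) -> Cryptogram:
    # Simulated card: MAC over the counter, the terminal's challenge and the amount
    msg = atc.to_bytes(2, "big") + un + amount.to_bytes(6, "big")
    return Cryptogram(atc, un, amount, hmac.new(key, msg, hashlib.sha256).digest())

class Terminal:
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = -1   # highest counter accepted so far; a replayed cryptogram reuses an old one

    def challenge(self) -> bytes:
        return secrets.token_bytes(4)   # fresh UN per transaction; a fixed UN lets old cryptograms verify
    def _mac_ok(self, c: Cryptogram) -> bool:
        expected = card_sign(self.key, c.atc, c.un, c.amount).mac
        return hmac.compare_digest(expected, c.mac)

    def weak_accept(self, c: Cryptogram) -> bool:
        # "Transit mode" style check: valid-looking cryptogram => approve; no freshness, counter or limit
        return self._mac_ok(c)

    def hardened_accept(self, c: Cryptogram, un: bytes, amount: int, rtt_s: float) -> tuple[bool, str]:
        if amount > OFFLINE_LIMIT_CENTS:
            return False, "above offline limit: go online"
        if c.un != un or c.amount != amount:
            return False, "cryptogram not bound to this transaction"   # replayed from an earlier tap
        if c.atc <= self.last_atc:
            return False, "ATC not increasing: replay"
        if rtt_s > MAX_RTT_S:
            return False, "response too slow: possible relay"   # freshness alone cannot stop a live relay
        if not self._mac_ok(c):
            return False, "bad cryptogram"
        self.last_atc = c.atc
        return True, "approved offline"
```

The weak path accepts the same cryptogram any number of times, which is the behaviour the page attributes to vendor transit modes; the hardened path rejects it on the first mismatch it finds.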
Furthermore, the industry needs to move away from these non-standardized, vendor-specific extensions. If a feature like "transit mode" is necessary, it must be subjected to the same level of security scrutiny as a standard point-of-sale transaction. Relying on "security by obscurity" for these extensions is exactly what allowed these vulnerabilities to persist for so long.
The research serves as a stark reminder that convenience often comes at the expense of security. As we continue to see the adoption of mobile wallets and contactless payments, the pressure to make transactions faster will only increase. It is our job as researchers to ensure that this speed does not come at the cost of the integrity of the entire payment ecosystem. If you have access to payment hardware, start by looking at how it handles these offline modes. You might be surprised at how easily you can bypass the supposed protections that keep our money safe.