Olympic NFC: mobile attackers to go for gold?
Mobile security expert Jimmy Shah debates whether Visas NFC payment test this month will highlight the risks or rewards surrounding the technology
Mobile security expert Jimmy Shah debates whether Visa’s NFC payment test this month will highlight the risks or rewards surrounding the technology
Touted as the next big thing for retailers, near field communication (NFC) technology hopes to transform the way consumers pay for goods and services. However, like any new technology, there are always risks.
Despite the hype around NFC and the riches it promises, Jimmy Shah, McAfee mobile security researcher, observed that there is still some uncertainty among retailers about how secure contactless payments really are. “Many are still wary of adopting NFC within their stores until both the risks and rewards can be clearly seen. The security risks may come to light sooner than expected, as one of the biggest events of the year is trialling the technology over the next two weeks,” he said.
“Visa has decided that the 2012 London Olympics will be the guinea pig for its PayWave contactless payment service. Every athlete will receive a Samsung Galaxy SIII phone – the official phone of the Games – enabled with NFC technology and Visa’s payment app. Users can then purchase goods and services by waving their devices in front of any of the thousands of readers installed in taxis and retailers throughout the London. While the aim of this trial is to demonstrate to retailers how seamlessly and flawlessly contactless payments can work, it may also be inadvertently encouraging mobile attackers to try their hand at penetrating the system for their own gain,” Shah continued.
Mobile attacks are emerging threat
Although NFC is not yet a mature technology for the retail sector, Shah said some attackers have already made headway into developing techniques to target the technology. “Some techniques focus on attacking the payment apps while others tackle the phone hardware or operating system. For example, a recent vulnerability in the PIN-reset function meant that attackers could crack consumers’ PIN numbers on their mobile phones,” he explained.
“Another technique used by scammers is known as ‘fuzzing’ the hardware. This is a good first step to testing the security of an NFC system or NFC-capable phones and involves feeding corrupt or damaged data to a payment app to trigger crashes of the system and discover vulnerabilities. Once a vulnerability is identified, the cyber criminal will then develop an exploit or attack – for example stealing credit card information or leaking the information to a third-party. Once an exploit has been created, the attacker will then find a way of getting the consumer to fall for the scam. The whole process costs cyber criminals a great deal of time and money, but is counterbalanced by the bounty that can be reaped from targeting NFC enabled phones and stores with card readers.”
Security researchers Charlie Miller and Collin Mulliner have tested this particular technique by ‘fuzzing’ SMS messages to discover exploitable vulnerabilities on Android and iOS phones. Mulliner also applied the method to NFC tags, injecting them into a phone and monitoring the results. As a result, an attacker wishing to target the Samsung Galaxy SIII when it goes on sale worldwide in two weeks could use Mulliner’s research to find vulnerabilities in the technology ahead of the trial.
Turning the technology against itself
But having consumers’ credit card details is only half the battle. “The large number of readers in stores at the Olympic Park and across the city of London will provide a plethora of places for attackers to use stolen credentials to make purchases,” Shah added. “The tourism and subsequent boom in retail sales that the Olympics is expected to generate means that attackers have a concentrated pool of targets – consumers and their phones - to pilfer from. Not only can attackers target NFC-enabled devices, they can also use contactless payment readers to siphon off credit card information, which is resubmitted by a fake NFC credit card.”
Like any security attack on a mobile device, there are steps that users can take to protect against NFC-related scams, advised the security researcher. These include downloading payment apps from the Google Play Market, Amazon’s Appstore or their network operator’s app store and avoiding third-party stores that may have pirated or maliciously modified software. “The key to NFC’s success or demise will lie in the awareness that retailers and consumers have of the security risks and the effort that is made to protect against these threats,” he concluded. “All eyes will be on London this summer – who will cross the finish line first – the retailers or the scammers?”