Android App Allows NFC Contactless Account Mugging [newscientist.com]
Contactless cards use near field communications (NFC) chips to exchange your payment details with a merchant's till, and some smartphones also come equipped with NFC chips to let you use them as a wallet. Now security researcher Thomas Skora has written an app that turns any NFC phone into a reader and successfully read card numbers, expiry dates, transactions and merchant IDs from German credit cards.
The app, called paycardreader, was removed from the Google Play store yesterday, but Skora has also placed the source code on GitHub, a code-sharing website, and says the app doesn't actually save the swiped data, it just displays it.
It is possible that more malicious app developers could use similar methods to actively steal data though - an investigation by Channel 4 television in the UK earlier this year revealed it was possible to swipe details via a phone and use them to make purchases on Amazon.
I've warned of this from the beginning. As soon as this technology is adopted mainstream it'll be more than just a story in New Scientist.
I use NFC, both on my phone via Google Wallet, and about half of my cards have it. It doesn't bother me in the least. I've never had anyone I've ever known have a card duplicated and used for fraudulent means by reading the NFC tag from PayPass, PayWave, etc.
For one thing, it's a pain in the ass, literally. NFC really doesn't work until you're *very* close, and even though the article says contactless, in practice, that's not very true - you have to be 2-3 inches away.
I'm a lot more worried about the conventional stuff that works without contact and on all cards. I've never had an issue (thankfully!), but I've had friends get burned in a couple of relatively low-tech ways:
- A waiter copies down the number and buys a TV the next day from bestbuy.com
- The cousin of the owner of a shoddy gas station installed a card swiper on top of the card swiper on the gas pump
- Idiot merchants that save full credit card numbers in their database and get hacked
I've had friends get burned in a couple of relatively low-tech ways:
Yup. I normally pay cash in strange restaurants, especially where the waiter takes the card away behind the scenes. Sure enough, the only time I broke that cardinal rule a few years back was in a place in Nevada. My 'card' was being used days later in Indiana and the bank closed the account immediately. At least they figured out I couldn't be in 2 places at the same time.
It's also another reason I carry multiple cards, some with low limits just to avoid being ripped off for major amounts. The cards I used for business could easily charge a new car without question and you don't want to hand those off at a restaurant. ;)
Sad thing is requiring a simple PIN # or a cell phone SMS confirmation to complete the transaction would pretty much end all of this nonsense, fraud be gone.
A few months back, Lucky supermarkets up here in Northern California had hackers come in and install card / pin readers on the self-service checkout stands at a few of their store locations.
I guess that is pretty common as well at gas stations where you can fill up in the middle of the night and there is no attendant on duty.