Mobile ‘Wallets’ Attract Greater Interest From Thieves, Researchers

As mobile phones allow us to carry our money in an electronic “wallet,” they will also become a greater target for crooks. Picking a pocket is a risky endeavor for a thief, but it will be much less so if all they need to do is bump into their victims or brush by them with a mobile phone. Thieves are now more likely to go after both mobile payment software and phones enabled with near-field communications (NFC). However, things are not so bad; security researchers’ proof-of-concept (PoC) attacks against Google Wallet and Square’s credit card readers have prompted improvements in security.
[Image: Square's credit card readers recently added encryption for credit card data.]

Security researchers have already tested Square’s credit card readers, using exploits and keyloggers to intercept credit card numbers as they pass to their mobile phones. Square has now added encryption to new versions of its credit card reader. Does that mean that they’re completely secure? Not necessarily. Security researcher Adam Laurie is taking a closer look. Laurie has a large amount of experience in reverse-engineering embedded systems and RFID hardware. His research includes finding vulnerabilities in hotel room safes, RFID passports, and chip and PIN credit cards (see http://www.youtube.com/watch?v=cPcmZ7zIqfo&feature=youtu.be, http://www.youtube.com/watch?v=3vAvesYoHeo&feature=youtu.be, http://www.youtube.com/watch?v=JABJlvrZWbY&feature=youtu.be). As word of the new, more secure Square readers arrived, he posted an open request on Twitter. This can only be good for the security of the mobile payment system.
[Image: Researcher Adam Laurie requests one of the new encrypted Square readers from his Twitter followers.]

NFC-enabled contactless (“tap and pay”) credit cards are also at risk from an attacker with a specially crafted app and NFC-enabled mobile phone. Researchers at viaForensics have demonstrated a PoC NFC reader Android app that can grab the information on your credit card just by placing the phone nearby. An attacker can walk through a crowd and collect numbers and expiration dates from numerous victims. The
CVV2 and other card verification numbers aren’t included, so it is more difficult for a criminal to resell stolen credit card information. Generally the CVV2 number, printed on the back of credit cards, is used to verify that online transactions are being made by someone who has the actual card. Most online shopping sites won’t allow a purchase if the customer doesn’t have that number. However, this didn’t stop viaForensics’ partner, the UK’s Channel 4 News, from being able to use this minimal card information on a popular online shopping site.
These latest phone enhancements have inspired an increasing interest in mobile payment security from both the bad guys and security researchers.
Original article: Monday, April 2, 2012 at 9:00am by Jimmy Shah