Payments and NFC Still Under Fire

After spending a few days around Security Week (BlackHat, Defcon, BSidesLV) last week, I was constantly amazed at the excitement and innovation around security. Unfortunately, most of this focused on the attack side, but nevertheless, it will drive security thinking forward (which is what we want!).

Several researchers focused on Near Field Communication (NFC) implementations, as this technology is quickly becoming embedded in many mobile devices. While you may not be an NFC expert, you have almost certainly used NFC before. Any time you have paid with a credit card in a contactless way, paid for transport in London with an Oyster card, or even started a new automobile with a keyless fob, you were using a form of NFC. Businesses want NFC because it offers (in some cases) better authentication of payment devices, easier ways to interact with customers (with minimal intrusion), and can potentially increase efficiency on both sides of the relationship. As with most technological innovations, businesses will get very creative in finding ways to monetize it.

But as with most technological innovations, implementation is often more important than design (see WEP/RC4). Researchers last week showed how implementing an NFC interface on a smartphone can potentially be disastrous for its owner. In this case, the software behind the hardware was the problem, and software manufacturers must be vigilant in their quest to release stable, secure products.

Another researcher at DEFCON demonstrated quite the opposite: he used a smartphone’s NFC hardware to capture payment information from a contactless payment instrument, store it, and then replay it to complete a transaction. This is not a new attack, as we’ve seen replay of RFID before, but it’s a much stealthier one because everything is contained within the phone. Imagine walking past someone and pushing “attack” on your phone’s software moments before the swing of your arm lines up with the pocket holding his wallet: the payment instruments are quickly and stealthily interrogated, and the captured data is used to buy things later.

If nothing else, this demonstrates that you should be personally vigilant about watching every charge posted to your accounts, setting up plenty of alerts to flag unusual activity, and disabling anything you are not actively using. If you are concerned about people stealing your payment information, you can put your cards into paper-thin shielding sleeves that prevent a reader from interacting with them, or simply request a card that does not have the contactless technology embedded in it.
