[LINK] Fairfax: 'Hackers can bank on NFC'
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Aug 10 12:09:05 AEST 2012
[The article below tackles one of many areas of vulnerability of the
payment schemes that are being foisted on consumers by financial
institutions, while oversight agencies stay asleep at the wheel.]
[The reality is that authentication-less financial transactions,
particularly when conducted with mobile devices, and even more so
using contactless schemes such as NFC:
- are fraught with enormous risks
- impose those risks not on banks, nor on merchants, but on consumers]
Hackers can bank on NFC
Liam Tung
August 8, 2012
The Sydney Morning Herald
http://www.smh.com.au/it-pro/security-it/hackers-can-bank-on-nfc-20120808-23tdt.html
Imagine tapping your smartphone on a retailer's contact-less payment
terminal to buy your groceries. Hidden near the terminal is a small
wireless tag that instructs the phone to silently hand complete
control over your phone to an attacker.
This scenario is as unlikely as a waiter taking your card and copying
it for fraud, according to Charlie Miller, principal research
consultant at US security firm Accuvant. Miller recently demonstrated
how he could hijack a person's smartphone by using the device's
embedded near-field communications (NFC) chip.
NFC is a wireless communication protocol that supports data
transmission over short distances between NFC-equipped devices. One
of its most promising applications is contact-less payments, already
available with Visa's payWave and MasterCard's PayPass cards that can
be waved over terminals to pay.
Smartphones are emerging as the next frontier in contact-less
payments, which Visa and Samsung are showcasing at the 2012 Olympics.
Sponsored athletes have been given Samsung Galaxy SIII devices which
they can use at 140,000 NFC payment terminals across London.
Analyst firm Forrester forecasts 100 million NFC-smartphones will be
shipped in 2012, while Google announced in June that 1 million
NFC-enabled Android devices were activated each week. Regardless of
hardware manufacturer, they are capable of running Google Wallet, a
virtual wallet that uses Google's Beam app, built into Android
devices. While NFC proponents promise convenient payments, Miller's
demonstration is a reminder that any new communications channel on a
device exposes it to new attacks.
He used an NFC tag to instruct the Beam app to open a webpage that
contained a specially crafted attack or "exploit" for a weakness in
Android's browser. It gave him "root access" to the device, meaning
he could take control of it, steal files, or make phone calls and
send SMS.
He did not undermine the security of NFC itself or compromise an NFC
transaction, but illustrated his attack can shadow the victim and
expose more than card data.
"The real difference has to do with the persistence of attack. If a
bad guy can break into your smartphone, they can extract the data or
wait for you to use payments and watch your keystrokes, monitor your
traffic and so on as long as they have their code running on your
device," Miller told IT Pro.
Miller's hack illustrates a pitfall with rapid adoption of a new
technology, says George Kurtz, CEO of security startup, CrowdStrike,
which gave Miller the Android browser exploit to root the device.
"In the early implementations, [vendors] sort of default to be 'open
and helpful'," Kurtz told IT Pro.
"Look at the [Android] Beam application. It's on by default, it
sends and accepts URLs, it just works. And the folks that designed it
probably said, 'Great, we'll turn it on, we'll make it so the user
doesn't have to do anything for convenience'."
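The two passages above describe the weak link: a tag carries a URL and the phone opens it without asking. As an added illustration that is not part of the article or of Android's own code, this parses the NFC Forum NDEF URI record a tag would carry and applies a "confirm before opening" policy in place of the on-by-default behaviour Kurtz describes. The tag bytes and the trusted-host set are constructed for the example.

```python
# Added example, not from the article: parse an NDEF message as read from an
# NFC tag, pull out URI records, and gate auto-opening behind a policy check.
import struct
from urllib.parse import urlparse

# NFC Forum URI record prefix codes (subset of the standard abbreviation table)
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def parse_ndef(msg: bytes):
    """Return a list of (tnf, type, payload) for each record in an NDEF message."""
    records, i = [], 0
    while i < len(msg):
        hdr = msg[i]; i += 1
        sr, il, tnf = bool(hdr & 0x10), bool(hdr & 0x08), hdr & 0x07
        type_len = msg[i]; i += 1
        if sr:                                   # short record: 1-byte payload length
            payload_len = msg[i]; i += 1
        else:                                    # long record: 4-byte big-endian length
            payload_len = struct.unpack(">I", msg[i:i + 4])[0]; i += 4
        id_len = 0
        if il:
            id_len = msg[i]; i += 1
        rtype = msg[i:i + type_len]; i += type_len + id_len
        if i + payload_len > len(msg):           # malformed tag: refuse rather than guess
            raise ValueError("truncated NDEF record")
        records.append((tnf, rtype, msg[i:i + payload_len])); i += payload_len
        if hdr & 0x40:                           # ME bit: last record in the message
            break
    return records

def uri_records(msg: bytes):
    """Expand well-known URI records (TNF 0x01, type 'U') into full URL strings."""
    return [URI_PREFIXES.get(p[0], "") + p[1:].decode("utf-8")
            for tnf, t, p in parse_ndef(msg) if tnf == 0x01 and t == b"U" and p]

def auto_open_decision(url: str, trusted_hosts) -> str:
    """Defender policy: only https URLs to known hosts open silently; anything else prompts."""
    p = urlparse(url)
    return "open" if p.scheme == "https" and p.hostname in trusted_hosts else "prompt"

# Constructed sample tag: one short URI record, prefix 0x03 ("http://") + "example.test/pay"
SAMPLE_TAG = bytes([0xD1, 0x01, 0x11, 0x55, 0x03]) + b"example.test/pay"

if __name__ == "__main__":
    for url in uri_records(SAMPLE_TAG):
        print(url, "->", auto_open_decision(url, {"pay.example.test"}))
```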
Kurtz does not see Miller's hack slowing down deployment of NFC.
Banks will likely compare those risks to the shoddy security offered
by magnetic stripes, which have been in place for the past 40 years,
but he said it was indicative of what the "perfect attack" would
look like.
Westpac this week said it would trial an Android contact-less mobile
app with MasterCard.
The 100-cardholder trial will use the Samsung Galaxy III smartphone
and insert the card details onto the phone's SIM card. It will be
rolled out next year. MasterCard Australia head of market development
and innovation Matt Barr said the company was confident of the
security of its NFC technology.
"We are aware of the possibility of [someone] getting access to
information of a card, but it's not enough for a transaction," he
said.
Barr said even if the card number and expiry date were obtained, a
unique algorithm would still be needed to hijack the transaction.
A spokesman for the Commonwealth Bank, which is counting on NFC as one
of its mobile payment technologies, pointed IT Pro to the bank's
webpage where it tells clients its MasterCard PayPass transactions
are monitored for fraud around the clock and any unauthorised
transactions will be fully refunded.
As to hackers gaining access to other information on the phone via
NFC, as suggested by Miller, Barr said: "There's several layers of
security. The recommendation is not to share your PIN or use the same
PIN across multiple services."
The next phase would be to use Miller's attack and CrowdStrike's
Android browser exploit to replicate Google Wallet.
"So you simply skim it, get all the information you need, root the
device, pull out the wallet and then be able to replicate that wallet
into a different device so that you can actually charge things, and
commit financial fraud," explained Kurtz.
"Not only do you have access to the device and do whatever you want,
but then you've got the wallet which you can replicate somewhere
else. That seems like a home run to me."
Replicating a Google Wallet would be "no walk in the park", said
Kurtz, but the scenario being unlikely did not guarantee it wouldn't
happen.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of NSW
Visiting Professor in Computer Science Australian National University