How secure is mobile Near Field Communications (NFC)?

19 07 2012

Early this September the iPhone 5 is speculated to join the ranks of Near Field Communications enabled smartphones but how secure is this technology? Near Field Communications (NFC) is a wireless, short range, communication protocol between two devices. This communication protocol is currently being used for a variety of micro transactions: for example, Citi Bank Pay Pass, Google Wallet, and four square check in’s using Samsung’s TecTiles. With the focus of NFC on monetary microtransactions it is important to understand how it is vulnerable to attack: eavesdropping, skimming, malicious apps, and theft.

Eavesdropping NFC traffic happens when the owner is actively using NFC and skimming can happen without the owner taking the phone out of their pocket.  With a modified antenna a NFC or modified RFID device it is possible to listen to the NFC exchange past the typical range of about four inches.  Also a simple brush past a phone would be enough to copy the NFC data and hard to detect, especially in a crowded area.  Currently there are several software tools to attack NFC enabled phones, Collin Mulliner’s Python NDEF library, an app called “Google Wallet Cracker app” or a free app in the Goolge play store called, Ecardgrabber.

Malicious apps in mobile app store are a current day reality, on July 5th an app called  “First and Call” was in Apple’s app store and on June 24th “Super Mario Bros” was in the Google Play store.  Both apps have been pulled, but an unknown number of address books have been sold and an unknown number of premium SMS message costing the owners money have been sent by the approved mobile apps.  Those same malicious developers can NFC make apps that operate normally but copy of all stored credit cards to the developer.  Not all consumers are savvy enough to protect themselves and the app stores are have proven they can not protect their user base from every piece of malicious code.

NFC is also vulnerable to physical theft and with the current implementation of Google Wallet there is a maximum of two passcodes between the thief and the NFC’s vault of sensitive information.  However those two passcodes won’t protect your average user because according to Sophos, 67% of users do not have a password on their phone and the most common passcode is “1234”. There have also been proven exploits on the Android platform to reset both the device and google wallet’s pin using a prepaid phone card.

Using a smartphone for Near Field Communication is secure, not absolutely secure, with safe habits and industry support it can become a great tool. NFC has more security than the existing cell phone sms payment methods and necessary industry support to continue growing.  Visa and Samsung believe in NFC, they are giving every olympian a Samsung Galaxy S3 with Visa paywave.

_______________

http://www.popsci.com/gadgets/article/2011-02/near-field-communication-helping-your-smartphone-replace-your-wallet-2010/
http://www.symantec.com/connect/blogs/ecardgrabber-android-app-sniffing-contactless-credit-card-details-over-air
http://blog.eset.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default
http://nakedsecurity.sophos.com/2011/09/20/google-wallet-throw-away/
http://blogs.mcafee.com/mcafee-labs/mobile-nfc-features-raise-security-concerns
http://blogs.mcafee.com/enterprise/mobile/cracking-open-your-google-wallet
http://www.wired.com/gadgetlab/2012/07/first-ios-malware-found/
http://www.pcworld.com/businesscenter/article/259100/security_researchers_find_multistage_android_malware_on_google_play.html
http://blogs.mcafee.com/enterprise/mobile/nfc-payment-test-at-olympics-will-inspire-mobile-attackers-to-go-for-the-gold
http://pressreleases.visa.com/phoenix.zhtml?c=215693&p=irol-newsarticlePR&ID=1693590





The discussion of Security in Mobile Payment

2 11 2011

Have you paid bills by your mobile facilities, such as cell phone, PDA or mobile PC? If you have, have you been worried about the security of your purchase or privacy information through the mobile payment and the safety of mobile facilities and systems?

Mobile purchase becomes more and more popular nowadays. “According to Gartner, 340 million global users will use mobile payments in 2014, with such transaction totaling $245 billion, up from $32 billion last year.”[1] This means the mobile-commerce market will enlarge almost eight times in 2014. Many companies have already focused on this business opportunity. Not only the traditional e-commerce companies, such as Amazon and e-Bay,but also some technology companies, such as Google, are working on platform and software to get an advantage in this potential market. This year Google announced that they planned to “start testing a mobile-payment system with the near-field-communication (NFC) technology, which lets consumers pay for products and services by tapping a device against a register at checkout, giving them an alternative to cash or physical credit cards.”[2] In the same year, Amazon and eBay also developed their mobile payment services (Amazon’s MPS and EBay’s ISIS) based on NFC.

NFC is a more advanced technology than RFID (Radio-frequency identification) and Bluetooth for its low-power consumption and higher safety. In NFC based payment system, the mobile device contains two smart chips, the normal SIM card and a separate NFC payment chip. The customer can make a pay by holding the mobile device in front of a NFC reader and entering a security PIN to authorize the deal, so the deal can be finished between a few centimeters. Although this can provide a certain level of safeguard for the customers, there are still bugs in the NFC payment system and design flaws in the NFC devices.

As all wireless signals, the signal of NFC can be eavesdropped with antennas. Data transferred in NFC is much safer than data transferred in RFID, but still has some possibility to be manipulated. Relay attack is also possible for NFC. The hacker can break into the communication procedure and forward a reader request to the victim. When then victim reply, the hacker will get the reply and use this message to analysis user’s information. The hacker can pretend to be the user to carry out some task or even modify the user’s setting. If you lose your phone, the potential security problem could be even worse than any kinds of attack. You provide a free access to your mobile phone. The attacker can decipher the NFC payment chip and make a deal using your device.

The way that making deals between NFC devices is one of the methods of mobile payment, which is called direct mobile billing. The other method is mobile web payment, which means customers can make online transactions by their mobile devices, such as online wallets, online banking and direct operator billings. As we know, the invention and development of Apple’s iPhone and Google’s Android smart systems make the evolution of the smart phone market. People can skim over the website more conveniently and quickly. Therefore, the customers have more chances to choose and buy what they prefer in the online market. At the same time, mobile payment is more popular than ever before. Compared with the PC systems, the smart systems of the mobile devices are still young and have many flaws, so they are easier to attack than PC systems. “Recent studies show that the world of mobile malware is dominated by Trojans and not by worms or viruses. The main reason for this is that Trojans do not need any propagation vector and simply rely on the user’s curiosity to download and install them.”[3] The attacker could make some utility programs or popular games to attract user’s interest. When the user download and install such programs, their mobile devices could be installed by a spyware or a malware. The spyware can collect the user’s information, including ID information, PIN data, incoming and outgoing data, to send to the attacker. There are some famous spyware or malware: Flexispy[4], PbStealer[5] and KeyLogger. The user should be careful when downloading application from internet, and install safeguard software to have certain level of protection.

Instead of traditional payment, mobile payment is a representative of future payment.  Bugs and insecurities will be solved sooner or later. The unsafe elements in the mobile payment systems and mobile devices cannot stop the development of m-payment.

__________________

[1]http://www.bloomberg.com/news/2011-03-31/amazon-com-said-to-be-considering-mobile-payment-service-for-smartphones.html

[2]http://www.bloomberg.com/news/2011-03-15/google-is-said-to-ready-payment-test-in-new-york-san-francisco.html

[3]  Shivani Agarwal, Mitesh Khapra, Bernard Menezes and Nirav Uchat”Security Issues in Mobile Payment Systems”

[4]F-Secure Malware Information Pages: Flexispy.A. (Online) http://www.f-secure.com/v-descs/flexispy_a.shtml.

[5]F-Secure Virus Descriptions : Pbstealer.A. (Online) http://www.f-secure.com/v-descs/pbstealer_a.shtml.