The world of mobile phone security certainly is more interesting than that of laptops and desktop computers. If you haven't heard, there is now an app for skimming information from NFC cards via a smartphone. The technology is apparently so new that some people have problems understanding what it does:
The "paycardreader" app lets thieves "skim the card numbers and dates, along with transactions and merchant IDs" of nearby people's phones. Both hacker and victim must have NFC-smartphones equipped in order for the app to work. [mobiledia.com]
As I understand it, this is not the case at all. What the app does is best summarized by newscientist.com (my emphases):
Got a credit card equipped with a contactless payment chip? Then watch out next time someone bumps into you in the street - they may have just mugged you with an app.
Contactless cards use near field communications (NFC) chips to exchange your payment details with a merchant's till, and some smartphones also come equipped with NFC chips to let you use them as a wallet. Now security researcher Thomas Skora has written an app that turns any NFC phone into a reader and successfully read card numbers, expiry dates, transactions and merchant IDs from German credit cards.
What the app does is attack credit cards, not phones. So, if you think about it, this is not malware as we know it. Sure, it's evil software -- just like a keystroke logger can be -- but whoever downloads the app to their smartphone knows exactly why they did so. It's not a virus. It's not a trojan. It's not hiding from the user's eyes or mind; it's aiding the user.
I'm not sure where or how mobiledia.com managed to get the one detail wrong, but the rest of their article is top-notch.
A solution for this problem (well, aside from pulling the app from Google Play; contrary to reports, it's not listed anymore in the app store, although I can only point out this fact since I'm slower in reporting the story) could be the use of a wallet especially designed to block RFID signals.
In fact, such products extend beyond the realm of wallets. You can also make your own RFID-shielded wallets. Out of duct tape.
Related Articles and Sites:
http://www.newscientist.com/blogs/onepercent/2012/06/android-app-lets-you-swipe-con.html
http://www.mobiledia.com/news/154840.html
http://it.slashdot.org/story/12/06/21/1232228/android-app-lets-you-steal-contactless-credit-card-data