AlertBoot offers a cloud-based data and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Android Phone App Security: App Steals Contactless Credit Card Data

The world of mobile phone security certainly is more interesting than that of laptops and desktop computers. If you haven't heard, there is now an app for skimming information from NFC cards via a smartphone. The technology is apparently so new that some people have problems understanding what it does:

The "paycardreader" app lets thieves "skim the card numbers and dates, along with transactions and merchant IDs" of nearby people's phones. Both hacker and victim must have NFC-smartphones equipped in order for the app to work. [mobiledia.com]

As I understand it, this is not the case at all. What the app does is best summarized by newscientist.com (my emphases):

Got a credit card equipped with a contactless payment chip? Then watch out next time someone bumps into you in the street - they may have just mugged you with an app.

Contactless cards use near field communications (NFC) chips to exchange your payment details with a merchant's till, and some smartphones also come equipped with NFC chips to let you use them as a wallet. Now security researcher Thomas Skora has written an app that turns any NFC phone into a reader and successfully read card numbers, expiry dates, transactions and merchant IDs from German credit cards.

What the app does is attack credit cards, not phones.  So, if you think about it, this is not malware as we know it.  Sure, it's evil software -- just like a keystroke logger can be -- but whoever downloads the app to their smartphone knows exactly why they did so.  It's not a virus.  It's not a trojan.  It's not hiding from the user's eyes or mind; it's aiding the user.

I'm not sure where or how mobiledia.com managed to get the one detail wrong, but the rest of their article is top-notch.

A solution for this problem could be the use of a wallet specially designed to block RFID signals. (That is, aside from pulling the app from Google Play. Contrary to reports, it's no longer listed in the app store, although I can only point out this fact because I'm slower in reporting the story.)

In fact, such products extend beyond the realm of wallets.  You can also make your own RFID-shielded wallets.  Out of duct tape.


Related Articles and Sites:
http://www.newscientist.com/blogs/onepercent/2012/06/android-app-lets-you-swipe-con.html
http://www.mobiledia.com/news/154840.html
http://it.slashdot.org/story/12/06/21/1232228/android-app-lets-you-steal-contactless-credit-card-data

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.