NFC mobile threats on the horizon: What happens when we wave our wallets to pay?

While it's not quite Star Trek tech yet, being able to wave your smartphone to make a payment is so cool that there are now 35 million NFC-enabled mobile phones in the world. With the launch of Google Wallet in the U.S., IMS Research says there will be 80 million NFC cell phones by the end of 2012. In fact, the booming tech of Near Field Communications (NFC) transactions that enable contactless and mobile payments will take the USA by storm, with mobile payments predicted to reach $630 billion by 2014. All that money is too tempting a target, as a Lookout Mobile Security threat report warned: NFC trends like the mobile wallet will only encourage hackers. Lookout's CTO Kevin Mahaffey said, "At this stage malware writers are still experimenting, but in time we anticipate the threats to be more targeted and sophisticated." According to Silicon Angle, "Malware creators are gearing up for when things like NFC payments and stored value go mainstream."


NFC wireless technology is considered a "complement to Bluetooth," reported Threatpost, and it has been "built into mobile phones and a wide range of wireless smart tags, akin to RFID tags, that can store a wide range of information and interact wirelessly with NFC-enabled phones. Applications for NFC technology include mobile payments, in which phone users could transmit credit card or banking information wirelessly from their phone to a check out device, as well as ticketing. So-called 'smart posters' have already been deployed in some cities and contain smart tags with direction and even information that can be wirelessly transmitted when NFC phones are brought in proximity to the phone."

A new research paper, Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones [PDF], discusses the "first generic practical implementation of a contactless relay attack using only NFC-enabled mobile phones and software applications." A successful relay attack required no special hardware for the NFC mobile phones; instead it only required installing a mobile phone app to turn the off-the-shelf NFC mobile phones into both a proxy-token and a proxy reader. The authors wrote, "The attack implementation required no unlocking of devices or secure elements, no hardware or software modification to the phone platform, and minimal knowledge of the data that was to be relayed. Neither was there any need to access the mobile network or any related services, and we utilized devices of a form factor accepted by merchants."

The attack implementation was application independent so would work against a number of conventional contactless systems. For example, we experimentally verified that the implementation worked against both test payment and e-passport systems in a controlled environment. The 'software-only' nature of this relay attack implementation increases the likelihood of it being used in practice (e.g. an attacker simply downloads the applications), and so represents a potential threat to real-world systems.

Collin Mulliner, a mobile security researcher at the Technical University of Berlin, has been hacking NFC mobile devices and exploiting security vulnerabilities in NFC-based services since 2008. At the European 'Digital Footprint in a Mobile Environment' conference, Mulliner presented several major security flaws in the design and implementation of NFC technology. "The issues highlighted in Mulliner's speech were a lack of encryption that could lead to man-in-the-middle (MITM) eavesdropping, spoofing and corruption attacks, the ability to spoof URI - Universal Resource Indicators - from 'smart' posters used for NFC-powered advertising, and flaws in current NFC handsets that can cause serious issues," Thinq reported.

Mulliner warned of potential NFC attack vectors at NinjaCon 2011 and other security conferences [PDF], but at the European Commission Joint Research Center event, he showed how, if an attacker were close enough to an NFC-enabled smartphone, malicious code could be 'injected' into the device so that custom software could be installed to force the phone to do anything the attacker wanted without the victim ever knowing. Mulliner's proof-of-concept self-propagating worm "uses NFC radios to find nearby devices to infect. The result: the digital equivalent of an airborne virus, capable of spreading rapidly between carriers simply via proximity." More can be found on the UK RFID Blog about the Internet of Things [PDF].


We are no doubt just beginning to see exploit methods and attacks on NFC-enabled devices. Some privacy and information security experts warn that it's a mistake to dive into NFC without embedding privacy by design and strong security from the start. Although the Google Wallet Android app is an increasingly popular choice in the U.S., it received a FAIL rating according to the latest ViaForensics report, "Forensic security analysis of Google Wallet." The unencrypted data stored on the device includes credit card balance, limits, expiration date, name on card, transaction dates and locations. Transactions are recoverable even if the data has been deleted, as are the cardholder's name, expiration date, last 4 card digits, and registered email account. All of this could leave users wide open to successful social engineering attacks. The good news is that Google Wallet was successful in protecting against MITM attacks over Wi-Fi when some other NFC payment systems are open to MITM eavesdropping.

Copyright © 2011 IDG Communications, Inc.
