Tuesday, July 24, 2012

NFC at the Summer Games Could Be Exploited

NFC is an acronym for near field communication, a wireless technology that allows devices to talk to each other. In the case of a mobile wallet application, those devices would be a mobile phone and a point-of-sale device at a checkout counter.

Visa is testing its PayWave NFC contactless payment service at the Summer Olympics in London. Every athlete will get a Samsung Galaxy SIII phone enabled with near-field communication (NFC) along with Visa’s payment app.

NFC can be used in other ways beyond credit card transactions. It can integrate with hardware, such as your car, to unlock a door. It can activate software.

Soon enough, using your phone as a credit card will be commonplace. Mobile contactless payments, in which you pay by holding your phone near the payment reader at the register, are expected to increase by 1,077% by 2015.

All of this is well and good. However, there are security issues with NFC that still need addressing. McAfee researchers point to a technique called “fuzzing the hardware”, which involves feeding corrupt or damaged data to an app to discover vulnerabilities. Once such a vulnerability is found, the attacker must research and develop an exploit to perform various attacks (e.g. steal credit card info, export the data to the attacker, leak credit card info to any requester). The attacker will then need to find a method to have the victim run the exploit. This entire process costs attackers and criminals time and money, which can be justified in the case of NFC-enabled phones and a multitude of stores with card readers.

McAfee discovered exploitable vulnerabilities on Android and iOS phones. If someone has NFC turned on, an attacker in close proximity can pick up every signal to gather private information or payment information on an athlete’s device. It is almost like pickpocketing, but they don’t even have to touch you.

McAfee researcher Jimmy Shah stated that an attacker wishing to target the Samsung Galaxy SIII devices at the summer games can purchase one easily and use the researcher’s data to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases.

Users can protect themselves by obtaining apps from the Google Play Market, Amazon’s Appstore, or their carrier’s app store, avoiding third-party stores that may have pirated or maliciously modified software. Reviews from other users are also helpful in determining safer apps.

NFC handsets are set to increase to about 80 million next year. Gartner estimates that 50% of smartphones will have NFC capability by 2015. Pay attention to what’s happening in the world of NFC, mobile payment and mobile security because before you know it, your wallet will be your mobile phone.

By Robert Siciliano

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)