Above image: Copyright © 2012 RFID Protect
The Australian edition of Secure Business Intelligence magazine, (or SC to those in the know), has uncovered evidence of a new Android app capable of skimming customer data from contactless payment cards! Earlier this year Thomas Cannon (ViaForensics) successfully demonstrated (on ITN Channel 4 News) a prototype app for NFC smartphones that could e-pickpocket the victims’ bank card account number, expiry dates and obtain sufficient details to enable purchases with a major online store.
It seems that Developer Thomas Skora, (Integralis), has taken Canons’ concept one step further – his new app called ‘paycardreader‘ not only skims card details, but it is claimed this tech can also access, “…transactions and merchant IDs” when tested against certain PayPass Mastercards.
Interviewed by SC during an awareness-raising event for the security industry,
Skora stated that his app was, “…only for technical demonstration”.
SC magazine suggests that the app, “…was available for download on the Google Play Store and on GitHub” although we were unable to track it down and suspect that it has since been removed for fear this technology will fall into the wrong hands.
Mindful that in Thomas Cannon and Thomas Skora we now have two independent app developers that have successfully produced a functional ‘e-pickpocket’ app for smartphones, important questions need to be asked of our security professionals. For instance, are there more developers working on similar applications we wonder? And just how long before organised crime produces its own version? After all, it could be argued that the prospect of a ‘contactless’ theft – one where the victim doesn’t even realise they’ve been ‘mugged’ – will be an attractive proposition for career criminals; and therefore is likely to be an idea worthy of their time and investment.
Learn more about e-pickpocketing at: www.e-pickpocket.com
Or watch Thomas Cannon in action here: www.rfidprotect.co.uk/video6.html
Original source: http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx