RFID protection is needed as a new Android application seems capable of siphoning credit card data from contactless bank cards.

Above image: Copyright © 2012 RFID Protect

The Australian edition of Secure Business Intelligence magazine, (or SC to those in the know), has uncovered evidence of a new Android app capable of skimming customer data from contactless payment cards!  Earlier this year Thomas Cannon (ViaForensics) successfully demonstrated (on ITN Channel 4 News) a prototype app for NFC smartphones that could e-pickpocket the victims’ bank card account number, expiry dates and obtain sufficient details to enable purchases with a major online store.

It seems that Developer Thomas Skora, (Integralis), has taken Canons’ concept one step further – his new app called ‘paycardreader‘ not only skims card details, but it is claimed this tech can also access, “…transactions and merchant IDs” when tested against certain PayPass Mastercards.

Interviewed by SC during an awareness-raising event for the security industry,

Skora stated that his app was, “…only for technical demonstration”.

SC magazine suggests that the app, “…was available for download on the Google Play Store and on GitHub” although we were unable to track it down and suspect that it has since been removed for fear this technology will fall into the wrong hands.

Mindful that in Thomas Cannon and Thomas Skora we now have two independent app developers that have successfully produced a functional ‘e-pickpocket’ app for smartphones, important questions need to be asked of our security professionals. For instance, are there more developers working on similar applications we wonder? And just how long before organised crime produces its own version?  After all, it could be argued that the prospect of a ‘contactless’ theft – one where the victim doesn’t even realise they’ve been ‘mugged’ – will be an attractive proposition for career criminals; and therefore is likely to be an idea worthy of their time and investment.

Learn more about e-pickpocketing at: www.e-pickpocket.com

Or watch Thomas Cannon in action here: www.rfidprotect.co.uk/video6.html

Original source:  http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx

UK consumers fear ‘contactless’ or ‘wave and pay’ mobile wallet hacking

In early November 2011, BBC News services reported that malware attacks on UK Android Apps, and smartphone fraud in general had risen by a staggering 800% since this time last year!!!!  Today we learn from The Telegraph newspaper that,

“…the majority of Britons are scared of ‘wave and pay’, [and with] only a small minority of people keen to use their mobiles like wallets. [Many] fear that ‘wave and pay’ apps will lead to greater security breaches”. 

Emma Barnett, Digital Media Editor for the Telegraph elaborated stating,

“…[the] Intersperience study, which polled 1,000 people as part of a larger project entitled ‘Digital Selves’, found that phone hacking fears are dominating consumers’ security concerns when thinking about adopting new mobile wallet payment systems.”

A spokesperson for Paypal recently intimated that mass adoption of contactless payments for products using mobile phones, or smart credit cards is at least three years away.  This is perhaps not surprising given that very few UK retailers offer this type of payment option to their customers.

Meanwhile, UK company RFID Protect has announced its intentions to offer a solution for smartphone users wary of this technology.  It comes in the shape of a simple App that will be launched mid 2012, and made available to download from www.rfidprotect.co.uk

So before too long, iPhone and Android users will have the option to disable their NFC (Near Field Communication) feature and in the words of a RFID Protect spokesperson, “MAKE YOURSELF INVISIBLE’ to would be phone hackers, e-pickpockets and e-payment skimmers.  Apparently, there’s a timer function too – so users get to determine the amount of time their phone can be read by third parties.

Read the full Telegraph article at:

http://www.telegraph.co.uk/technology/news/8825183/Majority-of-Britons-are-scared-of-wave-and-pay.html

First published on the: 14 October 2011

British Broadcasting Corporation warn about smart phone hacking

Today the BBC broke news of a staggering development in the world of smart phone / contactless technology.  In short, unscrupulous hackers and the criminal fraternity have managed to exploit a weakness in the means by which Apple’s i-Phone, Blackberry, and Android handsets connect with wi-fi or ‘open networks’.  The end result is that these particular devices may broadcast personal data, often in the course of normal social media interactions using i.e. Facebook and Twitter, which can be viewed by a third parties.  Scary stuff indeed!  This is what a BBC spokesperson had to say on the issue:

“The main lesson must be how insecure you can be if you sit in a public place and go online using an open network. I’d heard about Firesheep, a tool demonstrated recently as a warning of the dangers of open networks and unencrypted cookies. But sitting and watching as your entire life – or rather your social-networking life – is laid bare is very sobering.”

Rory Cellan-Jones, BBC Correspondent

Read the full article at:

http://www.bbc.co.uk/blogs/thereporters/rorycellanjones/2010/11/iphone_cracking_wifi.html

First published at BBC Online: 08:40 UK time, Tuesday, 23 November 2010

UPDATE:  (November 07, 2011) BBC News reports that malware attacks on UK andriod APPs, and smartphone fraud in general is up a staggering 800% since this time last year!!!!  The shape of things to come – who knows, perhaps?