
Android app steals contactless credit card data

  • 22-06-2012 2:45am
    #1
    Closed Accounts Posts: 1,455 ✭✭✭


    http://www.scmagazine.com.au/News/305881,android-app-steals-contactless-credit-card-data.aspx
    A German penetration tester has posted to the Google store an Android application capable of siphoning credit card data from contactless bank cards.


    The app, dubbed paycardreader, will skim card numbers and expiry dates, along with transactions and merchant IDs, and was successfully tested against a German PayPass Mastercard.


    Developer Thomas Skora, senior consultant for Integralis, said it also worked with Germany’s popular GeldKarte.
    The app required either an NFC-enabled (near field communications) handset, or for users to attach a near field communications transmitter to their Android phones.


    Skora said the app was “only for technical demonstration” to demonstrate how data could be swiped from contactless cards.
    The paycardreader was launched at Integralis Security World 12 in Germany and was considered still unstable.
    It was available for download on the Google Play Store and on GitHub.
    Contactless cards have previously been proven hackable by security researchers.


    Auckland University researcher and veteran cryptography boffin Peter Gutmann demonstrated how data could be skimmed from credit cards such as PayWave and PayPass with off-the-shelf kit purchased for around $10 from eBay.


    He told SC last month that while the weaknesses in the cards were concerning, it was not an effective means to harvest lots of credit card numbers.
    However, it could be attractive for unskilled users for low-scale fraud.


Comments

  • Closed Accounts Posts: 2,663 ✭✭✭Cork24


    Once again the problem with data being sent by means of wavelengths.


  • Banned (with Prison Access) Posts: 16,659 ✭✭✭✭dahamsta


    The problem isn't with RF, it's with bad security on the RF transmissions.


  • Registered Users Posts: 2,464 ✭✭✭SweetCaliber


    Although he was only demonstrating, he should not have posted that on the Google Play store for others to download.

    That will just get him into serious trouble down the line.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    It's the whole responsible disclosure argument imho.

    He did his research and he wanted to test it. I get it. He could have tested it and verified his findings on his own kit and not forced the banking institutions' hands by putting innocent users at risk.

    By verifying his findings and going to the media the end result would be the same without the risk to the public (i.e.: post the exploit *after* the company has a chance to patch the hole).

    Also agree it's the quality of the security of data being transmitted rather than the method that is the issue here. If it is not possible to secure the data when being transmitted by RF then fair enough, that medium should be either abandoned or used only for "harmless" data; if it *is* possible to secure it then the companies are just being lazy and irresponsible by not researching it fully before implementation.

    I would judge an organisation more on how they react to a security risk notification than I would on whether the risk exists in the first place. Similarly, I would judge a security professional more on how they expose a risk than how ingenious or effective the methods used to find the risk were. In this particular scenario (from the details given) the researcher is more at fault for any ill side effects than the organisation imho. (Wonderful, it's not a mass card detail hoover; that's really going to comfort an individual who gets their card details slurped by a tech-savvy "amateur".)


  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    There was a great talk at Kiwicon about a similar thing.

    November 11, 2011 --
    NFC on mobile phones is a new phenomenon and opens a lot of possibilities for research, particularly when talking about mobile payment platforms. Lateral Security's Nick discusses the good, the bad and the ugly of mobile NFC.

    http://risky.biz/KiwiconNFC

