Recently viaForensics developed a proof-of-concept mobile app, running on an Android device, that was capable of reading data from contactless credit cards simply by placing the device on or near the card. This type of vulnerability has been demonstrated in the past, and we viewed our proof of concept as interesting mainly because a common consumer smartphone can now serve as the reader. However, it is quite clear from the many reports in the media that this issue has struck a chord with people.

The data we read from the credit card, including your name, full card number and expiration date, should not be sufficient for online credit card fraud, but the Channel 4 UK report demonstrated that fraudulent purchases were possible with some retailers. Beyond the clear risk of credit card fraud, there are less obvious and perhaps more pervasive risks such as identity theft, invasion of privacy and the ability to track people. All of these are a concern to consumers, corporations and security companies such as viaForensics.

Although the initial reports focused on our ability to read some Barclays VISA cards in the UK, we performed additional testing and found that other issuers' cards are susceptible to this vulnerability. Thus, this is not an issue specific to Barclays but one that affects the industry more broadly. It is also important to note that we were unable to read data from many cards, likely because they used a different standard that prevented us from reading the details.

The proof-of-concept attack we demonstrated was not especially difficult to develop – although we do have quite excellent researchers – and it could certainly be refined. We developed the app for Android, but it could run on other smartphones or other platforms. Far more powerful readers are available that would increase the distance and success rate for reading cards. As it stands, the smartphone is fairly underpowered compared to specialized reader equipment and would have a higher than desirable fail rate for criminals.

Since the major media exposure, we have found the credit card industry to be very responsive on this issue. We have had conversations with impacted organizations, and they are focused on understanding and addressing the problem.

Technology is changing our lives at an amazing pace. While there are enormous benefits, there are, at times, missteps. We do not believe the exciting developments in the payment, credit card and mobile space are generally on the wrong path. Security and privacy do, however, need to be addressed rapidly and continuously if organizations are to win the trust of consumers. So while some of the recent developments may be concerning, we feel that the industry is well positioned to address security problems and continue to drive the innovation we all want to participate in.
Andrew Hoog is a computer scientist, mobile forensics researcher, and Founder and Board Member of NowSecure. Hoog has one patent issued, and two pending, and is the author of two books on mobile forensics and security. When not breaking (or fixing) things, he enjoys great wine, science fiction, running and tinkering with geeky gadgets.