• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 

A sophisticated cyberattack hit the International Criminal Court

 | 

Esse Health data breach impacted 263,000 individuals

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • NFC attack can steal your credit card information

NFC attack can steal your credit card information

Pierluigi Paganini June 09, 2015

Crooks are using the NFC capability of Android smartphone to steal your credit card data, two researchers presented the PoC at the HITB.

Crooks are using the NFC capability of Android smartphone to steal your credit card data, it’s scaring but true.

But first let’s introduce the Near field communication (NFC) as “a set of standards for mobile devices designed to establish radio communication with each other by being touched together or brought within a short distance. The NFC standard regulates a radio technology that allows two devices to communicate when they are in close proximity, usually no more than a few centimeters, allowing the secure exchange of information.”

“Each full NFC device can work in three modes: NFC Card Emulation; NFC Reader/Writer; and NFC peer-to-peer (P2P mode):

  • NFC Card emulation mode enables NFC-enabled devices such as smartphones to act like smart cards, allowing users to perform transactions such as payment or ticketing.
  • NFC Reader/writer mode enables NFC-enabled devices to read information stored on inexpensive NFC tags embedded in labels or smart posters.
  • NFC peer-to-peer mode enables two NFC-enabled devices to communicate with each other to exchange information in an adhoc fashion.”

Since Android phones have come with NFC 2-3 years ago that lead to an increase in the use of NFC technology and it has been used by Google wallet lately, Android pay, and many others.

NFC_Standards

When the NFC is activated, small amounts of data are transferred between the devices that are connected, making one of the strongest points of this technology, but at the same time the weakest point that could be exploited by hackers.

How can hackers steal your credit cards using NFC?

As you know there has been some search about NFC relay attacks which can lead to data corruption, spoofing, man-in –the-middle attacks, as cyber security expert Pierluigi Paganini shows us very well in but all this attacks were difficult to perform and to be successful because it requires the devices to be near to each other, but that may change with the discovery of the researcher Michael Roland, who found that installing a Trojan relay in Android smartphones can facilitate the things, since the attacker can start Google Play using the NFC capabilities.

When realizing the issue, Google patched the problem, but when researching once again, Rodriguez and Vila discovered that NFC in an Android device could be used to steal credit cards that the victim as in his pocket, think about it, how many times your phone is close to your wallet? Too many times I am sure.

Attack scenario

For the hacker to pull off this attack he needs a POS machine that it’s able to accept NFC payments and an Android phone with NFC, running Android 4.4 KitKat or above.

Now we get back to the relay attacks, where the attacker will forward an entire wireless communication over a large distance (NFC only allows small distance transmissions), he will be doing that by using the concept of the “the honest prover, the honest verifier, the dishonest prover and the dishonest verifier”

  • Dishonest prover and verifier will fool the honest verifier and prover
  • Your credit card is your honest prover
  • The POST terminal is the honest Verifier
  • The attacker’s NFC Android phone is the dishonest prover
  • Your phone is the dishonest verifier

NFC attack

The difficult part of the attack is how to attract the victim into downloading an app, but assuming that the attacker was successful and the victim has the “bad” app, the app will start checking the environment around the smartphone to see if there is any credit card (of course that depends your wallet is near enough to the phone to the app to be successful).

Once the credit card is detected, the app sends a message over the victim smartphone’s internet to the attacker’s smartphone. Since now the attacker received the message in his Android phone, he just needs to come close the POS machine, for the POS machine to be able to do the illegal monetary transaction.

The researchers Jose Vila and Ricardo J. Rodrıguez presented the “Relay Attacks in EMV Contactless Cards with Android OTS Devices” at the hacking conference HACK IN THE BOX, in Malaysia. The experts made a PoC using a Nexus 5 (dishonest prover) and Sony Xperia S (the dishonest verifier).

Even if exists a restriction in the amount of money that can be stolen (around $50), and after some transitions is required a PIN, this should be enough to put us on alert, and since it’s an early research, more breakthroughs can be made, improving attacks and making them simple, and if join to all this the fact the NFC is becoming “bigger” and widely used we may have here the receipt for a disaster.

“Be aware of the apps you are installing on your device – don’t use apps that haven’t been approved in the Google Play store or that are from an alternative market. If you aren’t using NFC for other stuff, just deactivate it by default. That way the application must ask you to activate NFC and if an unauthorized usage, then you will know it.” Rodriguez told to iDigitalTimes:

Enjoy the presentation here,  or give a look to the technical whitepaper.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs –  NFC,  hacking)


facebook linkedin twitter

credit card Hacking mobile NFC

you might also like

Pierluigi Paganini July 07, 2025
Taiwan flags security risks in popular Chinese apps after official probe
Read more
Pierluigi Paganini July 07, 2025
U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Taiwan flags security risks in popular Chinese apps after official probe

    Security / July 07, 2025

    U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 07, 2025

    Hunters International ransomware gang shuts down and offers free decryption keys to all victims

    Cyber Crime / July 06, 2025

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

    Security / July 06, 2025

    Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 06, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT