Pierluigi Paganini June 09, 2015

Crooks are using the NFC capability of Android smartphone to steal your credit card data, two researchers presented the PoC at the HITB.

Crooks are using the NFC capability of Android smartphone to steal your credit card data, it’s scaring but true.

But first let’s introduce the Near field communication (NFC) as “a set of standards for mobile devices designed to establish radio communication with each other by being touched together or brought within a short distance. The NFC standard regulates a radio technology that allows two devices to communicate when they are in close proximity, usually no more than a few centimeters, allowing the secure exchange of information.”

“Each full NFC device can work in three modes: NFC Card Emulation; NFC Reader/Writer; and NFC peer-to-peer (P2P mode):

• NFC Card emulation mode enables NFC-enabled devices such as smartphones to act like smart cards, allowing users to perform transactions such as payment or ticketing.
• NFC Reader/writer mode enables NFC-enabled devices to read information stored on inexpensive NFC tags embedded in labels or smart posters.
• NFC peer-to-peer mode enables two NFC-enabled devices to communicate with each other to exchange information in an adhoc fashion.”

Since Android phones have come with NFC 2-3 years ago that lead to an increase in the use of NFC technology and it has been used by Google wallet lately, Android pay, and many others.

When the NFC is activated, small amounts of data are transferred between the devices that are connected, making one of the strongest points of this technology, but at the same time the weakest point that could be exploited by hackers.

How can hackers steal your credit cards using NFC?

As you know there has been some search about NFC relay attacks which can lead to data corruption, spoofing, man-in –the-middle attacks, as cyber security expert Pierluigi Paganini shows us very well in but all this attacks were difficult to perform and to be successful because it requires the devices to be near to each other, but that may change with the discovery of the researcher Michael Roland, who found that installing a Trojan relay in Android smartphones can facilitate the things, since the attacker can start Google Play using the NFC capabilities.

When realizing the issue, Google patched the problem, but when researching once again, Rodriguez and Vila discovered that NFC in an Android device could be used to steal credit cards that the victim as in his pocket, think about it, how many times your phone is close to your wallet? Too many times I am sure.

Attack scenario

For the hacker to pull off this attack he needs a POS machine that it’s able to accept NFC payments and an Android phone with NFC, running Android 4.4 KitKat or above.

Now we get back to the relay attacks, where the attacker will forward an entire wireless communication over a large distance (NFC only allows small distance transmissions), he will be doing that by using the concept of the “the honest prover, the honest verifier, the dishonest prover and the dishonest verifier”

• Dishonest prover and verifier will fool the honest verifier and prover
• Your credit card is your honest prover
• The POST terminal is the honest Verifier
• The attacker’s NFC Android phone is the dishonest prover
• Your phone is the dishonest verifier

The difficult part of the attack is how to attract the victim into downloading an app, but assuming that the attacker was successful and the victim has the “bad” app, the app will start checking the environment around the smartphone to see if there is any credit card (of course that depends your wallet is near enough to the phone to the app to be successful).

Once the credit card is detected, the app sends a message over the victim smartphone’s internet to the attacker’s smartphone. Since now the attacker received the message in his Android phone, he just needs to come close the POS machine, for the POS machine to be able to do the illegal monetary transaction.

The researchers Jose Vila and Ricardo J. Rodrıguez presented the “Relay Attacks in EMV Contactless Cards with Android OTS Devices” at the hacking conference HACK IN THE BOX, in Malaysia. The experts made a PoC using a Nexus 5 (dishonest prover) and Sony Xperia S (the dishonest verifier).

Even if exists a restriction in the amount of money that can be stolen (around $50), and after some transitions is required a PIN, this should be enough to put us on alert, and since it’s an early research, more breakthroughs can be made, improving attacks and making them simple, and if join to all this the fact the NFC is becoming “bigger” and widely used we may have here the receipt for a disaster.

“Be aware of the apps you are installing on your device – don’t use apps that haven’t been approved in the Google Play store or that are from an alternative market. If you aren’t using NFC for other stuff, just deactivate it by default. That way the application must ask you to activate NFC and if an unauthorized usage, then you will know it.” Rodriguez told to iDigitalTimes:

Enjoy the presentation here,  or give a look to the technical whitepaper.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs –  NFC,  hacking)