Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Known NFC spoofing techniques probably wouldn't work with Apple Pay

John Brandon | Oct. 21, 2014
Security experts admitted that Apple's use of one-time-use tokens instead of your actual credit card information would render hacks due to NFC vulnerabilities pretty toothless.

mcdonalds apple pay

Apple Pay is poised to turn how we pay for goods at a retail store on its head. The new Apple Pay system lets you make purchases with the cards in your iTunes Store account. When you bring your iPhone 6 near an NFC-equipped payment terminal, you'll see your cards in Passbook, and you can authorize a transaction with the Touch ID fingerprint reader. That's it, you're done, and none of your sensitive credit card information was ever shared directly with the merchant.

Near-field communication, or NFC, isn't a new technology, and hackers have had plenty of time to develop hardware that sniffs out the signals as they're wirelessly transmitted from your phone to a reader. While some security experts I spoke to insist that these known vulnerabilities could apply to Apple Pay transactions, they also admitted that Apple's use of one-time-use tokens instead of your actual credit card information would render these hacks pretty toothless.

How spoofing would work
Spoofing an NFC transaction involves creating a dummy reader--say, another smart card or a smartphone--that sniffs out a close-by signal and steals the data during a transaction.

Hector Hoyos, the CEO of Hoyos Labs, a digital infrastructure security company that makes a biometric device for ATMs, says there is a known hack for NFC that uses off-the-shelf radio receivers anyone can buy at Radio Shack. Using this home-built reader, a hacker standing near the Apple Pay terminal could intercept the signal.

tim cook nfc
SCREENSHOT. Apple CEO Tim Cook shows off a slide of companies that signed on to support Apple Pay in stores. 

"A radio sniffer could work if someone was standing right behind you from a foot or two away," says Hoyos. He even suggested the spoof is one of the reasons why Google Wallet, which also relies on NFC, never went mainstream--although there isn't known video evidence that Google Wallet has been hacked this way.

Other methods require physical access. Satnam Narang, the Security Response Manager at the Symantec Security Technology and Response (S.T.A.R.) division, says there is a known hack related to NFC transactions, but it requires that the hacker install a piece of malicious code on the phone first.

Narang says one known vulnerability called a relay attack uses smartcards, which are basically credit cards that store data and use an NFC chip. A hacker creates a "proxy" card that can intercept the signal from a "mole" (the real card). However, even then, he says there has to be a physical tap with the fraudulent card.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.