A billing operations manager
In the second quarter of 2011, comScore reported that 32.5 million Americans accessed mobile banking information on their mobile devices, a 21% increase from the fourth quarter of 2010. Now, almost 14 percent of all U.S. mobile subscribers access banking information through their devices, according to comScore.
MasterCard and mFoundry, which already provides mobile banking solutions for more than 560 banks and credit unions, will collaborate to provide mobile phone operators with an application that supports Mobile PayPass, which uses NFC technology. This will allow operators to offer mobile contactless payments to their customers, providing an even greater opportunity to put mobile payments in the hands of consumers. In fact, the booming technology of Near Field Communication (NFC) transactions that enable contactless and mobile payments will take the USA by storm, with mobile payments predicted to reach $630 billion by 2014. This is simply too tempting for the bad guys.
The fact is that NFC is not very secure. One Collin Mulliner from the University of Berlin has been hacking NFC devices since 2008. NFC devices seem to be a perfect platform for attacking other devices.
A successful relay attack required no special hardware for the NFC mobile phones; it only required installing a mobile phone app to turn the off-the-shelf NFC mobile phones into both a proxy-token and a proxy-reader. The authors of ‘Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones’ wrote, “The attack implementation required no unlocking of devices or secure elements, no hardware or software modification to the phone platform, and minimal knowledge of the data that was to be relayed. Neither was there any need to access the mobile network or any related services, and we utilized devices of a form factor accepted by merchants.”
If we accept that fraud is an attack on an admin process, we can conclude that there must be a physical record for such an attack to be uncovered. As Dale Youngs of Subex says, “as with Bluetooth, there are no records, there is simply an air gap.”
The gap must be plugged.