SoylentNews is people

posted by Fnord666 on Saturday April 07 2018, @06:43AM
from the pown-ur-fone dept.

Submitted via IRC for SoyCow8317

Paying for stuff with your smartphone is downright dangerous according to Zhe Zhou, a pre-tenure associate professor at Fudan University, who yesterday explained how three different payment methods can be cracked at Black Hat Asia in Singapore.

In a talk titled "All your payment tokens are mine: Vulnerabilities of mobile payment systems", Zhe said mobile payments have two weaknesses: tokens aren't encrypted; and tokens aren't tied to a single transaction, so can be re-used and/or hijacked.

Zhe explained that mobile payments see smartphones generate a one-time token that's passed to a point of sale terminal. Once the token's exchanged and verified by a payments server somewhere, it won't be accepted again. The trick to using harvested tokens is therefore to stop them ever making it to the point of sale terminal, then to use that token for another transaction of higher value before it expires.

[...] Zhe's most devious attack targeted the QR codes used as tokens for some payments. His tactic for such tokens was to surreptitiously turn on a smartphone's front-facing camera to photograph the reflection of a QR code in a point of sale scanner's protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code.

Source: https://www.theregister.co.uk/2018/03/23/mobile_payments_token_interception_talk_black_hat_asia/
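
A simplified model of the token handling described above, added here as an illustration and not taken from the talk, The Register, or any real payment system. It contrasts a one-time token that is not tied to a transaction with one that carries the merchant and amount; the class name, shared key, field layout and 60-second lifetime are all assumptions.

```python
import hashlib
import hmac
import os

class ToyPaymentServer:
    """Toy model only; wallet and server are assumed to share `key`."""

    def __init__(self, ttl_seconds=60):
        self.key = os.urandom(32)
        self.ttl = ttl_seconds
        self.spent = set()  # nonces that have already been redeemed

    def _mac(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def make_token(self, account, now, merchant=None, amount_cents=None):
        """Wallet side. Passing merchant/amount binds the token to them."""
        fields = [account, os.urandom(8).hex(), str(int(now))]
        if merchant is not None:
            fields += [merchant, str(amount_cents)]
        body = "|".join(fields)
        return body + "|" + self._mac(body)

    def redeem(self, token, merchant, amount_cents, now):
        """Server side: MAC, expiry, single use, then binding if present."""
        body, _, tag = token.rpartition("|")
        if not hmac.compare_digest(tag, self._mac(body)):
            return "rejected: bad MAC"
        fields = body.split("|")
        nonce, issued = fields[1], int(fields[2])
        if now - issued > self.ttl:
            return "rejected: expired"
        if nonce in self.spent:
            return "rejected: already used"
        if len(fields) == 5 and fields[3:] != [merchant, str(amount_cents)]:
            return "rejected: transaction mismatch"
        self.spent.add(nonce)
        return "accepted"

def demo():
    srv = ToyPaymentServer()
    # Constructed sample tokens, both meant for a 4.50 purchase at "coffee-shop".
    unbound = srv.make_token("alice", now=1000)
    bound = srv.make_token("alice", 1000, "coffee-shop", 450)
    return [
        srv.redeem(unbound, "other-shop", 99900, now=1010),  # never reached its terminal
        srv.redeem(unbound, "coffee-shop", 450, now=1020),   # single use still holds
        srv.redeem(bound, "other-shop", 99900, now=1010),    # binding check refuses it
        srv.redeem(bound, "coffee-shop", 450, now=1020),     # intended payment succeeds
        srv.redeem(srv.make_token("alice", 1000), "coffee-shop", 450, now=2000),
    ]

if __name__ == "__main__":
    print(demo())
```

The single-use and expiry checks pass for the unbound token at a different merchant and amount, which is the gap the talk describes; only the bound variant gives the server something to compare the presented transaction against.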

  • (Score: 2) by pipedwho (2032) on Saturday April 07 2018, @09:08PM (#663805)

    All your payment tokens are belong to us...