Submitted via IRC for SoyCow8317
Paying for stuff with your smartphone is downright dangerous according to Zhe Zhou, a pre-tenure associate professor at Fudan University, who yesterday explained how three different payment methods can be cracked at Black Hat Asia in Singapore.
In a talk titled "All your payment tokens are mine: Vulnerabilities of mobile payment systems", Zhe said mobile payments have two weaknesses: tokens aren't encrypted; and tokens aren't tied to a single transaction, so can be re-used and/or hijacked.
Zhe explained that mobile payments see smartphones generate a one-time token that's passed to a point of sale terminal. Once the token's exchanged and verified by a payments server somewhere, it won't be accepted again. The trick to using harvested tokens is therefore to stop them ever making it to the point of sale terminal, then to use that token for another transaction of higher value before it expires.
[...] Zhe's most devious attack targeted the QR codes used as tokens for some payments. His tactic for such tokens was to surreptitiously turn on a smartphone's front-facing camera to photograph the reflection of a QR code in a point of sale scanner's protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code.
Source: https://www.theregister.co.uk/2018/03/23/mobile_payments_token_interception_talk_black_hat_asia/
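The interception described above works because a harvested token is still accepted for a different, larger transaction than the one the customer intended. As an added illustration (not code from the talk or from The Register), here is a minimal Python model of a payment server that binds each token to the account, amount and merchant at issue time, signs it with an HMAC, and refuses a token that is replayed, expired, tampered with, or presented for any other amount or merchant. The shared key, the claim names and the `shop-A`/`shop-B` merchant ids are constructed for the example, and the flow assumes the wallet learns the amount and merchant before it emits the code.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: the wallet issuer and the payment server share this key.
# Generated fresh here so the example runs offline; a deployment would
# provision it out of band.
ISSUER_KEY = secrets.token_bytes(32)


class PaymentServer:
    """Toy model of a token issuer/redeemer that ties each token to one transaction."""

    def __init__(self, key):
        self.key = key
        self.redeemed = set()  # nonces already spent: enforces single use

    def issue_token(self, account, amount_cents, merchant_id, ttl_s=60, now=None):
        """Return a token bound to (account, amount, merchant) with a short expiry."""
        now = time.time() if now is None else now
        claims = {
            "acct": account,
            "amt": int(amount_cents),
            "mid": merchant_id,
            "exp": int(now + ttl_s),
            "nonce": secrets.token_hex(8),
        }
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # base64 and hex never contain '.', so the separator is unambiguous
        return base64.urlsafe_b64encode(body).decode() + "." + tag

    def redeem(self, token, amount_cents, merchant_id, now=None):
        """Validate a presented token against the transaction the POS is actually charging."""
        now = time.time() if now is None else now
        try:
            body_b64, tag = token.rsplit(".", 1)
            body = base64.urlsafe_b64decode(body_b64.encode())
        except (ValueError, TypeError):
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"  # checked before trusting any claim
        claims = json.loads(body)
        if now > claims["exp"]:
            return False, "expired"
        if claims["amt"] != int(amount_cents):
            return False, "amount mismatch"  # stops reuse for a higher-value sale
        if claims["mid"] != merchant_id:
            return False, "merchant mismatch"  # stops reuse at another terminal
        if claims["nonce"] in self.redeemed:
            return False, "replayed"
        self.redeemed.add(claims["nonce"])
        return True, "ok"


def demo():
    """Constructed scenario: one legitimate charge, then the misuse patterns the talk describes."""
    srv = PaymentServer(ISSUER_KEY)
    t0 = 1_700_000_000  # fixed clock so the results are deterministic
    token = srv.issue_token("alice", 500, "shop-A", now=t0)
    results = {
        "legit": srv.redeem(token, 500, "shop-A", now=t0 + 5),
        "replay": srv.redeem(token, 500, "shop-A", now=t0 + 6),
    }
    token2 = srv.issue_token("alice", 500, "shop-A", now=t0)
    results["higher_value"] = srv.redeem(token2, 9900, "shop-A", now=t0 + 5)
    results["other_merchant"] = srv.redeem(token2, 500, "shop-B", now=t0 + 5)
    results["expired"] = srv.redeem(token2, 500, "shop-A", now=t0 + 120)
    tampered = token2[:-1] + ("0" if token2[-1] != "0" else "1")
    results["tampered"] = srv.redeem(tampered, 500, "shop-A", now=t0 + 5)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The order of checks matters: the MAC is verified before any claim is read, so a forged or altered body never influences the expiry, amount or nonce logic, and the nonce is only recorded once every other check has passed.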
(Score: 2) by archfeld on Sunday April 08 2018, @07:31PM (5 children)
How can the retailer set a price if the QR code placed by the manufacturer is used as price point? Seems like an idea that would float in an economy that was dominated by government sponsored manufacturing and not by market set pricing. Not to mention everyone would have to have a device capable of reading a QR code; I and many 'older' folks don't have smart devices.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 2, Disagree) by TheRaven on Monday April 09 2018, @08:14AM (4 children)
sudo mod me up
(Score: 2) by archfeld on Monday April 09 2018, @06:58PM (3 children)
Umm, who prints the QR code on the packaging? It isn't a sticker; it is part of the original package. Maybe the end retailer can assign additional values to it in their local DB or some such thing, but I know for sure Target is not applying the QR code sticker to a bag of Cheetos.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 3, Informative) by TheRaven on Tuesday April 10 2018, @10:51AM (2 children)
sudo mod me up
(Score: 2) by archfeld on Tuesday April 10 2018, @06:38PM (1 child)
Ahh, OK. Lacking a smart device I've obviously missed something. I'll do some reading... Thanks and cheers.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 2) by TheRaven on Wednesday April 11 2018, @06:54AM
sudo mod me up