Stories
Slash Boxes
Comments

SoylentNews is people

Reflection of a QR Code on PoS Scanner Used to Own Mobile Payments

posted by Fnord666 on Saturday April 07 2018, @06:43AM   Printer-friendly
from the pown-ur-fone dept.

MrPlow writes:

Submitted via IRC for SoyCow8317

Paying for stuff with your smartphone is downright dangerous according to Zhe Zhou, a pre-tenure associate professor at Fudan University, who yesterday explained how three different payment methods can be cracked at Black Hat Asia in Singapore.

In a talk titled "All your payment tokens are mine: Vulnerabilities of mobile payment systems", Zhe said mobile payments have two weaknesses: tokens aren't encrypted; and tokens aren't tied to a single transaction, so can be re-used and/or hijacked.

Zhe explained that mobile payments see smartphones generate a one-time token that's passed to a point of sale terminal. Once the token's exchanged and verified by a payments server somewhere, it won't be accepted again. The trick to using harvested tokens is therefore to stop them ever making it to the point of sale terminal, then to use that token for another transaction of higher value before it expires.

[...] Zhe's most devious attack targeted the QR codes used as tokens for some payments. His tactic for such tokens was to surreptitiously turn on a smartphone's front-facing camera to photograph the reflection of a QR code in a point of sale scanner's protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code.

Source: https://www.theregister.co.uk/2018/03/23/mobile_payments_token_interception_talk_black_hat_asia/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Reflection of a QR Code on PoS Scanner Used to Own Mobile Payments | Log In/Create an Account | Top | 16 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by archfeld on Sunday April 08 2018, @07:31PM (5 children)

    by archfeld (4650) <treboreel@live.com> on Sunday April 08 2018, @07:31PM (#664041) Journal

    How can the retailer set a price if the QR code placed by the manufacturer is used as price point ? Seems like an idea that would float in an economy that was dominated by government sponsored manufacturing and not by market set pricing. Not to mention everyone would have to have a device capable of reading a QR code. Which I and many 'older' folks don't have smart devices.

    --
    For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2, Disagree) by TheRaven on Monday April 09 2018, @08:14AM (4 children)

    by TheRaven (270) on Monday April 09 2018, @08:14AM (#664288) Journal
    The QR code isn't placed by the manufacturer, it's displayed on the POS terminal (which might be a cheap Android phone). The seller displays a QR code, the buyer scans it, checks the information and hits 'pay' and the app sends the money.
    --
    sudo mod me up

    • (Score: 2) by archfeld on Monday April 09 2018, @06:58PM (3 children)

      by archfeld (4650) <treboreel@live.com> on Monday April 09 2018, @06:58PM (#664607) Journal

      Umm who prints the QR code on the packaging ? It isn't a sticker it is part of the original package. Maybe the end retailer can assign additional values to it in their local DB or some such thing but I know for sure Target is not applying the QR code sticker to a bag of Cheetos.

      --
      For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge

      • (Score: 3, Informative) by TheRaven on Tuesday April 10 2018, @10:51AM (2 children)

        by TheRaven (270) on Tuesday April 10 2018, @10:51AM (#664881) Journal
        I think we're talking at cross purposes. In QR-code based payment systems such as the one in TFA, the relevant QR code is presented on the POS terminal and scanned by the phone. There are other bar codes or QR codes to identify items, but these are scanned by the POS terminal, they are not part of the payment system.
        --
        sudo mod me up

        • (Score: 2) by archfeld on Tuesday April 10 2018, @06:38PM (1 child)

          by archfeld (4650) <treboreel@live.com> on Tuesday April 10 2018, @06:38PM (#665053) Journal

          Ahh OK. Lacking a smart device I've obviously missed something. I'll do some reading....Thanks and Cheers

          --
          For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge

          • (Score: 2) by TheRaven on Wednesday April 11 2018, @06:54AM

            by TheRaven (270) on Wednesday April 11 2018, @06:54AM (#665265) Journal
            It may also be 'not living in China'. I've only ever seen these when I visited Xi'an, though apparently they're very common throughout China. The rest of the industrialised world uses NFC for smart device payments, but the Chinese system (which is part of their dominant IM platform) was designed to work with very low-end devices so that poor people could use it for peer-to-peer transactions.
            --
            sudo mod me up