Submitted via IRC for SoyCow8317
Paying for stuff with your smartphone is downright dangerous according to Zhe Zhou, a pre-tenure associate professor at Fudan University, who yesterday explained how three different payment methods can be cracked at Black Hat Asia in Singapore.
In a talk titled "All your payment tokens are mine: Vulnerabilities of mobile payment systems", Zhe said mobile payments have two weaknesses: tokens aren't encrypted; and tokens aren't tied to a single transaction, so can be re-used and/or hijacked.
Zhe explained that mobile payments see smartphones generate a one-time token that's passed to a point of sale terminal. Once the token's exchanged and verified by a payments server somewhere, it won't be accepted again. The trick to using harvested tokens is therefore to stop them ever making it to the point of sale terminal, then to use that token for another transaction of higher value before it expires.
[...] Zhe's most devious attack targeted the QR codes used as tokens for some payments. His tactic for such tokens was to surreptitiously turn on a smartphone's front-facing camera to photograph the reflection of a QR code in a point of sale scanner's protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code.
Source: https://www.theregister.co.uk/2018/03/23/mobile_payments_token_interception_talk_black_hat_asia/
(Score: 2) by black6host on Saturday April 07 2018, @07:35AM
Those piece of shit (POS) scanners always screw things up! Seriously though, I have no mobile payments apps installed. Hope I never have to.
(Score: 3, Insightful) by MichaelDavidCrawford on Saturday April 07 2018, @07:37AM (2 children)
... asked the salesboy when I purchased my Mac mini.
"No."
Gentlemen prefer cash.
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Insightful) by Anonymous Coward on Saturday April 07 2018, @07:54AM (1 child)
True gentlemen just sign up a check. Or pay in diamonds.
(Score: 3, Interesting) by kazzie on Saturday April 07 2018, @12:41PM
Excuse me sir, do you have change for a Cullinan? [wikipedia.org]
(Score: 5, Insightful) by frojack on Saturday April 07 2018, @08:00AM (9 children)
If you've already got your malware on someone's phone, there's no reason to be fafing about with qr codes. Just take the credit card data and transmit it to the mother ship and run away.
I've never seen a qrcode being used as a payment transaction. To ring up the items you intend to purchase, perhaps, but not as a financial transaction.
Payment is done via NFC between the phone and the terminal, and it uses a temporary credit card number that is good for exactly ONE sale. Which means it's safer than your physical credit card.
The story sounds fake or it's been "journalismed" into unfathomable pin-headery.
No, you are mistaken. I've always had this sig.
(Score: 4, Informative) by TheRaven on Saturday April 07 2018, @06:56PM (8 children)
In China, it's very common to use QR codes, because the most common method of payment is a chat app that incorporates a payment mechanism by generating and scanning QR codes. It's done that way to support cheap phones that don't have NFC hardware, but it's not very secure. In the west, phone payments piggyback on the EMV system and so are required to comply with a bunch of banking regulations, which mandate at least a token effort towards security.
sudo mod me up
(Score: 0) by Anonymous Coward on Saturday April 07 2018, @09:37PM
So what you are saying is this has no effect on USA based system. Good to know.
(Score: 2) by darkfeline on Saturday April 07 2018, @09:38PM
China has a stupendous number of stupid ideas, so this revelation is of minimal value to everyone else. Things like QR codes for payment as you mention, face recognition for fining jaywalkers, the lovely national Citizen Score, digital services and social media and news that are completely controlled by the government (and make Facebook look incompetent at being evil), the entire ecosystem built around WeChat, the not-Uber clone DiDi Chuxing, and so on.
Join the SDF Public Access UNIX System today!
(Score: 2) by archfeld on Sunday April 08 2018, @07:31PM (5 children)
How can the retailer set a price if the QR code placed by the manufacturer is used as price point ? Seems like an idea that would float in an economy that was dominated by government sponsored manufacturing and not by market set pricing. Not to mention everyone would have to have a device capable of reading a QR code. Which I and many 'older' folks don't have smart devices.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 2, Disagree) by TheRaven on Monday April 09 2018, @08:14AM (4 children)
sudo mod me up
(Score: 2) by archfeld on Monday April 09 2018, @06:58PM (3 children)
Umm who prints the QR code on the packaging ? It isn't a sticker it is part of the original package. Maybe the end retailer can assign additional values to it in their local DB or some such thing but I know for sure Target is not applying the QR code sticker to a bag of Cheetos.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 3, Informative) by TheRaven on Tuesday April 10 2018, @10:51AM (2 children)
sudo mod me up
(Score: 2) by archfeld on Tuesday April 10 2018, @06:38PM (1 child)
Ahh OK. Lacking a smart device I've obviously missed something. I'll do some reading....Thanks and Cheers
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
(Score: 2) by TheRaven on Wednesday April 11 2018, @06:54AM
sudo mod me up
(Score: 5, Insightful) by Bot on Saturday April 07 2018, @11:45AM
the one time token should also encode the transaction details, so that another recipient or another sum fails. It is irrelevant when the phone is owned and the phone CANNOT BE MADE SECURE, so in the end it is all fluff, though.
Account abandoned.
(Score: 2) by pipedwho on Saturday April 07 2018, @09:08PM
All your payment tokens are belong to us...