
posted by Fnord666 on Saturday April 07 2018, @06:43AM
from the pown-ur-fone dept.

Submitted via IRC for SoyCow8317

Paying for stuff with your smartphone is downright dangerous according to Zhe Zhou, a pre-tenure associate professor at Fudan University, who yesterday explained how three different payment methods can be cracked at Black Hat Asia in Singapore.

In a talk titled "All your payment tokens are mine: Vulnerabilities of mobile payment systems", Zhe said mobile payments have two weaknesses: tokens aren't encrypted; and tokens aren't tied to a single transaction, so can be re-used and/or hijacked.

Zhe explained that mobile payments see smartphones generate a one-time token that's passed to a point of sale terminal. Once the token's exchanged and verified by a payments server somewhere, it won't be accepted again. The trick to using harvested tokens is therefore to stop them ever making it to the point of sale terminal, then to use that token for another transaction of higher value before it expires.

[...] Zhe's most devious attack targeted the QR codes used as tokens for some payments. His tactic for such tokens was to surreptitiously turn on a smartphone's front-facing camera to photograph the reflection of a QR code in a point of sale scanner's protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code.

Source: https://www.theregister.co.uk/2018/03/23/mobile_payments_token_interception_talk_black_hat_asia/

  • (Score: 2) by black6host on Saturday April 07 2018, @07:35AM

    by black6host (3827) on Saturday April 07 2018, @07:35AM (#663701) Journal

    Those piece of shit (POS) scanners always screw things up! Seriously though, I have no mobile payments apps installed. Hope I never have to.

  • (Score: 3, Insightful) by MichaelDavidCrawford on Saturday April 07 2018, @07:37AM (2 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday April 07 2018, @07:37AM (#663702) Homepage Journal

    ... asked the salesboy when I purchased my Mac mini.

    "No."

    Gentlemen prefer cash.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 1, Insightful) by Anonymous Coward on Saturday April 07 2018, @07:54AM (1 child)

      by Anonymous Coward on Saturday April 07 2018, @07:54AM (#663708)

      True gentlemen just sign up a check. Or pay in diamonds.

      • (Score: 3, Interesting) by kazzie on Saturday April 07 2018, @12:41PM

        by kazzie (5309) Subscriber Badge on Saturday April 07 2018, @12:41PM (#663728)

        Excuse me sir, do you have change for a Cullinan? [wikipedia.org]

  • (Score: 5, Insightful) by frojack on Saturday April 07 2018, @08:00AM (9 children)

    by frojack (1554) on Saturday April 07 2018, @08:00AM (#663710) Journal

    If you've already got your malware on someone's phone, there's no reason to be faffing about with QR codes. Just take the credit card data and transmit it to the mother ship and run away.

    I've never seen a QR code being used as a payment transaction. To ring up the items you intend to purchase, perhaps, but not as a financial transaction.

    Payment is done via NFC between the phone and the terminal, and it uses a temporary credit card number that is good for exactly ONE sale. Which means it's safer than your physical credit card.

    The story sounds fake or it's been "journalismed" into unfathomable pin-headery.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 4, Informative) by TheRaven on Saturday April 07 2018, @06:56PM (8 children)

      by TheRaven (270) on Saturday April 07 2018, @06:56PM (#663775) Journal

      I've never seen a QR code being used as a payment transaction. To ring up the items you intend to purchase, perhaps, but not as a financial transaction.

      In China, it's very common to use QR codes, because the most common method of payment is a chat app that incorporates a payment mechanism by generating and scanning QR codes. It's done that way to support cheap phones that don't have NFC hardware, but it's not very secure. In the west, phone payments piggyback on the EMV system and so are required to comply with a bunch of banking regulations, which mandate at least a token effort towards security.

      --
      sudo mod me up
      • (Score: 0) by Anonymous Coward on Saturday April 07 2018, @09:37PM

        by Anonymous Coward on Saturday April 07 2018, @09:37PM (#663815)

        So what you are saying is this has no effect on USA based system. Good to know.

      • (Score: 2) by darkfeline on Saturday April 07 2018, @09:38PM

        by darkfeline (1030) on Saturday April 07 2018, @09:38PM (#663816) Homepage

        China has a stupendous number of stupid ideas, so this revelation is of minimal value to everyone else. Things like QR codes for payment as you mention, face recognition for fining jaywalkers, the lovely national Citizen Score, digital services and social media and news that are completely controlled by the government (and make Facebook look incompetent at being evil), the entire ecosystem built around WeChat, the not-Uber clone DiDi Chuxing, and so on.

        --
        Join the SDF Public Access UNIX System today!
      • (Score: 2) by archfeld on Sunday April 08 2018, @07:31PM (5 children)

        by archfeld (4650) <treboreel@live.com> on Sunday April 08 2018, @07:31PM (#664041) Journal

        How can the retailer set a price if the QR code placed by the manufacturer is used as the price point? Seems like an idea that would float in an economy that was dominated by government sponsored manufacturing and not by market set pricing. Not to mention everyone would have to have a device capable of reading a QR code, which I and many 'older' folks don't have, since we don't have smart devices.

        --
        For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
        • (Score: 2, Disagree) by TheRaven on Monday April 09 2018, @08:14AM (4 children)

          by TheRaven (270) on Monday April 09 2018, @08:14AM (#664288) Journal
          The QR code isn't placed by the manufacturer, it's displayed on the POS terminal (which might be a cheap Android phone). The seller displays a QR code, the buyer scans it, checks the information and hits 'pay' and the app sends the money.
          --
          sudo mod me up
          • (Score: 2) by archfeld on Monday April 09 2018, @06:58PM (3 children)

            by archfeld (4650) <treboreel@live.com> on Monday April 09 2018, @06:58PM (#664607) Journal

            Umm, who prints the QR code on the packaging? It isn't a sticker, it is part of the original package. Maybe the end retailer can assign additional values to it in their local DB or some such thing, but I know for sure Target is not applying the QR code sticker to a bag of Cheetos.

            --
            For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
            • (Score: 3, Informative) by TheRaven on Tuesday April 10 2018, @10:51AM (2 children)

              by TheRaven (270) on Tuesday April 10 2018, @10:51AM (#664881) Journal
              I think we're talking at cross purposes. In QR-code based payment systems such as the one in TFA, the relevant QR code is presented on the POS terminal and scanned by the phone. There are other bar codes or QR codes to identify items, but these are scanned by the POS terminal, they are not part of the payment system.
              --
              sudo mod me up
              • (Score: 2) by archfeld on Tuesday April 10 2018, @06:38PM (1 child)

                by archfeld (4650) <treboreel@live.com> on Tuesday April 10 2018, @06:38PM (#665053) Journal

                Ahh, OK. Lacking a smart device I've obviously missed something. I'll do some reading... Thanks and cheers.

                --
                For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
                • (Score: 2) by TheRaven on Wednesday April 11 2018, @06:54AM

                  by TheRaven (270) on Wednesday April 11 2018, @06:54AM (#665265) Journal
                  It may also be 'not living in China'. I've only ever seen these when I visited Xi'an, though apparently they're very common throughout China. The rest of the industrialised world uses NFC for smart device payments, but the Chinese system (which is part of their dominant IM platform) was designed to work with very low-end devices so that poor people could use it for peer-to-peer transactions.
                  --
                  sudo mod me up
  • (Score: 5, Insightful) by Bot on Saturday April 07 2018, @11:45AM

    by Bot (3902) on Saturday April 07 2018, @11:45AM (#663721) Journal

    The one-time token should also encode the transaction details, so that another recipient or another sum fails. It is irrelevant when the phone is owned and the phone CANNOT BE MADE SECURE, so in the end it is all fluff, though.

    --
    Account abandoned.
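The summary says the weakness is that tokens are one-time but not tied to a transaction, so a harvested token can be spent on a higher-value sale, and Bot's comment above proposes binding the transaction details into the token. The following is an added illustration of that fix, not code from the talk, The Register, or any real payment app: it contrasts a constructed "unbound" nonce-only token with one whose payee, amount and expiry are covered by an HMAC, and a toy payment server that rejects replay, tampering, expiry and mismatched transactions. The shared key, field layout and `PaymentServer` class are all assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Constructed demo key shared by wallet backend and payment server (not for real use).
KEY = b"constructed-demo-key-not-for-production"
TTL_SECONDS = 60

def mint_unbound_token(now):
    """Weak design from the talk: a one-time nonce plus expiry, nothing more."""
    return f"{secrets.token_hex(8)}|{now + TTL_SECONDS}"

def redeem_unbound(seen, token, now):
    """All an unbound token allows: freshness and single-use checks. The
    server cannot tell which payee or amount the payer actually agreed to."""
    nonce, expiry = token.split("|")
    if now > int(expiry) or nonce in seen:
        return False
    seen.add(nonce)
    return True

def mint_bound_token(payee, amount_cents, now):
    """Hardened design: payee, amount and expiry are covered by the MAC."""
    body = f"{secrets.token_hex(8)}|{payee}|{amount_cents}|{now + TTL_SECONDS}"
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

class PaymentServer:
    def __init__(self):
        self.seen = set()  # nonces already redeemed (replay defence)

    def redeem(self, token, payee, amount_cents, now):
        """(accepted, reason) for a token the POS submits together with the
        payee and amount it is actually trying to charge."""
        try:
            nonce, t_payee, t_amount, t_expiry, tag = token.split("|")
        except ValueError:
            return False, "malformed"
        body = f"{nonce}|{t_payee}|{t_amount}|{t_expiry}"
        expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad mac"  # amount or payee edited after minting
        if now > int(t_expiry):
            return False, "expired"
        if t_payee != payee or int(t_amount) != amount_cents:
            return False, "transaction mismatch"  # token harvested for another sale
        if nonce in self.seen:
            return False, "replay"
        self.seen.add(nonce)
        return True, "ok"
```

With the bound token, the intercept-and-respend scenario fails at the server because the amount and payee the POS submits no longer match what the MAC covers; the unbound token gives the server nothing to compare against.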
  • (Score: 2) by pipedwho on Saturday April 07 2018, @09:08PM

    by pipedwho (2032) on Saturday April 07 2018, @09:08PM (#663805)

    All your payment tokens are belong to us...
