Near-Field Communication (NFC) relay malware has grown massively popular in Eastern Europe, with researchers discovering over 760 malicious Android apps using the technique to steal people's payment card information in the past few months.
Contrary to the traditional banking trojans that use overlays to steal banking credentials or remote access tools to perform fraudulent transactions, NFC malware abuses Android's Host Card Emulation (HCE) to emulate or steal contactless credit card and payment data.
They capture EMV fields, respond to APDU commands from a POS terminal with attacker-controlled replies, or forward terminal requests to a remote server, which crafts the proper APDU responses to enable payments at the terminal without the physical cardholder present.
[...] The apps used to distribute the malware impersonate Google Pay or financial institutions such as Santander Bank, VTB Bank, Tinkoff Bank, ING Bank, Bradesco Bank, Promsvyazbank (PSB), and several others.
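A defender-side view of the HCE abuse described above, as an added example that is not part of the original story or of any vendor's tooling: a triage of a decoded `AndroidManifest.xml` that flags apps declaring a host APDU service alongside network access, and, going slightly beyond the summary, apps that pair NFC reader access with network access. The sample manifest, the package name and the `allowlist` of approved wallet packages are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

# Constructed sample: decoded manifest of a hypothetical app posing as a bank client.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".CardService" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(xml_text, allowlist=frozenset()):
    """Return findings that make an app worth a closer look for NFC relay behaviour."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # A service is an HCE service if any of its intent filters names the HCE action.
    hce_services = [
        s.get(ANDROID + "name") or "?"
        for s in root.iter("service")
        if any(a.get(ANDROID + "name") == HCE_ACTION for a in s.iter("action"))
    ]
    findings = []
    if hce_services:
        findings.append(f"declares HCE service(s): {', '.join(hce_services)}")
        if "android.permission.INTERNET" in perms:
            findings.append("HCE plus INTERNET: APDUs could be forwarded off-device")
        if package not in allowlist:
            findings.append(f"package {package} is not an approved wallet")
    elif "android.permission.NFC" in perms and "android.permission.INTERNET" in perms:
        findings.append("NFC reader access plus INTERNET: card data could be relayed")
    # Allowlisted wallets legitimately use HCE, so they are reported but not escalated.
    review = bool(findings) and package not in allowlist
    return {"package": package, "review": review, "findings": findings}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit is a reason to inspect the app, not proof of malice: legitimate wallets and transit apps declare the same service and permissions.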
(Score: 5, Funny) by Anonymous Coward on Monday November 03, @06:09AM (1 child)
Nobody here has any money to speak of.
(Score: 4, Touché) by turgid on Monday November 03, @02:16PM
That's why they're stealing credit cards, not debit cards.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by Booga1 on Monday November 03, @07:21AM (3 children)
Are people just randomly downloading APKs from scammy sites and installing them? Either these scam sites are fantastic at emulating the real deal, or these people are clueless enough to disable security controls and install anything someone tells them to.
(Score: 5, Interesting) by Mojibake Tengu on Monday November 03, @07:31AM (2 children)
Google is intentionally and willingly collaborating with these criminals.
I reported more than a dozen of these scams directly to Google via proper reporting channels, but the only effective result was that my IP got listed on public blacklists, obviously as a punishment for being righteous.
For the same model of scam, Google "decided to take action against..." only in about 1/3 of identical cases.
Rust programming language offends both my Intelligence and my Spirit.
(Score: 5, Interesting) by gnuman on Monday November 03, @01:54PM (1 child)
Interesting ... how did you find these apps in the Google Play Store? Can you give an example?
(Score: 1) by shrewdsheep on Monday November 03, @03:04PM
I was also wondering whether we are talking about Google Play or something else. If I use Google Play, the first suggestion is always not what I search for, but an advertised app. I expect a small percentage to install that app either out of interest or by accident. Like with SEO, I would imagine that one can get people to install an app using this Google mechanism. OTOH, the true malware is probably blocked quite quickly in the Play Store, so people seem to click away the untrusted source warning quite casually.
(Score: 5, Interesting) by driverless on Monday November 03, @01:20PM (1 child)
TFA is pretty vague about how this works but it looks like the malware tricks users into using their physical NFC-enabled card with the phone malware acting as a payment terminal [bleepingcomputer.com], or at least a relay to a money mule [bleepingcomputer.com]. So user education could, for once, be effective here: don't do this rather odd thing with your phone and credit card when it asks you to.
(Score: 5, Touché) by JoeMerchant on Monday November 03, @01:49PM
I just recently replaced my wallet with an RFID shield wallet so that I have to physically remove the card from the wallet for the RFID to be read.
Generally, I think RFID is better than chip readers in terms of POS scams where an attacker sticks their own reader in front of the one you think you are using (gas station pumps get this a lot.) But, it's still a potential vulnerability if the attackers can slip their RFID reader in next to a legitimate POS terminal. Hopefully the payment system throttles RFID authorizations to one per minute or something like that, but given the state of the POS payment systems industry, probably not.
🌻🌻🌻 [google.com]
(Score: 3, Insightful) by Anonymous Coward on Monday November 03, @02:55PM
All these kinds of stories are bullshit without named names. The writers are protecting criminals.
(Score: 1) by anubi on Tuesday November 04, @01:24AM (1 child)
Wasn't that "tap to pay"?
Seems there oughta be an on-card piezo crystal, sensitive to a sharp mechanical pulse of being struck against the receiver pad, which also contains a piezo crystal, with the two crystals having to report an equal and opposite impact to register a hit.
The phone would have to receive exact timing information about the tap to confirm ok to proceed.
Fabricated (or nonexistent) tap response messages sent from the receiver would only cause the phone to play a little .wav file, as they don't correlate with the phone's crystal timing (nanoseconds) of its record of the tap. An NFC card in your wallet could still be wakened by an NFC attempt, only to be logged and not validated, as a "holstered" card would never experience sufficient dv/dt to clear threshold to register as a "tap".
Anyone wafting around in public opening up NFC attempts will just set off everyone's phones.
Maybe they could design the cards to be "held a certain way" in order to make them receptive to NFC connection attempts...say a dot on each side of the card...thumb on one dot, finger on the other dot, all other areas of the card clear. Capacitive touch screen technology.
As I watch all those scary TV ads, this is just my take as to how to counter people with sense wands probing my wallet/purse.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by aafcac on Tuesday November 04, @01:52AM
Probably not needed; the authentication tokens time out pretty quickly. It's hard to get the token from the card fast enough to use at a different location. In the rare event that somebody manages it, it's likely cheaper just to refund the charge than to handle the expense of additional measures, as there are usually additional features in place to guard against large or unusual purchases on top of the NFC code itself.