Recently, we wrote about the dangers associated with wireless protocols and mobile devices. Here we continue the topic with NFC. We will not go into theory in this post, but move straight to a concrete practical implementation: the Android.Ecardgrabber application, which can contactlessly read a plastic card's number, its validity period, and the user's bank account number.

The NFC standard provides short-range wireless communication (up to 4 cm). Similar types of communication are already used in Russia today. In particular, some banks have issued contactless cards for travel in the metro. There are other similar projects.
I can already picture it: the year 2050, and the pickpocket of the future commits petty theft by holding a mobile phone against a passerby's bag and retrieving credit card information via NFC. As one Twitter user wrote, "foil hats are no longer enough, it's time to wrap a wallet in it."
A German security researcher released an Android application on Google Play that can read a limited number of contactless plastic cards over the radio interface. Contactless plastic cards are usually used for transactions of less than 10 euros without entering a PIN: you just hold the card up to the point-of-sale terminal.
The application, which Symantec detects as Android.Ecardgrabber, attempts to read card data over the NFC communication protocol. It was posted on Google Play on June 13, and between 100 and 500 users downloaded it.


Extract information
An analysis of the Android.Ecardgrabber code showed that the author attempted to extract information from eight different plastic card systems.
According to the author himself, the application was successfully tested with only two plastic card systems, and the development of the code was not completed.
The following systems have been tested:
• MasterCard *
• A European credit card *
• Visa V Pay **
• Cirrus **
• Maestro **
• Visa Electron **
• Visa **
* The author confirmed the successful result;
** Not confirmed, but available in the code.
The application can obtain the following information:
• Plastic card number;
• The date the card becomes valid;
• Expiry date of the card;
• Bank account number.
Note: No code for retrieving the card's security code was found in the application.
Although the user has to install the application and bring a contactless plastic card within 4 centimeters of the phone for data to be extracted, it vividly illustrates the vulnerability of this evolving technology. It is easy to imagine a malicious application that quietly runs as a background process on a mobile device and slowly communicates with the contactless plastic card in your wallet.
The NFC short-range standard is a new technology that promises to make life easier and more interactive, but users now also need to think about security, which should never be forgotten.