Three myths about mobile payment security
Yota continues to debunk popular myths, and today we decided to talk about a serious and exciting to many users topic - the security of mobile payments. Paying for purchases using a mobile phone has long become commonplace, and this area is still surrounded by omissions and myths.
Mobile payments using NFC are insecure: attackers can get personal information from a smartphone through a hacked terminal.
')
Near-Field Communication technology, abbreviated NFC, appeared a few years ago, but has already become widespread in large cities. Still: few people like to carry around a bunch of cards, it’s much more convenient to attach a phone to the terminal. Simultaneously with the advent of the new technology, doubts about its safety appeared.
The principle of operation of NFC is based on the work in the near magnetic field of two induction coils. To work, contactless terminal and card must be located at a distance of no more than 5 cm from each other. But that is not all.
NFC-enabled smartphones are equipped with additional security systems. Samsung Pay, Android Pay, Apple Pay applications replace the real card number with the Device Account Number - an analogue, the data of which remains with the seller upon purchase instead of the real data of your bank card. With this data, neither the seller nor the attackers can not do anything.
It turns out, all the data of my cards remain with the phone manufacturer?
Not. After you authorize the card in the system, the company receives the Device Account Number from the bank and links it to the card and phone, but does not save the data of the bank card itself. As a result, the company-developer receives only statistics. And the card data remains with the payment system (Visa or Mastercard), the bank and yours.
Today payments from a smartphone are safer than paying directly from a card. There are several reasons for this:
Attempts to hack NFC payment systems have been made from the very beginning of the spread of technology. Often, hackers train on hacking transport cards for free replenishment: similar incidents happened both in Russia and abroad. However, convincing evidence of hacking has not yet happened.
It is even more difficult with terminals: in order to work and make payments, each cash register must be registered, plus an agreement is drawn up with the acquiring bank, in which the seller's passport details and company details are indicated. Any transaction can be tracked and canceled.
But the fraudsters are not asleep, and have already learned how to steal money directly from the card with the help of self-made readers: they are applied at a distance of 5-15 cm to the card reader and withdraw money everywhere - in the markets, in stores, in public transport. True, it is unlikely that anyone will calmly react if an outsider scans his pocket or card in his hand - therefore, it is easy to protect oneself from such theft if you do not “shine” with your cards for a long time in public places. To do this, even sold special protective wallets - RFID blocking wallet. Well, or you can wrap them in foil - it really works. Foil cap can protect your card, but not your head - do not confuse! :-)
If you hold the phone at the terminal for too long, the money will be removed several times
Unfortunately, a double transaction is a really common type of fraud. In addition, double debiting of funds from an account is often caused by a faulty terminal or a technical failure in a bank. In such cases, the seller himself cancels the payment and the money is returned to the buyer's account. If the fault of the bank, then you need to go there directly - by law, if it is to blame for the illegal cancellation, then the bank is obliged to return this amount with interest.
In all cases, the phone has nothing to do with it, as well as its distance from the payment terminal. The signal is received - the money is written off - the terminal prints a check. If the device is properly and properly connected, then the money will not be written off again.
One-time codes by SMS save from unauthorized transfer of money from the account
Banks often send a one-time security password via SMS to confirm an online payment with an ominous warning DO NOT SHOW THE PASSWORD TO ANYONE.
Since the password is short-lived - its effect is only a few minutes, it is considered that the attacker simply does not have time to intercept the code.
In January of this year, the attackers managed to steal large sums from users' bank cards in Germany, using SS7 vulnerabilities.
Hundreds of home computers were infected by Trojans, who stole linked phone numbers, logins and passwords to access the online bank, after which the attackers transferred the money to their account. The telecom operator, located outside Germany, gave them access to the protocol, the thieves forwarded SMS with a bank password to their number, confirming the payment.
The German mobile operator O2 later confirmed that the unidentified telephone operator was blocked and that the affected customers were informed. But it is not known whether they managed to return the money. It is noteworthy that during embezzlement, the security system of banks did not compromise any payment.
In 2016, the American National Institute of Standards and Technology proposed to abandon text messages for two-factor authentication and replace them with cryptographic security keys that will be stored on secure devices. But so far nothing has changed.
What to do?
Unfortunately, so far banks do not support alternative authentication methods. The only thing that remains is to monitor the security of mobile devices and computers from which you pay for purchases:
Mobile payments using NFC are insecure: attackers can get personal information from a smartphone through a hacked terminal.
')
Near-Field Communication technology, abbreviated NFC, appeared a few years ago, but has already become widespread in large cities. Still: few people like to carry around a bunch of cards, it’s much more convenient to attach a phone to the terminal. Simultaneously with the advent of the new technology, doubts about its safety appeared.
The principle of operation of NFC is based on the work in the near magnetic field of two induction coils. To work, contactless terminal and card must be located at a distance of no more than 5 cm from each other. But that is not all.
NFC-enabled smartphones are equipped with additional security systems. Samsung Pay, Android Pay, Apple Pay applications replace the real card number with the Device Account Number - an analogue, the data of which remains with the seller upon purchase instead of the real data of your bank card. With this data, neither the seller nor the attackers can not do anything.
It turns out, all the data of my cards remain with the phone manufacturer?
Not. After you authorize the card in the system, the company receives the Device Account Number from the bank and links it to the card and phone, but does not save the data of the bank card itself. As a result, the company-developer receives only statistics. And the card data remains with the payment system (Visa or Mastercard), the bank and yours.
Today payments from a smartphone are safer than paying directly from a card. There are several reasons for this:
- No need to enter a pin code,
- You don't shine a map anywhere,
- Mobile payment services require an owner’s fingerprint for authorization,
- Mobile payment services do not have access to a bank account,
- The forgotten password of the payment service cannot be recovered - just register again, after having reset all settings.
Attempts to hack NFC payment systems have been made from the very beginning of the spread of technology. Often, hackers train on hacking transport cards for free replenishment: similar incidents happened both in Russia and abroad. However, convincing evidence of hacking has not yet happened.
It is even more difficult with terminals: in order to work and make payments, each cash register must be registered, plus an agreement is drawn up with the acquiring bank, in which the seller's passport details and company details are indicated. Any transaction can be tracked and canceled.
But the fraudsters are not asleep, and have already learned how to steal money directly from the card with the help of self-made readers: they are applied at a distance of 5-15 cm to the card reader and withdraw money everywhere - in the markets, in stores, in public transport. True, it is unlikely that anyone will calmly react if an outsider scans his pocket or card in his hand - therefore, it is easy to protect oneself from such theft if you do not “shine” with your cards for a long time in public places. To do this, even sold special protective wallets - RFID blocking wallet. Well, or you can wrap them in foil - it really works. Foil cap can protect your card, but not your head - do not confuse! :-)
If you hold the phone at the terminal for too long, the money will be removed several times
Unfortunately, a double transaction is a really common type of fraud. In addition, double debiting of funds from an account is often caused by a faulty terminal or a technical failure in a bank. In such cases, the seller himself cancels the payment and the money is returned to the buyer's account. If the fault of the bank, then you need to go there directly - by law, if it is to blame for the illegal cancellation, then the bank is obliged to return this amount with interest.
In all cases, the phone has nothing to do with it, as well as its distance from the payment terminal. The signal is received - the money is written off - the terminal prints a check. If the device is properly and properly connected, then the money will not be written off again.
One-time codes by SMS save from unauthorized transfer of money from the account
Banks often send a one-time security password via SMS to confirm an online payment with an ominous warning DO NOT SHOW THE PASSWORD TO ANYONE.
Since the password is short-lived - its effect is only a few minutes, it is considered that the attacker simply does not have time to intercept the code.
In January of this year, the attackers managed to steal large sums from users' bank cards in Germany, using SS7 vulnerabilities.
Hundreds of home computers were infected by Trojans, who stole linked phone numbers, logins and passwords to access the online bank, after which the attackers transferred the money to their account. The telecom operator, located outside Germany, gave them access to the protocol, the thieves forwarded SMS with a bank password to their number, confirming the payment.
The German mobile operator O2 later confirmed that the unidentified telephone operator was blocked and that the affected customers were informed. But it is not known whether they managed to return the money. It is noteworthy that during embezzlement, the security system of banks did not compromise any payment.
In 2016, the American National Institute of Standards and Technology proposed to abandon text messages for two-factor authentication and replace them with cryptographic security keys that will be stored on secure devices. But so far nothing has changed.
What to do?
Unfortunately, so far banks do not support alternative authentication methods. The only thing that remains is to monitor the security of mobile devices and computers from which you pay for purchases:
- regularly check your device for malware,
- do not enter card data on other computers and smartphones,
- Use stores that use a secure HTTPS connection,
- To pay for online purchases, it’s better not to use your main card, but to have a virtual card.
Source: https://habr.com/ru/post/343462/
All Articles