After spending a few days around Security Week (BlackHat, Defcon, BSidesLV) last week, I was constantly amazed at the excitement and innovation around security. Unfortunately, most of this focused on the attack side, but nevertheless, it will drive security thinking forward (which is what we want!).
wi-fi, by poloballs
Several researchers focused on Near Field Communication (NFC) implementations as this technology is quickly becoming embedded in many mobile devices. While you may not be an NFC expert, you certainly have used NFC before. Think about any time you have used your credit card in a contactless way, paid for transport in London with an Oyster card, or even started your new automobile, you are using a form of NFC. Businesses want NFC because it offers (in some cases) better authentication of payment devices, easier ways to interact with customers (with minimal intrusion), and can potentially serve to increase efficiency on both sides of the relationship. As with most technological innovations, the business will get very creative in ways to monetize it.
But as with most technological innovations, implementation is often more important than design (see WEP/RC4). Researchers last week showed how implementing an NFC interface to a smartphone can potentially be disastrous for its owner. In this case, the software behind the hardware was the problem, and software manufacturers must be vigilant in their quest for releasing stable, secure products.
Another researcher at DEFCON demonstrated quite the opposite where he used a smartphone’s NFC technology to capture payment information from a contactless payment instrument, store it, and then replay it to complete a transaction. This is not a new attack as we’ve seen the replay of RFID before, but it’s a much stealthier attack as everything is contained within the phone. Imagine walking by someone and pushing “attack” on your phone’s software moments before the swing of your arm matches up with the swing of the leg where he pockets his wallet. Quickly and stealthily interrogating the payment instruments and using them to buy things later.
If nothing else, this demonstrates that you should be personally vigilant on watching every charge posted to your accounts, setting up lots of alerts to monitor strange behavior, and disable anything you are not actively using. If you are concerned about people stealing your payment information, you can put your cards into paper-thin shields that will prevent someone from interacting with it, or simply request a card that does not have the contactless technology embedded in it.
Possibly Related Posts:
- Ten Things Companies Get Wrong About CIAM
- Protect Yourself and Freeze Your Credit
- PCI DSS 4.0 Released plus BOOK DETAILS!
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug