We all know that NFC can be used to make mobile payments, a feature that may become the technology’s “killer app”. We’ve even seen NFC on phones used to receive such payments, as with PayPal’s NFC-supporting app. Smartphones aren’t the only things being used for these kinds of wireless payments, though, and many recent credit and debit cards support similar RF-based systems. Could we maybe get smartphones and these cards talking directly to each other? One security researcher has managed to do just that, and his results are sure to give pause to anyone carrying around such a wireless payment card in their pocket.
Thomas Skora’s app, available now in the Google Play store, is capable of reading embedded data off certain wireless-enabled payment cards. That can include critical information like credit card numbers and expiration dates. Skora makes clear that this is a technical demonstration, and not intended for committing any sort of card fraud, but that doesn’t make its capabilities any less frightening.
Granted, a PIN is needed to complete many transactions, and this attack won’t reveal such data, but the thought that the rest of it appears to be so readily accessible is still troubling.
If you’ve got an NFC-capable Android phone, and at least a passing knowledge of German (in which the app is released), you might be interested in trying the app out with your own cards just so you have a realistic idea of exactly how exposed your own information is.
The full source code to the app is available on GitHub, just in case you’re worried that it’s doing anything nefarious with your data. The app’s still a bit buggy and is very much a work in progress, but it’s a sobering reminder of the consequences of wireless technology, all the same. How much longer until crooks are casually walking down the street, apparently innocently texting away on their phones, while actually scanning for your card details?