3 Replies - 765 Views - Last Post: 31 July 2016 - 02:00 PM

#1 T-Duck   User is offline

  • D.I.C Head

Reputation: 5
  • View blog
  • Posts: 61
  • Joined: 16-December 13

NFC Code Injection/Reading (Idea)

Posted 30 July 2016 - 07:42 PM

Hi Guys

This idea dawned on me the other day. It has to do with the every growing rise in the "Tap and Pay" era of commerce. That being just tapping your card or phone onto the terminal acts as the payment method.

I may be completely wrong about this, but wouldn't it technically be possible to use your android device (with a modified version of a banking app or create your own app) or NFC/RFID tag to have the machine read code from your phone/tag that could be malicious in some way.

What I mean is, at least how I understand it, is when you tap and pay for a purchase the machine will read two things from the input device (phone or card)
These being:
  • The IP address/Destination of the bank (as different cards belong to different banks, so the request has to know where its going)
  • The account number of the user

When the payment is being processed, the machine reads those two items and packets it with the cost and then sends it to the bank which then either sends back a positive or negative response regarding the transaction.

My idea is this. Keeping in mind that the machine may (or may not) read these items. I have two ideas which could be security flaws (if tested)

1) Re-routing. So when a phone is tapped, instead of giving the terminal the address of the banks transaction handling server, it give the destination of another 3rd party server which would bounce back a positive request. Thus spoofing that the purchase was successful.

2) The request never leaves the machine.
This idea is that when the phone is tapped on the terminal it reads code which essentially tells the terminal to not even try to send the request, but instead act like it is (display sending request on screen like normal), But then time out and display successful.

I wanna know what you guys think about these ideas (I mean I am no security expert, I'm sure some one here is)

Have a good day

Is This A Good Question/Topic? 0
  • +

Replies To: NFC Code Injection/Reading (Idea)

#2 modi123_1   User is offline

  • Suitor #2
  • member icon

Reputation: 14158
  • View blog
  • Posts: 56,748
  • Joined: 12-June 08

Re: NFC Code Injection/Reading (Idea)

Posted 30 July 2016 - 08:03 PM

You are wrong about the majority of that. Tap and pay only provides an increased reason to pay for small ticket items that you would normally pay in bills or change for. It works nearly identical to swiping in that the bank information is housed in the merchant processing side and not with the card information. To be exact - what bank it is is part and parcel with the card number.
Was This Post Helpful? 0
  • +
  • -

#3 jon.kiparsky   User is offline

  • Beginner
  • member icon

Reputation: 11093
  • View blog
  • Posts: 18,981
  • Joined: 19-March 11

Re: NFC Code Injection/Reading (Idea)

Posted 31 July 2016 - 01:31 AM

You seem to be assuming that you have control of the merchant's POS system. If you have that, yes, you could do a lot, but I assume you wouldn't stop at getting a few free items at the counter.
Was This Post Helpful? 0
  • +
  • -

#4 tlhIn`toq   User is offline

  • Xamarin Cert. Dev.
  • member icon

Reputation: 6535
  • View blog
  • Posts: 14,450
  • Joined: 02-June 10

Re: NFC Code Injection/Reading (Idea)

Posted 31 July 2016 - 02:00 PM

So far wrong on so much. Just a suggestion: Do some reading/research instead of just guessing that you know some of it. There is so much material out there about the spefications for digital payment protocols. There's no need to guess. There's no need to be so lazy as to ask others to research it for you.

Not to mention a little bit of common sense goes a long way. Do you really think the likes of Apple, Google and Samsung with all their resources and people on it would back such a technology if it were as easy as you seem to think to break it? Really? You don't think if it were that easy that someone on the actual projects would have seen it long before you or me?
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1