Problems with phones have been very much in the news lately, e.g. the Galaxy Note 7 fire risk. Hot on the heels of this comes news from security experts that criminals may be using altered Android phones to steal ‘smart wallet’ personal details from other Android phones in so-called ‘tap-and-go’ crimes.
What Is Tap-and-Go?
As an IT Support Company in Hertfordshire, we’ve heard of many different attempts to steal data remotely, but the prospect of a person being able to do it using a mobile phone is a little worrying. In this case, though, the thieves have figured out how to exploit a feature that was added to Android phones to help with the transfer of data.
On Android phones, tap-and-go was introduced to enable people to quickly and easily transfer data from an old phone to a new phone. The process uses ‘near field communication’ (NFC) technology. NFC is the protocol that allows two electronic devices (at least one of them portable) to communicate when they are within approximately 4 cm of each other.
The use of smart wallets, i.e. using a smartphone for payment transactions as well as personal details (driver’s license, ID documents etc.), could therefore pose a substantially greater security risk when combined with this new crime risk.
Exploited By Criminals.
As an IT Support Company in Hertfordshire we are very aware of the often sophisticated methods that cyber criminals are now using.
According to Europol’s annual Internet Organised Crime Threat Assessment report, cyber criminals are already making progress in exploiting these new mobile phone technologies and their vulnerabilities to commit fraudulent tap-and-go thefts.
Merchant Out of the Loop.
With a normal card payment system, if a merchant spots a fraudulent transaction they can seize the card, thereby stopping any further fraud using that card. If, as with smart wallet style systems, compromised card data is stored on a smartphone, the merchant’s power to confiscate the card and stop further crime is taken out of the loop.
How Does The Crime Take Place?
It is believed that tap-and-go crimes are being operated using software (most likely purchased from the dark web) that can upload compromised card data to Android phones in order to enable them to make payments at any stores accepting NFC payments.
Why Android Phones?
Technical experts have been saying that Android phones are being used in this crime because Google doesn’t prevent third-party apps from using a device's NFC chip, and code can be written to get at NFC, Wi-Fi and Bluetooth on Android-based devices.
This is not the case with iPhones because their systems are locked down.
What Does This Mean For Your Business?
Although this crime has been highlighted in the Europol report, it appears unlikely to be prevalent at this stage, and it doesn’t mean that we should stop using Android Pay.
It is important, however, that we should all remain vigilant against unusual transactions. If you have an iPhone, it appears, of course, that you are at much less risk of falling victim to this type of crime at the present time.
This story also illustrates how advanced cyber criminals are, as they are able to spot and quickly exploit vulnerabilities in very new technologies and protocols.