Known NFC spoofing techniques probably wouldn't work with Apple Pay

Apple Pay is poised to turn how we pay for goods at a retail store on its head. The new Apple Pay system lets you make purchases with the cards in your iTunes Store account. When you bring your iPhone 6 near an NFC-equipped payment terminal, you'll see your cards in Passbook, and you can authorize a transaction with the Touch ID fingerprint reader. That's it, you're done, and none of your sensitive credit card information was ever shared directly with the merchant.

Near-field communication, or NFC, isn't a new technology, and hackers have had plenty of time to develop hardware that sniffs out the signals as they're wirelessly transmitted from your phone to a reader. While some security experts I spoke to insist that these known vulnerabilities could apply to Apple Pay transactions, they also admitted that Apple's use of one-time-use tokens instead of your actual credit card information would render these hacks pretty toothless.

How spoofing would work

Spoofing an NFC transaction involves creating a dummy reader--say, another smart card or a smartphone--that sniffs out a close-by signal and steals the data during a transaction.

Hector Hoyos, the CEO of Hoyos Labs, a digital infrastructure security company that makes a biometric device for ATMs, says there is a known hack for NFC that uses off-the-shelf radio receivers anyone can buy at Radio Shack. Using this home-built reader, a hacker standing near the Apple Pay terminal could intercept the signal.

"A radio sniffer could work if someone was standing right behind you from a foot or two away," says Hoyos. He even suggested the spoof is one of the reasons why Google Wallet, which also relies on NFC, never went mainstream--although there isn't known video evidence that Google Wallet has been hacked this way.

Other methods require physical access. Satnam Narang, the Security Response Manager at the Symantec Security Technology and Response (S.T.A.R.) division, says there is a known hack related to NFC transactions, but it requires that the hacker install a piece of malicious code on the phone first.

Narang says one known vulnerability called a relay attack uses smartcards, which are basically credit cards that store data and use an NFC chip. A hacker creates a "proxy" card that can intercept the signal from a "mole" (the real card). However, even then, he says there has to be a physical tap with the fraudulent card.

Another security analyst said NFC spoofing is possible. Jeff Williams, CTO of Contrast Security, a Web application security provider, says that a widely available reader using the Arduino microcontroller can intercept NFC signals from a meter away or more. He says several exploits for NFC in smartphones have been found.

Tokens, not account numbers

Still, even if a hacker could snag your transaction data as it passes from your iPhone to the terminal, they'd get a single-use token with nothing to identify you by name. Connecting that to the credit cards stored securely by Apple might not be impossible, but the experts we spoke to agree that it's a lot harder than just stealing some credit card numbers.

Narang points out that Apple Pay uses an account code that refers to a credit card number not stored on the phone, so the hacker would only obtain a useless account number. This "tokenization" is one of the strengths of the new Apple Pay system and is intended to dissuade hackers.

Williams agrees that stolen Apple Pay data would likely be useless. "The use of one-time tokens instead of revealing actual credit card information has the potential to make these intercepted signals useless to attackers. The use of Apple's fingerprint Touch ID technology adds another layer of authentication to the mix, potentially further frustrating attacks," he says.
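To make the tokenization argument concrete, here is an added example (not from the article, and not Apple's actual protocol): a simplified Python model of why a sniffed payload is of little use. The names `TokenService`, `tap` and `cryptogram`, and the choice to model "one-time" as a per-transaction counter protected by an HMAC, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, token, counter, amount_cents):
    """Per-transaction MAC binding the token to one counter value and amount."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Hypothetical issuer-side vault; only it can map a token to the card number."""
    def __init__(self):
        self._vault = {}

    def provision(self, pan):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key  # key is stored on the device and never transmitted

    def authorize(self, payload, amount_cents):
        entry = self._vault.get(payload["token"])
        if entry is None:
            return "declined: unknown token"
        expected = cryptogram(entry["key"], payload["token"], payload["counter"], amount_cents)
        if not hmac.compare_digest(expected, payload["cryptogram"]):
            return "declined: bad cryptogram"
        if payload["counter"] <= entry["last_counter"]:
            return "declined: replayed transaction"
        entry["last_counter"] = payload["counter"]
        return "approved"


def tap(token, key, counter, amount_cents):
    mac = cryptogram(key, token, counter, amount_cents)
    return {"token": token, "counter": counter, "cryptogram": mac}  # no card number


def demo():
    service = TokenService()
    pan = "4111111111111111"  # constructed test card number
    token, key = service.provision(pan)
    sniffed = tap(token, key, 1, 1250)  # all an eavesdropper on the radio link sees
    return {
        "pan_exposed": pan in str(sniffed),
        "original": service.authorize(sniffed, 1250),
        "replay": service.authorize(dict(sniffed), 1250),
        "altered_amount": service.authorize(dict(sniffed), 99900),
    }
```

In this model the captured payload never contains the card number, an identical resubmission is declined because its counter has already been used, and changing the amount invalidates the MAC.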

Hoyos is a little more uncertain. He claims that it's possible for hackers to correlate spoofed account tokens to credit card data stored on Apple's actual servers, and points to the recent breach of celebrity photos from iCloud backups as precedent. (But the two situations aren't comparable, and Apple hasn't had credit card accounts stolen before.) Hoyos even claims that it's possible to purchase a mylar replication of a fingerprint, then use it with Touch ID to complete transactions--but of course that would require stealing the phone and getting a fingerprint, and the whole plan is foiled as soon as the person you stole the phone from deactivates it as an Apple Pay device using Find My iPhone.

Apple did not respond on the record to inquiries about Apple Pay security but did point to online documentation for Apple Pay that explains the tokenization process. Apple Pay launches Monday in the United States with the release of iOS 8.1.
