Mobile ‘Wallets’ Attract Greater Interest From Thieves, Researchers

As mobile phones allow us to carry our money in an electronic “wallet,” they will also become a greater target for crooks. Picking a pocket is a risky endeavor for thieves, but it will be much less so if all they need to do is bump into their victims or brush by them with a mobile phone. Thieves are now more likely to go after both mobile payment software and phones enabled with near-field communications (NFC). However, things are not so bad; security researchers’ proof-of-concept (PoC) attacks against Google Wallet and Square’s credit card readers have prompted improvements in security.

Square credit card reader with American Express card

Square's credit card readers recently added encryption for credit card data.

Security researchers have already tested Square’s credit card readers, using exploits and keyloggers to intercept credit card numbers as they pass to their mobile phones. Square has now added encryption to new versions of its credit card reader. Does that mean that they’re completely secure? Not necessarily. Security researcher Adam Laurie is taking a closer look. Laurie has a large amount of experience in reverse-engineering embedded systems and RFID hardware. His research includes finding vulnerabilities in hotel room safes, RFID passports, and chip and PIN credit cards. As word of the new, more secure Square readers arrived, he posted an open request on Twitter. This can only be good for the security of the mobile payment system.

Researcher Adam Laurie requesting one of the new encrypted Square readers from his Twitter followers.

NFC-enabled contactless (“tap and pay”) credit cards are also at risk from an attacker with a specially crafted app and NFC-enabled mobile phone. Researchers at viaForensics have demonstrated a PoC NFC reader Android app that can grab the information on your credit card just by placing the phone nearby. An attacker can walk through a crowd and collect numbers and expiration dates from numerous victims. The CVV2 and other card verification numbers aren’t included, so it is more difficult for a criminal to resell stolen credit card information. Generally the CVV2 number, printed on the back of credit cards, is used to verify that online transactions are being made by someone who has the actual card. Most online shopping sites won’t allow a purchase if the customer doesn’t have that number. However, this didn’t stop viaForensics’ partner, the UK’s Channel 4 News, from being able to use this minimal card information on a popular online shopping site.

These latest phone enhancements have inspired an increasing interest in mobile payment security from both the bad guys and security researchers.

Cracking Open Your (Google) Wallet

We suggested earlier that instead of going after the Secure Element chip and the information it keeps safe, attackers would go after the weaker point of the Google Wallet app. Security researcher Joshua Rubin has now created a proof-of-concept app, Google Wallet Cracker, that can recover the Google Wallet PIN on a rooted phone.

Once attackers get your PIN, they have full access to any credit card information stored in the app and they can use your phone to make purchases. As a user of Google Wallet, the main security you see is the PIN. What makes Wallet easy for you to use now makes it easy for attackers to use; they can now spend your money and credit just as if your phone were an ATM card.

How It Works
The vulnerability involves storing an encrypted hash of the Google Wallet PIN in a database that belongs to the app. Because it’s not stored in the Secure Element chip, the only protection is Android’s user ID-based “sandboxing.” Normally malicious apps can’t access files belonging to another app, but once the phone is rooted that protection and any others are gone.

Google Wallet Cracker app checks whether the phone is rooted.

In this case an attacker with root access can reverse-engineer the Google Wallet app’s database format and extract the hashed PIN.

The Cracker app extracts the encrypted hash of the Google Wallet PIN.

Because the PIN is a four-digit code, an attacker can generate all possible PINs (0000-9999), hash each one, and compare the results against the extracted hash. On a real phone this takes about four seconds.

The Cracker app displays the recovered Google Wallet PIN four seconds after the app was started.
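The search described above is worth seeing next to the control that would stop it. The following is an added example, not code from the post or from Google Wallet Cracker: the Wallet database format is not described here, so a salted SHA-256 verifier is assumed as a stand-in (the salt and PIN are constructed), and `LockingPinChecker` is a hypothetical model of verification done inside a Secure Element with a failed-attempt counter. It shows that an offline verifier of a 10,000-value PIN space falls in at most 10,000 guesses no matter how the hash is computed, that a slow KDF only raises the per-guess cost, and that a lockout counter enforced where the verifier lives is what actually ends the search.

```python
import hashlib
import hmac
import os
import time

PIN_SPACE = 10_000  # every four-digit PIN, 0000 through 9999

# Constructed sample data. The page does not describe Google Wallet's actual
# storage format; this salted SHA-256 verifier is an assumed stand-in that has
# the one property the post relies on: anyone who can read the app's database
# can check PIN guesses against it offline, with no attempt counter.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed salt
SECRET_PIN = "4271"                                          # constructed PIN


def fast_verifier(pin: str, salt: bytes = SALT) -> bytes:
    """One SHA-256 over salt||PIN: microseconds per guess."""
    return hashlib.sha256(salt + pin.encode()).digest()


def slow_verifier(pin: str, salt: bytes = SALT, iterations: int = 1000) -> bytes:
    """PBKDF2-HMAC-SHA256: raises the per-guess cost but not the guess count."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def offline_pin_search(target: bytes, verifier_fn):
    """Enumerate the whole PIN space against an extracted verifier.

    Returns (recovered_pin, guesses_made, elapsed_seconds). Nothing stops the
    search because the comparison runs on the attacker's own CPU rather than
    inside the phone's Secure Element.
    """
    start = time.perf_counter()
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if hmac.compare_digest(verifier_fn(pin), target):
            return pin, n + 1, time.perf_counter() - start
    return None, PIN_SPACE, time.perf_counter() - start


class LockingPinChecker:
    """Hypothetical model of PIN verification inside a tamper-resistant element.

    The verifier never leaves the object, and a failed-attempt counter locks it
    permanently after max_attempts misses, so an exhaustive search is stopped
    after a handful of guesses instead of completing in seconds.
    """

    def __init__(self, pin: str, max_attempts: int = 3):
        self._salt = os.urandom(16)
        self._verifier = fast_verifier(pin, self._salt)
        self._max_attempts = max_attempts
        self._failures = 0
        self.locked = False

    def check(self, pin: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(fast_verifier(pin, self._salt), self._verifier):
            self._failures = 0  # a correct PIN resets the counter
            return True
        self._failures += 1
        if self._failures >= self._max_attempts:
            self.locked = True
        return False


def online_pin_search(checker: LockingPinChecker):
    """The same enumeration, but against a checker that enforces a lockout.

    Returns (recovered_pin, guesses_made); recovered_pin is None once locked.
    """
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if checker.check(pin):
            return pin, n + 1
        if checker.locked:
            return None, n + 1
    return None, PIN_SPACE


if __name__ == "__main__":
    pin, guesses, secs = offline_pin_search(fast_verifier(SECRET_PIN), fast_verifier)
    print(f"offline, fast hash: recovered {pin} after {guesses} guesses in {secs:.3f}s")
    pin, guesses, secs = offline_pin_search(slow_verifier(SECRET_PIN), slow_verifier)
    print(f"offline, PBKDF2:    recovered {pin} after {guesses} guesses in {secs:.3f}s")
    pin, guesses = online_pin_search(LockingPinChecker(SECRET_PIN))
    print(f"in-element lockout: recovered {pin} after {guesses} guesses")
```

Run stand-alone, the two offline searches both recover the constructed PIN after 4,272 guesses; the PBKDF2 variant simply takes longer per guess, which is why a slow KDF alone is not a fix for a four-digit secret. The lockout model gives up after three guesses, which is the behaviour the post attributes to keeping the check inside the Secure Element.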

How Do We Stay Safe?
Currently only Nexus S or Galaxy Nexus users can run Google Wallet. Rubin has responsibly disclosed the vulnerability to Google and the company is now working on patching Android to prevent such attacks. The Google Wallet Cracker is not publicly available.

Google Wallet users can take a number of steps to protect themselves:

  • Use a lock code/password, swipe pattern, or face unlock.
  • Keep your phone close and in your possession. If attackers don’t have physical access to your phone, they can’t install malicious apps or spyware.
  • Install antivirus software on the phone to protect against unwanted root exploits and spyware.


McAfee Labs Assists in Rare Cybercrime Conviction

As we have discussed on this blog more than once, convictions for cybercrime activities are a rare thing indeed. Recently, however, a former University of Salford (United Kingdom) student was convicted and given a suspended sentence for stealing online gaming credentials.

The University of Salford contacted the police after it received a complaint from a U.S. resident regarding the theft of personal details. The police worked with the academic institution and with McAfee Labs to gather evidence. The police asked us to perform an analysis on the malware and our very own Alex Hinchliffe assisted!

Congrats to Alex, the U.K. police and the University of Salford on a job well done. This is the kind of teamwork that we can all learn a lesson or two from.

Read the full account at ZDNet UK.

The Dangers of Shared Devices and Exec Lounges

One of the perks of travel is access to Executive Lounges. One of the perks of Executive Lounges is that they often have VERY cool devices on display for the weary traveler to use. In one particular lounge I am currently in resides a very nifty Motorola XOOM:

As I am in Korea at the moment the first thing I had to do was change the default language to English (which I admit took more than a few minutes) and then I decided that I would try to take a LONG stroll through the inner workings of this ‘droid. I had figured the device would be locked down to some extent and that I would have to get a bit creative….

Talk about being wrong.

I am kinda torn on the idea of shared devices. It’s great to have access to cool technology in a lounge or a store, but you would kind of hope there would be SOME kind of protection or device management/lockdown going on. Who in their right mind would log into a wide open device and use it for their private email, Twitter or Facebook use, right? I think you guessed…. quite a few people.

This particular XOOM (and there were several in this lounge as well as at least one Motorola ATRIX) had what you would expect: Twitter, YouTube, Facebook and such. All of these had multiple logins with the account data saved (which I will NOT show for obvious reasons), but in truth this was not what surprised me. Poking around I quickly noticed that I had full access to the main account that the device used:

Accessing the account settings I could have easily reset the password:

I also, however, had access to the Marketplace account billing information:

Now remember that as I also had access to the main Gmail account (the same the Marketplace used) I could have changed the password and begun using this account on any Android device I wanted. Marketplace app 0wnage awaits! I should also note that all the devices in this lounge used the same account.

It would have been easy to lay waste to these devices and pilfer the account used, but I am a hacker and I have ethics. Think of the flip side.

Let this be a lesson to you road warrior travelers out there – be VERY careful when using shared devices in lounges. They are wide open. In many cases they save account information (this one did): email, social media, website logins, etc… So it might be better to avoid using them at all and wait to use your own devices. If you are going to let others use your device, lock it down!! There are quite a few apps and guides that can walk users of all levels through at least deploying these devices with some level of control.

Time to change language from Korean to English – 5 minutes. Time to get device main account access and full info – less than 1 minute. Advice? Spend MORE than 5 minutes and learn how to manage your devices and their settings. The identity you save just might be your own.