Your NFC-capable Android smartphone could be the newest weapon hackers use to steal money from the credit cards in your pocket, according to researchers. In a presentation at the Hack In The Box Security Conference in Amsterdam, security researchers Ricardo J. Rodriguez and Jose Vila demonstrated a real-world attack to which all NFC-capable Android phones are vulnerable. This attack, delivered through poisoned apps, exploits the NFC feature, allowing unethical hackers to steal money from victims’ credit cards any time the cards are near the victim’s phone.
What is NFC?
Near Field Communication, or NFC, is a short-range contactless communication system that lets various technologies in close proximity to each other communicate wirelessly without the need for an Internet connection. An NFC chip acts as one part of a wireless link. NFC is the primary technology behind features like Android Beam, which allows Android users to swap pictures or contacts by holding two devices together. NFC technology has been increasingly used in cashless payment systems such as Google Wallet and now Android Pay.
NFC evolved from radio frequency identification (RFID) technology. An NFC chip, which can be found in most Android smartphones released in the last 2-3 years, acts as one part of a wireless link. Once it’s activated by another NFC chip, small amounts of data can be transferred between the two devices when they are held a few centimeters from each other.
How it can be used to steal your information
These kinds of attacks have often been considered difficult to perform, because they required two devices to be in very close proximity to one another. In 2013, however, researcher Michael Roland found that by installing Trojan relay software on a victim’s Android phone, the attacker could initiate Google Pay payments using the NFC properties of the victim’s device. When Google was made aware of this weakness, it was quick to patch the problem. With this latest research, however, Rodriguez and Vila found that hackers could use the NFC capability of the victim’s phone to steal money from the physical credit cards in his or her pocket, rather than through Google Pay, when the cards come in contact with the victim’s phone. If you think of how often your wallet is near your phone, the opportunity for attack becomes much more probable.
How to prevent your phone from being hacked
So how can users protect themselves from NFC attacks? Rodriguez shared this advice with iDigitalTimes: “Be aware of the apps you are installing on your device – don’t use apps that haven’t been approved in the Google Play store or that are from an alternative market. If you aren’t using NFC for other stuff, just deactivate it by default. That way the application must ask you to activate NFC and if an unauthorized usage, then you will know it.”