Dialing For Dollars: Credit-Card Smartphones Pose New Risks
UPDATE: On Thursday, May 26, Google announced "Google Wallet," which gives smartphones the ability to pay for purchases in stores, like credit cards. But there are dangers involved with this technology. Here's a story we ran in February about the security risks of near-field communications (NFC) smartphones.
The possibility of having a cell phone hacked doesn't create much anxiety, if all that's compromised are your Facebook friends and some salacious photos and inappropriate text messages.
Yet if that same phone were also a digital wallet and an electronic credit card , you could be out a whole lot of money. Experts worry that that's what we're heading for as the next generation of handsets enables you to pay by phone.
"The technology is new, so it's not entirely clear what the security ramifications will be," says Kevin Mahaffey, co-founder and chief technology officer of San Francisco-based Lookout Mobile Security. "But there are real businesses being built out there designed to attack software like this. It's not kids in their garages."
Are smartphones smart enough to be credit cards, and perhaps even more?
Smartphones are already commonly used to manage some financial tasks, such as online banking . But companies such as Google, Apple, Samsung and Nokia aim to cut out credit cards and cash entirely by making phones that can handle in-store purchases.
Such wallet phones are common in parts of Asia. Security analysts believe their arrival in the U.S. market, expected in the next few years, could open up new avenues for fraud.
Right now, there are two leading ways a phone can interact with a cash register.
In January, Starbucks launched the Starbucks Card Mobile App, which lets U.S. customers pay for coffee and other in-store items with iPhones or BlackBerry smartphones. The app generates a barcode that can be read by a cash register's scanner. Funds are deducted straight from a Starbucks account, replenished via credit card or PayPal.
The dominant pay-by-phone technology, however, is likely to be near-field communication (NFC). A special chip built into the phone uses short-range wireless signals to send credit or debit card information directly to compatible check-out terminals or, in one trial program, hotel guest-room locks.
Google's Nexus S phone, on the market since December, is one of the first NFC-enabled phones to be widely available in the U.S. Nokia has pledged to make all its upcoming phones compatible with forthcoming NFC standards.
The biggest breakthrough for NFC may come later this year. Apple's next-generation iPhone 5 will have an NFC chip built in, according to rumors.
Mahaffey points out that the extra chip required for NFC on top of the cellular, Wi-Fi, Bluetooth and GPS chips -- adds a layer that could offer opportunities for hackers.
Security researchers have already demonstrated how a version of the Jailbreakme.com exploit for iPhones can be used to secretly install a rootkit and then tap into debit- and credit-card transactions. There are also some rare cases of user data being stolen via unauthorized apps.
To attack NFC transactions, however, hackers will have to use more sophisticated techniques. Mahaffey believes that once serious amounts of money begin to flow through these transactions, it will attract the attention of organized cyberthieves.
There's the so-called man-in-the-middle attack, Mahaffey explains. In such a case, someone with an NFC reader would stand near the victim during a transaction and simply relay communications back and forth to the targeted terminal.
Some forms of authentication protocols can prevent such an attack, but it raises new security issues.
"The NFC part has to worry about smartphone issues, and smartphones have to now worry about NFC issues," Mahaffey said.
As phones become ever-more complex hand-held computers, that means increased opportunities for vulnerabilities and security holes.
Furthermore, whereas in a corporate or enterprise environment an IT department can push out software updates, it can be difficult to patch problems on millions of individually registered consumer phones.
On the other hand, when credit card fraud occurs now, the victim has to report the breach, and then wait several days until a new card arrives.
In the future, eliminating the threat may be as easy as updating a phone's software.