Stay calm and carry on, people: It's way too soon to say that NFC should stand for Now Fatally Corrupted. Yes, Google's breakthrough NFC payments app Wallet is being mentioned all over the news thanks to a flaw--it's vulnerable to a hack that gives nefarious types access to your secure PIN number. But don't believe any doomsayers or fearmongering that you may encounter on this matter; it's not as evil as it seems and,What is Faux China chinaceramictile? believe it or not, it's actually a sign that the future of wireless mobile payments is probably more secure than your current credit card.
As reported over at the blog of security firm Zvelo,Why does moulds grow in homes or buildings? Google's Wallet app has a wicked flaw right at its core.Plastic injectionmouldingmanufacturer; Wallet works as a three-way system, you see, with the official app running on your smartphone, a hardware chip inside the phone called the secure element, and the participation of the banks at the other end of the data pipeline (ready to check it's all legit and say "okay" when you swipe your phone at a merchant and say, in effect, "please pay this store $X amount").
The security loophole that Zvelo uncovered comes right at the point that the app talks to the secure element, because as an additional security feature--extra to those in place when you actually pay for something--the secure element requires you to enter a PIN number when you activate it after an interval. Thanks to what looks like a bit of sloppy coding by Google, this PIN is stored in an encrypted form on the phone, and if your phone is rooted then a malicious app could use the phone's own prodigious mobile computing power to crunch the encryption and work out your PIN, in a matter of moments:
This means that if someone got ahold of your phone illegitimately, they could fairly swiftly have direct access to your PIN number and thus activate all the goodies hidden inside Wallet, including your stored credit card numbers and transaction history. That's an opportunity to be pretty evil, right there--though it's worth noting it doesn't affect the wireless payment system security itself.
But here's the thing: Your phone would have to be rooted, meaning you'd adjusted its Android code to allow you deep access to the operating system (not something every, or even most, Android users would ever do). And the thief would have to have direct physical access to your phone for a decent space of time to root it if you hadn't, and to run the special app. Google has already begun work on a fix, subject to a tricky battle with the banks over where responsibility for the encryption should lie .Injection molding and plasticmould supplier; Even Zvelo itself notes that if you're a security-aware Android user you can put many barriers in the way of a thief performing the hack by encrypting the device and by making sure it has effective homescreen password locks.
If you think about it, this is actually an endorsement for the future security of wireless payments. If someone stole your current-generation plastic credit card, then there are none of these "extra" barriers in the way of the thief using it. Google around for news about "credit card theft" and you'll see endless examples all over the world of theft by cloned cards, faked signatures, stolen PINs for chip-and-PIN cards (something the U.S. will have to worry about soon) and so on. A single case in a single U.S. city--New York--in late 2011 involved $13 million in theft using stolen cards over a 16-month interval, and the crime is so common that credit card numbers are sold on the black market through a bizarre criminal "bazaar" for as little as $3.50 a pop. In 2009, it was found that card fraud was the number one fear of Americans, above terrorism, partly because of memories of the global economic crisis.
Your current plastic card, you see, is pretty vulnerable to fraudulent use. Yes, there are plenty of security protocols in place, and the tech to keep them safe is getting better--with chip-and-PIN being perhaps the best at the moment. But as criminal tech exploitation advances, the implications of physically losing your card or having it cloned at a merchant are getting bigger (we won't talk about online fraud--that's a separate issue, related to how we process payments over the web). Even the brand-new NFC credit cards are a little at risk because although they are more secure, if they're stolen then they're more or less as vulnerable as a normal card.Plastic injection molding and injectionmolding parts in as quick at 3 days.
As reported over at the blog of security firm Zvelo,Why does moulds grow in homes or buildings? Google's Wallet app has a wicked flaw right at its core.Plastic injectionmouldingmanufacturer; Wallet works as a three-way system, you see, with the official app running on your smartphone, a hardware chip inside the phone called the secure element, and the participation of the banks at the other end of the data pipeline (ready to check it's all legit and say "okay" when you swipe your phone at a merchant and say, in effect, "please pay this store $X amount").
The security loophole that Zvelo uncovered comes right at the point that the app talks to the secure element, because as an additional security feature--extra to those in place when you actually pay for something--the secure element requires you to enter a PIN number when you activate it after an interval. Thanks to what looks like a bit of sloppy coding by Google, this PIN is stored in an encrypted form on the phone, and if your phone is rooted then a malicious app could use the phone's own prodigious mobile computing power to crunch the encryption and work out your PIN, in a matter of moments:
This means that if someone got ahold of your phone illegitimately, they could fairly swiftly have direct access to your PIN number and thus activate all the goodies hidden inside Wallet, including your stored credit card numbers and transaction history. That's an opportunity to be pretty evil, right there--though it's worth noting it doesn't affect the wireless payment system security itself.
But here's the thing: Your phone would have to be rooted, meaning you'd adjusted its Android code to allow you deep access to the operating system (not something every, or even most, Android users would ever do). And the thief would have to have direct physical access to your phone for a decent space of time to root it if you hadn't, and to run the special app. Google has already begun work on a fix, subject to a tricky battle with the banks over where responsibility for the encryption should lie .Injection molding and plasticmould supplier; Even Zvelo itself notes that if you're a security-aware Android user you can put many barriers in the way of a thief performing the hack by encrypting the device and by making sure it has effective homescreen password locks.
If you think about it, this is actually an endorsement for the future security of wireless payments. If someone stole your current-generation plastic credit card, then there are none of these "extra" barriers in the way of the thief using it. Google around for news about "credit card theft" and you'll see endless examples all over the world of theft by cloned cards, faked signatures, stolen PINs for chip-and-PIN cards (something the U.S. will have to worry about soon) and so on. A single case in a single U.S. city--New York--in late 2011 involved $13 million in theft using stolen cards over a 16-month interval, and the crime is so common that credit card numbers are sold on the black market through a bizarre criminal "bazaar" for as little as $3.50 a pop. In 2009, it was found that card fraud was the number one fear of Americans, above terrorism, partly because of memories of the global economic crisis.
Your current plastic card, you see, is pretty vulnerable to fraudulent use. Yes, there are plenty of security protocols in place, and the tech to keep them safe is getting better--with chip-and-PIN being perhaps the best at the moment. But as criminal tech exploitation advances, the implications of physically losing your card or having it cloned at a merchant are getting bigger (we won't talk about online fraud--that's a separate issue, related to how we process payments over the web). Even the brand-new NFC credit cards are a little at risk because although they are more secure, if they're stolen then they're more or less as vulnerable as a normal card.Plastic injection molding and injectionmolding parts in as quick at 3 days.
沒有留言:
張貼留言