Reflection of a QR code on PoS scanner used to own mobile payments

Paying for stuff with your smartphone is downright dangerous according to Zhe Zhou, a pre-tenure associate professor at Fudan University, who yesterday explained how three different payment methods can be cracked at Black Hat Asia in Singapore. In a talk titled “All your payment tokens are mine: Vulnerabilities of mobile …


Tokens "...when a card is swiped..."

"Swiping" a payment card usually refers to running the magnetic strip through the PoS terminal. I had always assumed that the magnetic strip is essentially used as read only, effectively a bar code. True?

"Bonk to pay" is the El Reg approved term for the RFID contactless method. That, as well as the Smartcard contacts, could enable tokens.

Perhaps I'm confused...

7
0

Re: Tokens "...when a card is swiped..."

I was confused over MST/NFC too. Hadn't heard of MST before. Happily, Sammy has what looks to be a reasonable explanation at https://www.samsung.com/us/support/answer/ANS00043949/

So MST is a contactless way of replicating an actual swipe.

Me though, I prefer bonking.

7
1

Re: Tokens "...when a card is swiped..."

Not all PoS support bonking yet here in China. And since bonking is processed by a different (and less mature) system than MST here in China, it's very common to run into PoS that can only work with MST or contact chip.

4
0

Re: Tokens "...when a card is swiped..."

We Chinese are used to using the word "swipe" for all kinds of transaction forms, including but not limited to NFC, MST, QR code, contact chip and sonic.

4
0

Re: Tokens "...when a card is swiped..."

Bonking might lead to other MST issues... It's the French acronym for STDs (Maladies Sexuellement Transmissibles).

5
0

Bravo!

Zoom and enhance is no longer a cliche, it's an attack vector

11
0

All your payment tokens are mine

Calls himself a hacker; surely "All your payment tokens are belong to us" would've been a far more fitting title...

15
0

Re: All your payment tokens are mine

But then people would have thought he was Russian, and well, you know where that leads!

2
5

Re: All your payment tokens are mine

The "All your X are belong to us" phrasing is based on a bad translation from Japanese. Russian has nothing to do with it.

10
1

Re: All your payment tokens are mine

Was it? Shit, now I look a proper tool :)

7
0

"This attack also detects the configuration of the QR code and subtly changes its appearance"

How does it do that if it's simply watching the reflection of the code? Fire the flash somehow? But that would be noticed.

3
0

Good research, but...

... some of the scenarios are somewhat constructed.

His tactic for such tokens was to surreptitiously turn on a smartphone’s front-facing camera to photograph the reflection of a QR code in a point of sale scanner’s protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code.

OK, so the targeted phone has already been compromised to such a level that the attack app has control over the screen. What's the point then to use the camera to try and catch the code? Why not just get it from a screengrab?

The technique can also be used to craft malicious QR codes that, when used for smartphone-to-smartphone payments, see the victim machine directed to download and run malware.

That's a vuln in the target smartphone's payment app. If it expects a payment token, and gets a "http:..." instead, it probably won't blindly say "oh, hey, why not, let's visit that site..."

All interesting techniques, and good that he did that research, but we're not very close to seeing that in the wild. Way more likely (and easier) to attack the payment service directly (for example with POS malware).

13
0

How can you challenge/response with a QR code?

Or a mag stripe? Maybe it could work with sonic payments, though I have no idea how they work (never heard of them until now) so who knows.

Not sure what the point was of the researcher suggesting a remedy that's clearly impossible. The whole point of Samsung doing their mag stripe thing was to allow Samsung Pay to work with old swipe only readers. If they were going to be upgraded to be able to respond they might as well upgrade them to do NFC.

4
0

Re: How can you challenge/response with a QR code?

Or a mag stripe? Maybe it could work with sonic payments, though I have no idea how they work (never heard of them until now) so who knows.

I suppose that the POS could ask for a pin, although the idea here is that you wave the phone at the terminal and go, rather than interacting with it. I suppose it's better than asking you to video yourself doing the chicken dance in the store and uploading that as a response.

3
0

How to retrofit bonk-pay to your existing Smartphone

Slip your existing bonk payment card in between the back of your smartphone and a suitable leather phone case.

4
0

Re: How to retrofit bonk-pay to your existing Smartphone

That can lead to scratching the phone. A better option may be to grab a sticker/coffee cup/keyring/wristband/ring with the chip in it from your provider of choice, e.g. https://www.optus.com.au/shop/mobile/phones/wearables/optus-pay, https://www.westpac.com.au/personal-banking/mobile-wallets/paywear/, or www.inamo.com. In Australia at least. Not sure about other countries.

1
1

Re: How to retrofit bonk-pay to your existing Smartphone

That can lead to scratching the phone.

Scratching the back of the phone? Oh no!

Also, what kind of phone do you have which can be scratched by a plastic credit card? Is the case made of unfired clay? (Try the new Samsung Adobe!) Chocolate? (When the Godiva Phone stops working a year after you bought it, you can eat the delicious case!)

Personally, I don't use NFC payment anyway. But if I did, I certainly wouldn't be worried about scratching the back of my phone.

2
0

A big part of the problem here seems to be that these retailers are using "PoS terminals". Maybe they should spend more money and buy terminals that aren't pieces of shit.

3
2
