back to article Reflection of a QR code on PoS scanner used to own mobile payments

Paying for stuff with your smartphone is downright dangerous according to Zhe Zhou, a pre-tenure associate professor at Fudan University, who yesterday explained how three different payment methods can be cracked at Black Hat Asia in Singapore. In a talk titled “All your payment tokens are mine: Vulnerabilities of mobile …

  1. JeffyPoooh Silver badge
    Pint

    Tokens "...when a card is swiped..."

    "Swiping" a payment card usually refers to running the magnetic strip through the PoS terminal. I had always assumed that the magnetic strip is essentially used as read only, effectively a bar code. True?

    "Bonk to pay" is the El Reg approved term for the RFID contactless method. That, as well as the Smartcard contacts, could enable tokens.

    Perhaps I'm confused...

    1. Phil Kingston Silver badge

      Re: Tokens "...when a card is swiped..."

      I was confused over MST/NFC too. Hadn't heard of MST before. Happily, Sammy has what looks to be a reaonable explanation at https://www.samsung.com/us/support/answer/ANS00043949/

      So MST is a contactless way of replicating an actual swipe.

      Me though, I prefer bonking.

      1. Field Commander A9

        Re: Tokens "...when a card is swiped..."

        Not all PoS support bonking yet here in China. And since bonking is processed by a different (and less mature) system than MST here in China, it's very often to run into PoS that can only work with MST or contact chip.

      2. Grooke

        Re: Tokens "...when a card is swiped..."

        Bonking might lead to other MST issues... Its the French acronym for STDs (Maladies Sexuellement Transmissibles)

    2. Field Commander A9

      Re: Tokens "...when a card is swiped..."

      We Chinese are used to use the word "swipe" for all kinds of transaction forms, including but not limited to NFC, MST, QR code, contact chip and sonic.

  2. Chozo
    Devil

    Bravo!

    Zoom and enhance is no longer a cliche, it's an attack vector

  3. Sampler

    All your payment tokens are mine

    Calls himself a hacker, surely "All your payment tokens are belong to us" would've been a far more fitting title..

    1. Sir Runcible Spoon Silver badge
      Coat

      Re: All your payment tokens are mine

      But then people would have thought he was Russian, and well, you know where that leads!

      1. phuzz Silver badge

        Re: All your payment tokens are mine

        The "All your X are belong to us" phrasing is based on a bad translation from Japanese. Russian has nothing to do with it.

        1. Sir Runcible Spoon Silver badge
          Facepalm

          Re: All your payment tokens are mine

          Was it? Shit, now I look a proper tool :)

  4. Christoph Silver badge

    "This attack also detects the configuration of the QR code and subtly changes its appearance"

    How does it do that if it's simply watching the reflection of the code? Fire the flash somehow? But that would be noticed.

  5. Frank Bitterlich
    Meh

    Good research, but...

    ... some of the scenarios are somewhat constructed.

    His tactic for such tokens was to surreptitiously turn on a smartphone’s front-facing camera to photograph the reflection of a QR code in a point of sale scanner’s protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable. The malware running the attack on the smartphone, however, manages to retain a perfect and usable QR code.

    OK, so the targeted phone has already been compromised to such a level that the attack app has control over the screen. What's the point then to use the camera to try and catch the code? Why not just get it from a screengrab?

    The technique can also be used to craft malicious QR codes that, when used for smartphone-to-smartphone payments, see the victim machine directed to download and run malware.

    That's a vuln in the target smartphone's payment app. If it expects a payment token, and gets a "http:..." instead, it probably won't blindly say "oh, hey, why not, let's visit that site..."

    All interesting techniques, and good that he did that research, but not very close to see that in the wild. Way more likely (and easier) to attack the payment service (for example with POS malware) directly.

  6. DougS Silver badge

    How can you challenge/response with a QR code?

    Or a mag stripe? Maybe it could work with sonic payments, though I have no idea how they work (never heard of them until now) so who knows.

    Not sure what the point was of the researcher suggesting a remedy that's clearly impossible. The whole point of Samsung doing their mag stripe thing was to allow Samsung Pay to work with old swipe only readers. If they were going to be upgraded to be able to respond they might as well upgrade them to do NFC.

    1. Alistair Silver badge
      Joke

      Re: How can you challenge/response with a QR code?

      Or a mag stripe? Maybe it could work with sonic payments, though I have no idea how they work (never heard of them until now) so who knows.

      I suppose that the POS could ask for a pin, although the idea here is that you wave the phone at the terminal and go, rather than interacting with it. I suppose it's better than asking you to video yourself doing the chicken dance in the store and uploading that as a response.

  7. JeffyPoooh Silver badge
    Pint

    How to retrofit bonk-pay to your existing Smartphone

    Slip your existing bonk payment card in between the back of your smartphone and a suitable leather phone case.

    1. Phil Kingston Silver badge

      Re: How to retrofit bonk-pay to your existing Smartphone

      That can lead to scratching the phone. A better option may be to grab a sticker/coffecup/keyring/wristband/ring with the chip in from your provider of choice e.g. https://www.optus.com.au/shop/mobile/phones/wearables/optus-pay, https://www.westpac.com.au/personal-banking/mobile-wallets/paywear/, or www.inamo.com. In Australia at least. Not sure about other countries.

      1. Michael Wojcik Silver badge

        Re: How to retrofit bonk-pay to your existing Smartphone

        That can lead to scratching the phone.

        Scratching the back of the phone? Oh no!

        Also, what kind of phone do you have which can be scratched by a plastic credit card? Is the case made of unfired clay? (Try the new Samsung Adobe!) Chocolate? (When the Godiva Phone stops working a year after you bought it, you can eat the delicious case!)

        Personally, I don't use NFC payment anyway. But if I did, I certainly wouldn't be worried about scratching the back of my phone.

  8. DMoy

    A big part of the problem here, seems to be that these retailers are using "PoS terminals". Maybe they should spend more money andto buy terminals that aren't pieces of shit.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019