Filet-O-Phish: Insecure NFC tag relics hidden under Maccas tables McDonald's New Zealand and Australia restaurants reportedly have unused and insecure NFC tags glued under tables. Near Field Communications tags allow devices to read instructions with a tap. Phones must be very close in order to read the tags and the instructions it contains. The McDonald's tags seem to have been installed …
Unless I'm missing something here, what's to stop anyone from taping their own tag under the table, loaded up with a suitably lookey-likey phishing attack ? Or tape some BK branded phish-ware tags under tables in a BK.
(or even ON the table, made to look sufficiently "official" I doubt that it would be detected and scraped off before it could do it's damage)
Quite; this would just be an unremarkable and unnecessarily complicated way of implementing a phishing attack. Could be a NFC tag, but equally could just be a sticker with a QR code, or simply a printed URL with a plausible domain name. This is making a very big deal out of not very much.
Most NFC stickers are too weak to work through anything but the thinnest tables. But you are right, there's probably not a lot stopping someone from sticking Ronald McDonald stickers on top of regular NFC stickers and putting them on top of the table, I doubt the staff would see a few stickers and think "obvious security threat".
I think the point is that customers are directed towards these tags - "Tap here for an awesome fantastic great app that will do loads of cool stuff" printed on the top of the table or whatever. So by leaving them read/write, I could go in, erase the link to the website or app, and program in a link to either something rude, or perhaps a website or app that look right but instead are phishing for something.
Those commenters saying that you could just plaster NFC tags under the tables anyway are missing the key step which is that you'd also have to print out some advertising material directing people there, and there's a decent chance someone in the restaurant would notice that it's not a legitimate bit of POS.
So yes, it is viable that this could be exploited. I probably wouldn't be bothered to write a malicious app, but I would definitely take the five seconds needed to redirect customers to Burger King or something.
"I think the point is that customers are directed towards these tags - 'Tap here for an awesome fantastic great app that will do loads of cool stuff' printed on the top of the table"
Err.. no they're not. Did you see the article?
"...you'd also have to print out some advertising material directing people there, and there's a decent chance someone in the restaurant would notice that it's not a legitimate bit of POS."
You could just use a sticker as someone else has mentioned and I think you overestimate the security vigilance of members of staff.
NFC should have stayed in Warehouses. Been consistently a fail on security and privacy in retail / payments / travel.
QR codes are OK in theory, but should display the REAL URL with a "Do you want to do this dangerours thing?" QR codes are a similar risk to URL shorteners, or HTML where you can't preview link.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
