Chinese Researchers Uncover Vulnerability in Mobile Payments
Mobile payments are often touted as more secure than traditional credit card payments, since a dynamic code is used to process the transaction instead of your payment card details. However, researchers from Hong Kong have found there are vulnerabilities with these types of transactions.
The two-year study, conducted by researchers at the System Security Lab at Chinese University, examined four types of data exchange: near-field communication (NFC), QR code scans, magnetic secure transmission (MST) and audio signals.
NFC transactions, such as those used by Apple Pay and Android Pay, were safe, as these types of payments provide two-way communication between the terminal and the device. Thus, if the token has been stolen, the user will immediately get a notification on their device that the payment failed, which will allow them to take action.
The other three forms of mobile payments were vulnerable to hacking. The team found criminals can steal the token involved in MST and audio signal transactions by tampering with the transmission process. Hackers can also gain access to a phone’s camera to record an image of the QR code. Once the token or code is stolen, hackers can use this information to purchase goods.
The team reported the vulnerabilities to Alipay, China’s lead payment processor, and to Samsung, which have reportedly taken action.
The lead researcher, Professor Zhang Kehuan, warns consumers that no type of payment is absolutely secure, so shoppers should remain vigilant.
“As researchers we only identify loopholes and plug them, but we can never guarantee [that more won’t] show up in the future,” Zhang told the South China Morning Post.
Zhang warned smartphone users against “jailbreaking” or “rooting” their mobile devices and advised them to avoid using apps from suspicious sources.