June 6, 2019
The Inconvenience of Convenience- WST
This week’s security tip reminds us that convenience can be fraught with pitfalls. And that the software and hardware that we so readily rely upon as a society in general, is by no means perfect. Because it’s designed and manufactured by the most imperfect thing in existence. Us.
Researchers at Waseda University, Japan, recently published a report on the exploitation of near field communication technology provided with most smartphones sold today. You may recognize NFC technology as being used for everything from device-to-device data transfer, to electronic payments ala Apple Pay, Android Pay, and Google Pay used at gas stations across the country every second of every day.
The exploit is being called “Tap ‘n Ghost” and Seita Maruyama demonstrated the exploit at the 2019 IEEE Symposium using readily available hardware, and Bluetooth and Wi-Fi technologies. Waseda’s researchers were able to exploit NFC and capacitive touchscreen technology to emulate phantom and redirected screen taps to force a connection to an access point. The access point could then be used allow further attacks with the intent of gaining access to data or remote command and control of the device. The scenario included an unknowing smartphone user sitting at a restaurant table that had been modified with the hacking technology which was then used to compromise the device.
Although researchers provided countermeasure recommendations directly to many device manufacturers, at the time of this writing, there were no immediate or clear responses or temporary security recommendations from those manufacturers. This author has disabled NFC on his Android device until further information is available.
If you are a Bank supporting NFC payment options alongside your e-banking solution and you’re wondering what to publish within your Customer Awareness Program pursuant to FFIEC II.C.16(a) guidelines, this would be a good one.
Would you like to know more about “Tap ‘n Ghost”? https://www.youtube.com/watch?v=phuiwh7djQM