News / Nation

Researchers warn of loophole in mobile payments

Xinhua
  21:35 UTC+8, 2017-09-28       0
A major loophole in mobile payment systems has been discovered by researchers from the Chinese University of Hong Kong, who made their findings public Thursday.
Xinhua
  21:35 UTC+8, 2017-09-28       0

A major loophole in mobile payment systems has been discovered by researchers from the Chinese University of Hong Kong, who made their findings public Thursday.

The discovery was made by the System Security Lab led by Professor Kehuan Zhang from the university’s computer science and engineering department, which analyzed various major mobile payment systems for security vulnerabilities.

In mobile payment transactions, the key to communications between the payer and payee is a payment token issued by the payment service provider to verify the payment.

Some of the most widely adopted forms of transmitting these tokens include Near-Field Communication, Quick Response code scans and Magnetic Secure Transmission.

According to Zhang, whose team has spent two years conducting an in-depth study into these payment systems, apart from NFC, the formats support one-way communication only.

In other words, if the transaction fails, the payee’s device is unable to notify the payer and cancel or reclaim the token already issued, a loophole that an active adversary can exploit.

In regard to QR code scanning, a popular format of token verification, the study has revealed that a malicious device is able to sniff the token from the payee’s screen from afar and spend it on a different transaction.

As for MST function uniquely used by Samsung Pay, payers are required to place their handsets within a 7.5 centimeter distance of the payees’ POS (point of sale) for identification.

But after a series of tests, the team discovered that the magnetic signals can be picked up from 2 meters away. A criminal in a supermarket queue could seize the opportunity to attack and steal the token.

The team has notified relevant third party payment platforms and Zhang reminded mobile payment users to stay alert and avoid downloading mobile apps from unknown sources.

The result of the study was also released at the 26th USENIX Security Symposium, an annual academic conference on Internet security, held last month in Vancouver, Canada.

Source: Xinhua   Editor: Wei Ran
Samsung

Special Reports

EXPLORE SHINE

News

In Focus

Metro

Nation

World

Sport

Biz

Economy

Tech

Auto

Company

Property

Finance

Event

Video

Feature

Art & Culture

Travel

Lifestyle

Taste

Entertainment

Wellness

MENTAL

Book

Education

iDEALShanghai

Opinion

Regions

Special

Projects

Follow Us

About Us  |  Contact Us  |  Feedback  |  Privacy Policy  |  Terms of Use
沪ICP证:沪ICP备05050403号-5  |  互联网新闻信息服务许可证: 31120180004  |  网络视听许可证:0909346  |  广播电视节目制作许可证:沪字第354号  |  增值电信业务经营许可证:沪B2-20120012
Copyright 2020 © Shanghai Daily. All Rights Reserved. Hotline: 8621-52920043

沪公网安备 31010602001940号

Copyright 2019 © Shanghai Daily All Rights Reserved.

沪ICP证:沪ICP备05050403号-5  |  互联网新闻信息服务许可证: 31120180004  |  网络视听许可证:0909346  |  广播电视节目制作许可证:沪字第354号  |  增值电信业务经营许可证:沪B2-20120012

沪公网安备 31010602001940号
Search
breaking news in China
News
Biz
Video
Opinion
Feature
Regions
Top