The BBC is reporting that the big Home Depot hack attack started in April of this year. It’s scary to think of all the credit card numbers stolen from them, not to mention other victims of similar attacks. The tool often blamed for the attack is “Backoff”. According to an interesting article at American Banker, Backoff is a complex tool that can do more than compromise point-of-sale systems (credit card readers and the associated computing hardware). It is a very nasty and powerful piece of malware.
Some reports have credited the users of Backoff with attacking over 1,000 sites.
I’ve written before about ways we can deal with this issue, one of which is the chip-and-PIN system used in other countries. There, credit and debit cards have embedded chips to help ensure the security of the transaction. This is good for both consumers and card issuers. The US system is gradually migrating to such a system and by some time in 2015 we should see chip-and-PIN systems widely deployed here in the US.
Just recently Apple announced Apple Pay. It is a system to use the iPhone to communicate with a point-of-sale device. The system requires the user to provide a fingerprint in order for the transaction to occur. Other countries have a pay-by-phone system for some transactions, but I have never seen one requiring a fingerprint. The operation of Apple’s system is designed for security. The operation is complex, but an overview can be found in an article at bankinnovation.net.
What has me wondering is whether or not Backoff – or a similar tool – could steal the info the phone sends to the NFC (Near Field Communication) reader so the card could be cloned by a bad guy. I’d very much like to see an analysis of the protocol and its vulnerability to impersonation. I suspect it is at least as good as chip-and-PIN and perhaps more secure. The trick is that the protocol needs to ensure that there is an actual device there and that it is being used by the authorized user. The latter is presumably solved by the fingerprint, but could some malware allow bypassing the former?
I hope the protocols are secure. I hope Apple Pay succeeds. And I hope the protocols can be used by other vendors so we can have a single system for NFC payments.
What has been your experience with NFC payments? Do you think they can be trusted? Let us know in the comments below.
To your safe computing,