M-Commerce Insecurity Is Outrunning Mobile Payments

Written by Frank Hayes
February 2nd, 2011

Think mobile payments are safe today because they’ve barely gotten off the ground? We should be so lucky. Graduate students at Indiana University have developed an ingenious technique for stealing payment-card numbers as a user is speaking or punching them into an Android-based smartphone.

The approach, which the grad students call “Soundminer,” uses speech recognition, signal processing and social engineering to sneak past all the current malware protections on smartphones. And they’ve managed to do all this before the mobile-payments business has really gotten started.

To be fair, the Indiana grad students also make suggestions for how smartphone makers can lock down their phones to avoid these types of problems. But it’s frustrating to realize that while banks, card processors and smartphone vendors are deadlocked as they dither about who will get what piece of the action in mobile payments, others are taking smartphones seriously as tools for stealing payment-card information. At this rate, thieves will be highly experienced in stealing card numbers from smartphones long before the payments industry finally decides on divvying up the money and gets around to looking at security.

Actually, Soundminer is designed to do something much harder than hacking into the types of mobile-payments applications we’ve already seen. It keeps track of what phone numbers have been dialed, so it knows when the smartphone user has called a bank or credit-card company. Then it uses speech recognition to verify that the user has entered the interactive voice response (IVR) system.

When the IVR instructs the user to speak or punch in the payment-card number, just that much is recorded through the phone’s microphone. (The microphone shouldn’t be able to capture the touch-tones when a number is punched in, but the students discovered that’s possible after all.)

Then the card number is converted to a short string of digits (either using speech recognition or signal processing). That string can be passed to a companion piece of malware one bit at a time, through techniques such as sending the operating system signals to turn the smartphone screen off and on rapidly. It’s too quick for the screen to actually react, but just slow enough that the other malware can get the message and then send the card number out to the Internet.

Yes, it sounds like a kludgy, Rube-Goldbergian way to steal payment-card information. But that’s the level of ingenuity that’s already being aimed at smartphone thievery. By the time contactless payments finally get a foothold, thieves will have years of experience on smartphones. And compared to Soundminer, simply infecting a phone with malware that eavesdrops on a single mobile-payments application to steal card numbers will be a piece of cake.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.