Phone Maker HTC Breaks Its Own Security. These Are The Guys Who Will Help Bring Us Mobile Payments?

Written by Frank Hayes
October 5th, 2011

Even as retailers and customers ramp up for mobile commerce, some smartphone makers still don’t have a mindset that’s ready for handling payments. On Tuesday (Oct. 4), handset vendor HTC admitted that a logging application built into some of its Android phones could leak sensitive user information, such as GPS data, E-mail account information and potentially even payment-card numbers, to a malicious app that needed no password and no special permission beyond the ordinary right to connect to the Internet.

Most of what HTC’s logging software collects isn’t tremendously sensitive on its own; we’re talking mainly location, not payment-card numbers. What matters is that megabytes of data are being scooped up by the phone’s maker and then left unprotected by so much as a password. That is a sign that smartphone vendors still assume a phone is just a phone, instead of a combination payment terminal, mobile wallet and M-Commerce browser.

According to security researcher Trevor Eckhart, who discovered the HTClogger software on his HTC Evo phone, the built-in software captures how long apps are used, phone identity, IP addresses, GPS location, mobile networks detected (Wi-Fi and Bluetooth) and the contents of the clipboard. (You copied a payment-card number to the clipboard? It’s just been captured.) Once collected, none of that information is protected by a password, and any app with permission to connect to the Internet, one of the most common permissions an app requests, can connect to the logger and query it. (The supposedly secret HTClogger even has a help function that lists all available query commands.)

A week after Eckhart reported the vulnerability to HTC (and a day after he went public with the information), the handset maker issued a statement that “while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application.” The company said no customers had reported attacks and that it plans to issue a patch in short order.

A patch is good, but that’s still the wrong mindset for a device that can carry so much genuinely sensitive information. How would customers know their phones had been compromised if an innocent-looking game with no special permissions silently copied the information HTClogger collected and sent it across the Internet? Waiting for customers to tell you that you’ve built a security hole into your phones is not the way to show you’re ready to handle mobile payments.

Ignoring a non-public vulnerability report from a security researcher isn’t helping your customers, either. Most “white hat” hackers will keep vulnerabilities quiet if a vendor asks for time to fix a problem. They’ll even help a vendor to re-create the problem and explain how it can be exploited. All a vendor has to do is ask.

And when a phone maker has actually broken its own security by adding logging software, that phone maker needs all the help it can get. Yes, that’s right: every piece of information exposed by the logging app was originally protected by Android’s permission model, and an app had to request (and the user had to grant) a specific permission to reach it. HTC’s logger holds those permissions itself and then hands the data to any caller that has nothing more than Internet access. The vendor’s own privileged component became a proxy through which other apps bypass the checks the operating system enforces on them, a bypass that did not exist until HTC added the logging software to the phone.
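The two preceding paragraphs describe a privileged component that re-exposes protected data to unprivileged callers. The Python below is an added illustration, not HTC’s code and not from the original article: a toy logger that answers anyone on a localhost TCP port (the flaw), beside a variant that serves over a Unix-domain socket and admits only an allowlist of UIDs reported by the kernel via SO_PEERCRED (Linux only). The command names, the collected values and the UID allowlist are constructed for the example.

```python
"""Toy reconstruction of the design flaw described above (illustrative code,
not HTC's).  VulnerableLogger serves collected data over localhost TCP, so any
process that can open a socket (on Android, anything holding INTERNET) can read
it.  HardenedLogger serves over a Unix-domain socket and checks the caller's
UID as reported by the kernel (SO_PEERCRED, Linux), not as claimed by the
client.  Command names and data are constructed."""
import os
import socket
import struct
import tempfile
import threading

# Constructed stand-ins for the kinds of data the article says were collected.
COLLECTED = {
    "location": "lat=40.7484,lon=-73.9857",
    "accounts": "user@example.com",
    "clipboard": "4111111111111111",  # a card number copied to the clipboard
}


def handle_command(line: str) -> str:
    """Shared command handler: 'help' lists commands, 'get <key>' returns data."""
    parts = line.strip().split()
    if not parts or parts[0] == "help":
        return "commands: help, get <" + "|".join(COLLECTED) + ">"
    if parts[0] == "get" and len(parts) == 2 and parts[1] in COLLECTED:
        return COLLECTED[parts[1]]
    return "error: unknown command"


def _serve_one(conn: socket.socket, authorized: bool) -> None:
    with conn:
        request = conn.recv(1024).decode("utf-8", "replace")
        reply = handle_command(request) if authorized else "error: caller not authorized"
        conn.sendall(reply.encode())


class VulnerableLogger:
    """Listens on 127.0.0.1 and answers every caller: the only 'permission'
    needed to reach it is the ability to open a TCP socket."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._loop, daemon=True).start()

    def _loop(self) -> None:
        while True:
            conn, _ = self.sock.accept()
            _serve_one(conn, authorized=True)  # no check of who is asking


class HardenedLogger:
    """Listens on a Unix-domain socket and admits only allowlisted UIDs.  The
    UID comes from the kernel, so a caller cannot simply claim to be the
    vendor's diagnostic tool.  Default allowlist: the current user's UID."""

    def __init__(self, allowed_uids=None) -> None:
        self.allowed_uids = {os.getuid()} if allowed_uids is None else set(allowed_uids)
        self.path = os.path.join(tempfile.mkdtemp(), "logger.sock")
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.bind(self.path)
        os.chmod(self.path, 0o600)  # filesystem permission as a second layer
        self.sock.listen(5)
        threading.Thread(target=self._loop, daemon=True).start()

    def _peer_allowed(self, conn: socket.socket) -> bool:
        opt = getattr(socket, "SO_PEERCRED", None)
        if opt is None:
            return False  # fail closed where peer credentials are unavailable
        # struct ucred { pid_t pid; uid_t uid; gid_t gid; }
        raw = conn.getsockopt(socket.SOL_SOCKET, opt, struct.calcsize("iII"))
        _pid, uid, _gid = struct.unpack("iII", raw)
        return uid in self.allowed_uids

    def _loop(self) -> None:
        while True:
            conn, _ = self.sock.accept()
            _serve_one(conn, authorized=self._peer_allowed(conn))


def query_tcp(port: int, command: str) -> str:
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(command.encode())
        return s.recv(1024).decode()


def query_unix(path: str, command: str) -> str:
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(command.encode())
        return s.recv(1024).decode()


def demo() -> dict:
    """Run both designs against the same requests and collect the replies."""
    vulnerable = VulnerableLogger()
    hardened_ok = HardenedLogger()                     # allowlist: our own UID
    hardened_locked = HardenedLogger(allowed_uids=[])  # allowlist: nobody
    return {
        "vulnerable_help": query_tcp(vulnerable.port, "help"),
        "vulnerable_clipboard": query_tcp(vulnerable.port, "get clipboard"),
        "hardened_allowed": query_unix(hardened_ok.path, "get clipboard"),
        "hardened_denied": query_unix(hardened_locked.path, "get clipboard"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the hardened variant is that a localhost TCP port carries no caller identity at all, whereas a Unix-domain socket lets the server ask the kernel who connected. On Android itself the equivalent is to protect the service with a signature-level permission or to check the calling UID (Binder.getCallingUid()) against the vendor’s own; either way the privileged component must decide per caller, not trust everything that reaches it.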

Worse still, once HTC added the logging software to its phones, the only way for a user to get rid of the insecurity would be to “root” the phone, that is, to defeat the system’s own protections in order to remove the vendor’s component, which leaves the phone less secure overall.

That logging software was intended to keep the phone running well by detecting problems quickly. That’s a very reasonable purpose. But there’s just too much data flowing through a phone today for a handset maker to get sloppy.

Ironically, the security built into the Android operating system may have helped foster that security-blind mindset among the phone’s developers. Maybe they think they don’t have to worry about security, because the OS is locked down. But that’s a deadly assumption—as every retailer knows, it only takes one security-unconscious associate to blow a hole in carefully devised security defenses.

No wonder the PCI Council doesn’t want to touch the problem of approving mobile devices. Until handset developers start to think less like phone makers and more like cashiers, they won’t be ready for mobile payments anyway.
