Android users can spend their iPhone-owning friends’ money using a new app that captures NFC payment transaction tokens from other devices, holds them, and spends them later.
Spot.me allows users to touch an Android device to an iPhone 6 and conduct a payment transaction. From the iPhone user’s perspective, it is a regular transaction and verified with a fingerprint in the usual way.
But at this point the Android device has captured the iPhone’s transaction token, a stand-in for the user’s card details that carries no pre-determined value, and can hold on to it, ready to spend at a later date.
The Android user then simply presents their device at a contactless payment terminal in the usual way and the captured token pays for their purchase.
A video shows the app, which can also be used to grab Google Wallet tokens, in action.
Although a single token can only be used once, tokens do not expire and need not be spent in the order they were captured, so holding a token for several days before spending it is possible, NFC World understands.
While the authors of the Spot.me app envisage benign uses such as handing a payment token to a friend so they can buy themselves a sandwich, it would also be possible to conduct a relay attack.
“Imagine you’re at a yard sale and you buy something. You’re presented with a device to pay with NFC. How do you know that’s a legitimate terminal, or an app similar to this?” one industry source told NFC World. “Your token could be across the nation and paying for something in a big box store before you got home.”
“We call it the tokin’ bug, because you can pass it around,” quipped the source, who does not wish to be identified.
The app, which can also “lift” tokens from Google Wallet running on another Android device, works because of a legacy issue in readers in the US and Canada: the Visa application in those readers does not supply a “terminal random” value when handling transactions. Because nothing from the reader goes into the token, the token is not bound to a particular terminal or to the moment it was generated, so a copy captured by one device can be presented to a different reader later.
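To make that mechanism concrete, here is a constructed Python model added for this article. It is not Spot.me’s code, not Visa’s reader software, and not a real EMV implementation; the key, the token value, the HMAC construction and the issuer’s bookkeeping are all illustrative assumptions. It models the card-side authorisation as a MAC over the token, the transaction counter and whatever random value the reader supplies, then compares a legacy reader that supplies none (captured tokens are accepted later, out of order, each once) with a reader that supplies a fresh value (the captured token fails at any other reader).

```python
"""
Toy model of why a contactless payment token can be captured and replayed
when the reader contributes no "terminal random" value.

Constructed illustration only: not Spot.me, not Visa's kernel, not real EMV.
Key, token value, message layout and issuer logic are all assumptions.
"""
import hmac
import hashlib

# Constructed demo values (not real card or key material).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PAN_TOKEN = b"4000000000000002"   # payment token standing in for the PAN


def card_cryptogram(key: bytes, pan_token: bytes, atc: int, terminal_random: bytes) -> bytes:
    """Card/phone side: MAC over token, transaction counter and terminal random.

    Real EMV kernels use other fields and ciphers; what matters here is whether
    a reader-supplied value is bound into the result at all.
    """
    msg = pan_token + atc.to_bytes(2, "big") + terminal_random
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Phone:
    """The paying device: holds the key and a monotonically increasing ATC."""

    def __init__(self) -> None:
        self.atc = 0

    def tap(self, terminal_random: bytes) -> dict:
        """One tap produces one single-use token (ATC + cryptogram)."""
        self.atc += 1
        return {
            "pan_token": PAN_TOKEN,
            "atc": self.atc,
            "cryptogram": card_cryptogram(CARD_KEY, PAN_TOKEN, self.atc, terminal_random),
        }


class Issuer:
    """Verifies the cryptogram and rejects reuse of an ATC.

    Assumed behaviour matching the article: a token works once, in any order,
    with no expiry, so the issuer tracks a set of used counters rather than
    enforcing strict ordering.
    """

    def __init__(self) -> None:
        self.used_atcs = set()

    def authorise(self, tx: dict, terminal_random: bytes) -> bool:
        expected = card_cryptogram(CARD_KEY, tx["pan_token"], tx["atc"], terminal_random)
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False
        if tx["atc"] in self.used_atcs:
            return False
        self.used_atcs.add(tx["atc"])
        return True


def terminal_checkout(issuer: Issuer, tx: dict, terminal_random: bytes) -> bool:
    """A merchant terminal forwards the presented token together with the random
    value *it* supplied (empty for a legacy reader). The issuer never trusts a
    random value carried inside the token itself."""
    return issuer.authorise(tx, terminal_random)


def legacy_scenario() -> list:
    """Legacy reader: no terminal random, so tokens are not bound to the reader."""
    phone, issuer = Phone(), Issuer()
    NO_RANDOM = b""
    # A rogue Android device taps the phone three times and stores the tokens.
    stolen = [phone.tap(NO_RANDOM) for _ in range(3)]
    results = []
    # Days later the tokens are presented out of order at real terminals.
    for tx in (stolen[2], stolen[0], stolen[1]):
        results.append(terminal_checkout(issuer, tx, NO_RANDOM))
    # Presenting a token a second time fails: the ATC is single-use.
    results.append(terminal_checkout(issuer, stolen[0], NO_RANDOM))
    return results  # [True, True, True, False]


def hardened_scenario() -> list:
    """Reader supplies a fresh random value, binding the token to that tap."""
    phone, issuer = Phone(), Issuer()
    rogue_random = b"\x11\x22\x33\x44"       # whatever the rogue device sent
    real_random = b"\xaa\xbb\xcc\xdd"        # fresh value from the real terminal
    stolen = phone.tap(rogue_random)
    replay = terminal_checkout(issuer, stolen, real_random)            # rejected
    legit = terminal_checkout(issuer, phone.tap(real_random), real_random)  # accepted
    return [replay, legit]  # [False, True]
```

The single-use check alone does not help the iPhone owner: each captured token is still good for exactly one purchase, just not one they made. Only a reader-contributed value that the issuer verifies independently of the token ties the cryptogram to the tap where it was generated.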
“Although it’s a reader problem, there is a fix on the token issuer side to prevent this relay. With a fix contained to the mobile device side, readers do not have to be replaced,” Doug Yeager, a tokenization expert and CEO of HCE pioneer SimplyTapp, told NFC World. “Basically, it’s the Visa reader software. That’s where the hole is. But there are mobile device side fixes to get around it.”
“But unless or until a change is made it’s possible to relay all four brands through the Visa hole,” continues Yeager.
Visa is not able to comment at this time, the payments network has told NFC World.