The low-tech exploit makes for amusing reading — and also throws up some important issues for mobile payments. The hack relies on the fact that consumers will often leave their phones on the table when, for instance, visiting the restroom. When they do that, the hacker needs just 90 seconds to capture their Starbucks Card barcode by simply taking a screen shot using a function built into the handset. They can then forward the image to their own handset and use this perfect reproduction of the victim’s card to make payments using their own phone. More worryingly, they can also email the image to as many other people as they like, who can then also charge their purchases to the victim’s prepaid account.
While NFC is not vulnerable to card cloning in the same way, the exploit does provide a timely reminder for those looking to bring NFC services to market. Anyone leaving their NFC phone on the table in a coffee shop — or at their desk, in the sixth form social room or any number of other places — could also have it picked up and used to make fraudulent purchases, at least for low value purchases that don’t require the entry of a PIN. Unlike the Starbucks hack, however, the fraudster wouldn’t be able to transfer the card to another phone in the same simple way.
The hacker, the VP of sales and marketing at a Florida-based POS solutions company, told Mobile Commerce Daily:
Consumers think that if their cards are in their wallet they are safe.
If I physically steal your credit card from your wallet, you know it; you know you have been compromised.
Now if you do what I have described, then you have a false sense of security. Your phone is in your pocket but the damage is done.
What is worse is that in the wrong hands your card image could spread worldwide in seconds versus the traditional trafficking of stolen credit card numbers.
Companies need to get smarter about their security, plain and simple. They need to think like thieves to thwart them.
Cops do it every day. Credit card companies are more reactive than proactive and they need to get smart about it.
Readers can find full details of how the hack is done on Mobile Commerce Daily’s website.