McAfee warns on Olympic NFC fraud risks

Near-field communication payment trial at Olympics could attract fraudsters

Security software vendor McAfee is warning that the near-field communication (NFC) payment testing at the London Olympic Games at the end of the month could be an open door for fraudsters.

During the Olympics, every competing athlete will receive a special Olympic NFC-enabled Samsung Galaxy SIII phone to pay for items for the duration of the event. However, McAfee is warning that the technology is still immature and could be an attack vector for fraudsters.

NFC payment technology enables people to pay for low-value items by radio communication when an NFC-enabled device with an ‘electronic wallet' application is brought within a few centimetres of a payment terminal.

"When we last looked at NFC phones and similar apps, there were questions of whether an attacker could go after the apps or the phone hardware and the Android operating system," wrote Jimmy Shah, a mobile security researcher at McAfee, in a blog post.

"Since then we have seen a PIN-reset vulnerability that allowed an attacker to use the free prepaid card and the ability to crack PINs on the phone. Google updated the Wallet app to fix those vulnerabilities and make attacks much harder," he added.

"Now attackers would need to go after the hardware itself, though this does not necessarily involve going after the Secure Element portion. One can get excellent results by targeting the operating system and its NFC-handling libraries."

Indeed, further vulnerabilities have already been uncovered by security researchers. These include "fuzzing the hardware", which involves feeding corrupt or damaged data to an app to discover its vulnerabilities.

Independent security researchers Charlie Miller and Collin Mulliner, in a paper for Black Hat USA 2009, have already demonstrated how "fuzzing" of text messages can help reveal vulnerabilities in both Android and Apple iOS operating systems.

"Mulliner has also looked at fuzzing NFC tags, going as far as developing a Python library and framework for testing older devices. Recently, he updated his software to measure Android devices, allowing him to inject crafted NFC tags to a phone and then monitor the results. He can programmatically feed crafted or damaged NFC tags to Android's library and then capture any crashes or code-execution opportunities."

Security guru Bruce Schneier has also warned that the smartphone will increasingly be an attack vector for fraudsters, especially as a result of the integration of payment facilities into the phone.

"I believe that smartphones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people's lives - smartphone banking, electronic wallets - they're simply going to become the most valuable device for criminals to go after," wrote Schneier in a blog post late last year.