USEUROPEAFRICAASIA 中文双语Français
China
Home / China / Society

CUHK researchers discover major loophole in mobile payment systems

Xinhua | Updated: 2017-09-28 17:10
HONG KONG - A major loophole in mobile payment systems was discovered by researchers from the Chinese University of Hong Kong (CUHK), which made the finding public on Thursday.

The discovery was made by the System Security Lab led by Professor Kehuan Zhang from the Department of Computer Science and Engineering at CUHK, which has analyzed various major mobile payment systems for their security vulnerabilities.

In mobile payment transactions, the key to communications between the mobile payer and payee is a payment token that is issued by the payment service provider to verify the payment.

Some of the most widely adopted forms of transmitting these tokens include Near-Field Communication (NFC), Quick Response Code (QR code) scans and Magnetic Secure Transmission (MST).

According to Zhang, whose team has spent two years in conducting an in-depth study into these payment systems, apart from NFC, the remaining formats support one-way communications only.

In other words, if the transaction fails, the payee's device is unable to notify the payer and cancel or reclaim the token already issued, a loophole that an active adversary can exploit.

In regard to QR Code scanning, a popular format of token verification, the study has revealed that a malicious device is able to sniff the token from the payee's screen from afar and spend it on a different transaction.

As for MST function uniquely used by Samsung Pay, payers are required to place their handsets within a 7.5 cm distance of the payees' POS (Point of sale) for identification.

But after a series of tests, the team discovered that the magnetic signals can be picked up from 2 meters away. A rogue in a supermarket queue can seize the opportunity to attack and steal the token.

The team has notified relevant third party payment platforms and Zhang reminded mobile payment users to stay alert and avoid downloading mobile apps from unknown sources.

Editor's picks
Copyright 1995 - 2024 . All rights reserved. The content (including but not limited to text, photo, multimedia information, etc) published in this site belongs to China Daily Information Co (CDIC). Without written authorization from CDIC, such content shall not be republished or used in any form. Note: Browsers with 1024*768 or higher resolution are suggested for this site.
License for publishing multimedia online 0108263

Registration Number: 130349
FOLLOW US