How safe is the data in your smartphone apps? Not as safe as you think. Using a smartphone as a payment system has its risks.
Security researchers demonstrated that a wrong OAuth 2.0 implementation allows a simple remote hack that exposes more than 1 billion Android app accounts.
A simple remote hack devised by a group of security researchers threatens a remarkable number of Android and iOS apps. An attacker can use the technique to sign into any victim's mobile app account without the legitimate user's knowledge.
The research team from the Chinese University of Hong Kong is composed of Ronghai Yang, Wing Cheong Lau, and Tianyu Liu. The experts discovered that the vast majority of popular mobile apps that use a single sign-on (SSO) service don't properly implement the OAuth 2.0 protocol.
The OAuth 2.0 protocol is widely used on social networking sites; every day billions of users access their profiles on Facebook and Google+ using it.
Using OAuth 2.0, users can sign in to third-party services by verifying an existing identity through their accounts on popular web services such as Google, Facebook, or Sina.
Once authenticated, users don't have to provide their credentials again to access other services that implement the OAuth 2.0 protocol.
With RFID contactless payment bank cards and travel cards such as Oyster cards, accidental contactless payments can easily happen just by having your purse or wallet within range of a card terminal or access gate; this is also known as "card clash". These convenient payment cards do not require the user to enter a PIN or otherwise authorise the transaction, so users cannot stop this from happening unless they have already bought RFID protection or shielding.
What you should do when an accidental contactless payment happens
Make a note of the date, time and location where the accidental contactless payment took place, and keep any used tickets and receipts in case the service refuses to refund.
Find your nearest member of staff or information point and ask how to dispute the contactless transaction error. Not all members of staff will know what to do; if this happens, ask for the complaints or general enquiries telephone number and contact them.
If you are using a London travel service such as the bus, Tube, tram, DLR, London Overground, TfL Rail, Emirates Air Line, River Bus or National Rail and have an online account, log in and check whether you have been incorrectly charged. Note the transaction and register the dispute with Transport for London online, or alternatively contact them by telephone on 0343 222 1234 (call charges apply).
If you are using an Oyster card on pay-as-you-go, it is harder to prove you owned the card when the transaction happened, so it is important to dispute the payment with a member of staff as soon as it happens.
If you are unable to resolve the issue with the retailer or travel service, contact your bank with full details of the contactless payment and why you dispute it; the bank can look into accidental payments with the retailer or service on your behalf.
How to prevent accidental contactless payments using RFID bank cards
Most RFID contactless payment terminals work at short range, so keep your purse or wallet at least 20cm (8 inches) away from the terminal. Hacked or altered terminals and specialist readers can read from 1.5m or further.
Banks can issue Visa or Mastercard cards without the contactless RFID chip; contact your bank and ask for one if you really do have concerns, but you will lose the convenience that contactless payment brings.
Purchase a good quality RFID-protected wallet or purse.
It must shield the 13.56 MHz RF frequency, which all contactless payment cards use as an international standard; security cards or keyless passes typically use 125 kHz. These are usually premium products and cost a bit more than a normal leather wallet or purse.
It is possible to render your bank card unable to make contactless payments by drilling through the chip inside the card. This is not recommended, as you could damage the card so that it is completely unusable; if that happens you will have to order another card from your bank, which could take time.
A Faraday cage can block accidental contactless payments from RFID payment cards. Conductive materials such as aluminium foil, conductive paint, wire mesh, or any of a number of other materials can block radio frequencies; different materials are better or worse at blocking different frequencies, and the Faraday cage has to completely enclose the cards. With no leaks or gaps, no radio waves can get in or out, which blocks the RFID signal. This method takes the convenience out of contactless payment: it works, but it's not so easy to use.
How to get your money back
If you believe you have been a victim of card fraud, always contact your bank immediately and quote the Payment Services Regulations. These say that you must be refunded immediately if you are a victim of fraud.
If the bank can show that you were careless with your card and PIN or password, you will be liable for a maximum of £50, although many banks and building societies will waive this.