Mobile payment card cloning possibilities

Nowadays we are observing very dynamic adoption of mobile contactless payments. These are systems provided by OS manufacturers (Android Pay, Apple Pay, Samsung Pay) as well as apps delivered by banks or 3rdparty payment operators. According to Javelin Strategy & Research study, mobile proximity payments volume is growing exponentially and will reach $92 billion by 2019. Such a move from plastic payment card to its mobile equivalent will probably soon gather an attention of fraudsters. Moreover, we are observing a growing trend in rooting malware on an Android platform. According to Checkpoint research, only one rooting malware campaign last year was able to infect 10 million devices globally.

Nowadays we are observing very dynamic adoption of mobile contactless payments. These are systems provided by OS manufacturers (Android Pay, Apple Pay, Samsung Pay) as well as apps delivered by banks or 3rdparty payment operators. According to Javelin Strategy & Research study, mobile proximity payments volume is growing exponentially and will reach $92 billion by 2019. Such a move from plastic payment card to its mobile equivalent will probably soon gather an attention of fraudsters. Moreover, we are observing a growing trend in rooting malware on an Android platform. According to Checkpoint research, only one rooting malware campaign last year was able to infect 10 million devices globally.

We strongly believe in proactive security. That’s why we decided to research possibilities of cloning mobile payment card data by modern malware and warn early adopters of HCE technology about potential risk and countermeasures. HCE is fully software implementation so it should be quite obvious that having root access to victim’s phone it would be possible to copy payment card data to another device, and use it to make a payment. Both Mastercard and Visa are aware of this risk and they are advising use of additional, external security measures to prevent similar attacks. Unfortunately, we have noticed that most of developers weren’t aware of this risk. Based on several assessments and lab experiments done by our team, we were able to demonstrate mobile payment card cloning in practice. We have cloned card data to other smartphone and used it to make payments.

Published PoC video shows such an attack scenario for Android Pay application, but we have proven that it is also possible for other payment applications delivered by various banks and payment institutions. General HCE cloning techniques are always similar, but there are significant differences between the attacked applications due to different countermeasures and obstacles for each of the researched applications, such as: device fingerprinting and integrity protections. Due to these differences, the cloning process is not universal and it is difficult to perform mass scale attack working out of the box for all implementations. But still, mobile malware could leverage cloning possibility and adapt to given payment application. Exactly in the same way as we are observing in case of internet banking malware.

Commonly used security measures as tokenization or limited use keys are not a sufficient in case of this attack scenario, because a cloned device fully impersonates the original one and will be able to obtain new keys. As a result — the attacker will be able to use cloned card data for multiple transactions below contactless “floor limit” of a single transaction.

It should be emphasized that our PoC was aimed only at verifying the possibility of cloning card data and making single, low amount transaction. We have not tested effectiveness of potential fraud detection mechanisms in case of higher volume of transactions.

Payment providers and banks deploying HCE technology in their mobile payment solutions should be aware of this risk, test their systems against card cloning attack scenario and take additional countermeasures, such as device scoring, malware detection, integrity protections and server side fraud detection.

Technical details was discussed at Hack in The Box conference in Amsterdam but without detailed instructions how to reproduce the attack. Meanwhile, we are publishing FAQ to minimize potential misunderstanding.

We will share general procedure steps to enable financial institutions testing their systems, but only If you can prove your identity and non-malicious intent. Please contact us for further details.

Wojciech Dworakowski
Wojciech Dworakowski Managing Partner at SecuRing