Reflection of a QR code on PoS scanner used to own mobile payments

Chinese researcher also cracked magnetic and sonic payments

Paying for stuff with your smartphone is downright dangerous, according to Zhe Zhou, a pre-tenure associate professor at Fudan University, who yesterday explained at Black Hat Asia in Singapore how three different payment methods can be cracked.

In a talk titled “All your payment tokens are mine: Vulnerabilities of mobile payment systems”, Zhe said mobile payments have two weaknesses: tokens aren’t encrypted, and tokens aren’t tied to a single transaction, so they can be re-used and/or hijacked.

Zhe explained that mobile payments see smartphones generate a one-time token that’s passed to a point of sale terminal. Once the token’s exchanged and verified by a payments server somewhere, it won’t be accepted again. The trick to using harvested tokens is therefore to stop them ever making it to the point of sale terminal, then to use that token for another transaction of higher value before it expires.

Zhe said it’s possible to do so for smartphones that can emulate magnetic stripe cards. Smartphones can pull off that trick thanks to a technology called “Magnetic Secure Transmission” (MST) that sees them emit electromagnetic energy from the coil used for wireless charging. Phones so equipped send point of sale devices the same data they expect to detect when a card is swiped. Zhe said MST is expected to have a range of seven centimetres, but commercial off-the-shelf kit costing US$25 was able to detect the waves from a distance of two metres. In doing so, the researchers also stopped the signal reaching point of sale terminals and harvested an unused token.

Payments using sound, a technique used by Google India’s “Tez” system, can be hijacked in similar ways. Zhe said sound payments are often used in vending machines and it is not hard to record the codes, either from near the machine or with unexpected modifications. If the vending machine uses a wireless connection to verify the token, a jammer stops it from doing so. Again, the attacker ends up with a valid token.

Zhe’s most devious attack targeted the QR codes used as tokens for some payments. His tactic for such tokens was to surreptitiously turn on a smartphone’s front-facing camera to photograph the reflection of a QR code in a point of sale scanner’s protective cover. This attack also detects the configuration of the QR code and subtly changes its appearance to make it unreadable to the scanner, while the malware running the attack on the smartphone retains a perfect and usable copy. The technique can also be used to craft malicious QR codes that, when used for smartphone-to-smartphone payments, see the victim’s device directed to download and run malware.

The researcher said he revealed his exploits to the largest mobile payment provider in China, and that it quickly revoked versions of its apps and promised to ensure its wares seek out and destroy any process using phones’ front-facing cameras.

Zhe concluded by recommending that all token exchanges for mobile payments must be encrypted and add a challenge-response mechanism. He also said mobile payment tokens should always be tied to a single transaction so that tokens can’t be re-used. ®
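To make the two recommendations concrete, here is an added illustration (written for this article, not code from Zhe’s talk or from any payment provider) of the difference between a token that only proves a fresh account credential and one bound by challenge-response to a single transaction. The `UnboundTokenServer`, `PaymentServer` and `compute_response` names, the shared `ACCOUNT_KEY`, and the merchant identifiers and amounts are all constructed for the demo; a real scheme would also authenticate the server and encrypt the exchange, which this sketch leaves out.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed demo key shared between the phone and the payment server (not a real key).
ACCOUNT_KEY = b"demo-account-key-not-for-production"


class UnboundTokenServer:
    """Weak design from the talk: a one-time token that identifies the account
    but says nothing about which merchant or amount it was emitted for."""

    def __init__(self):
        self.valid_tokens = set()
        self.used_tokens = set()

    def issue_token(self):
        token = secrets.token_hex(16)
        self.valid_tokens.add(token)
        return token

    def verify(self, token, merchant_id, amount_cents):
        # Freshness is the only check: any merchant, any amount is accepted
        # as long as the token has not been seen before.
        if token in self.used_tokens or token not in self.valid_tokens:
            return False
        self.used_tokens.add(token)
        return True


@dataclass
class Challenge:
    merchant_id: str
    amount_cents: int
    nonce: str  # issued by the server for exactly one transaction


def compute_response(account_key, challenge):
    """Phone side of the challenge-response: MAC over merchant, amount and
    nonce, so the resulting token is usable only for this transaction."""
    msg = f"{challenge.merchant_id}|{challenge.amount_cents}|{challenge.nonce}".encode()
    return hmac.new(account_key, msg, hashlib.sha256).hexdigest()


class PaymentServer:
    """Hardened design: the server issues the challenge and verifies that the
    response matches the merchant, amount and nonce it was issued for."""

    def __init__(self, account_key):
        self.account_key = account_key
        self.open_challenges = {}
        self.spent_nonces = set()

    def issue_challenge(self, merchant_id, amount_cents):
        challenge = Challenge(merchant_id, amount_cents, secrets.token_hex(16))
        self.open_challenges[challenge.nonce] = challenge
        return challenge

    def verify(self, merchant_id, amount_cents, nonce, response):
        # Replay: every nonce settles at most one transaction.
        if nonce in self.spent_nonces or nonce not in self.open_challenges:
            return False
        challenge = self.open_challenges[nonce]
        # Redirection: a response computed for one merchant/amount is useless for another.
        if challenge.merchant_id != merchant_id or challenge.amount_cents != amount_cents:
            return False
        expected = compute_response(self.account_key, challenge)
        if not hmac.compare_digest(expected, response):
            return False
        self.spent_nonces.add(nonce)
        del self.open_challenges[nonce]
        return True


def demo():
    """Compare both designs when a token is emitted by the phone but never
    reaches the intended terminal. Returns the verification outcomes."""
    results = {}

    weak = UnboundTokenServer()
    harvested = weak.issue_token()  # emitted for a small purchase, never delivered
    results["unbound_harvested_higher_amount"] = weak.verify(harvested, "other-shop", 50_000)

    server = PaymentServer(ACCOUNT_KEY)
    challenge = server.issue_challenge("coffee-shop", 450)
    response = compute_response(ACCOUNT_KEY, challenge)
    results["bound_harvested_higher_amount"] = server.verify("other-shop", 50_000, challenge.nonce, response)
    results["bound_honest"] = server.verify("coffee-shop", 450, challenge.nonce, response)
    results["bound_replay"] = server.verify("coffee-shop", 450, challenge.nonce, response)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

In the weak design the undelivered token settles a much larger purchase elsewhere, which is exactly the outcome the talk describes. In the bound design the same harvested response is rejected for a different merchant or amount, accepted once for the transaction it was computed for, and rejected on replay.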
