"Charlie Miller, best known for his work in exposing security weaknesses on Apple smartphones and desktops"
Keeps him busy!
The Near Field Communications (NFC) Forum has defended its short-range radio standard, and blamed flaws in apps that use the tech for the security vulnerabilities revealed at the Black Hat conference last week. Charlie Miller, best known for his work in exposing security weaknesses on Apple smartphones and desktops, …
The NFC Forum should have made sure that all NFC devices have a physical pushbutton which disconnects the NFC circuitry except when you hold the button in. And not just phones -- cards, in particular, need this.
This doesn't stop any of the pay-by-bonk or other useful applications but it makes sure that the device user is deliberately initiating the action.
Yes, I agree with Graham too. I have been advocating just such a thing for quite a while now myself. Button to activate NFC - most of the objections go away immediately.
Of course it is still not possible AFAICT to use a phone to pay for something in the UK as there are no such wallet apps supporting NFC in the Google Play store. I got the Galaxy Nexus back in November on the basis that it would enable such functionality, but it still does not exist.
I am not so stupid that I would use a wallet app from an untrusted source that I have never heard of before.
> The Nokia smartphone is configured to automatically pair with Bluetooth devices when its
> NFC tag-tapping functionality is switched on. In cases where Bluetooth is disabled, the
> phone will actually turn Bluetooth on and pair with devices without asking for permission,
If I had an N9 it would go back to the dealer RIGHT NOW for that.
First, +1 to Graham.
Second, what the NFC says is technically true but unhelpful. OK, NFC supports all these cryptographic features. Great, so when your E-Wallet (not *MY* E-Wallet, I won't get one!) gets drained, you can cryptographically prove it was specifically some unknown phone that did it, not *a third* unknown phone in a man-in-the-middle attack. Problem solved! Prediction -- the NFC will come up with more and more elaborate cryptographic procedures, ignoring the glaring fact that having the phone interact with anything and everything it's within RF range of, with no user interaction, is inherently insecure.
I have these amazing small metal disks and pieces of paper which many retail outlets accept for payment which are quite secure, you actually have to take them off me physically and if I only give you one you don't get all the others by magic.
For large transactions I can use a plastic thing with an inherently insecure system where I type a four digit "PIN" into some unverified third party device which skims a copy of the card and PIN for some slimy crims to use so that I can have my card cancelled and fill out lots of paperwork about the crime that the Police won't let me report.
For trains I have an Oyster "robbed as you go" which I wave at ticket machines and lose a sum of money between roughly the ticket cost and a lot more dependent on how badly the reader is malfunctioning that day (strange that it never errors in my favor though, eh Boris?)
Why the feck would I want more ways for vermin to steal from me? (just for clarity I mean the regular thieves, not the banks) I don't want to be able to spray money at people with a vague gesture, I do not exist purely to be a consumer. I do not run out of work looking for the first thing to waste my money on, the extra hassle of having to, god forbid, get my wallet out of my pocket does not cause tachycardia as I panic under the weight of an un-wasted £2 at WHShite.
Simple solution to contactless security problems, turn all that crap off, we don't want it, we don't need it. I don't give a toss if VISA or Nokia or Microsoft "own" the NFC payments because I have no use for them. NFC is for the benefit of corporations, not customers and based on the current inability of the financial industry to even spell security the promises of security might as well claim that thieves currently have mobile credit card factories from which they can deploy clones of my card in 45 minutes. Perhaps they could hire Tony Blair to be the spokesperson for NFC then we could all understand?