With all the excitement about contactless payments, and talk about wallets replacing cash and credit cards, it was only a matter of time before criminals figured out a way to take their thieving ways to the next level and join the contactless payment revolution.
Introducing “paycardreader” – the Android app that steals credit card numbers and expiration dates from credit cards with just the wave of a phone.
New Uses for NFC Technology
That phone would simply have to be equipped with near field communication (NFC) capability. Cryptography expert and Auckland University researcher Peter Gutmann showed how using this device, coupled with the “paycardreader” app, could easily skim numbers from credit cards.
The app was developed by a German developer, Thomas Skora, who is a senior consultant for security consulting firm Integralis, and who said he developed the app “only for technical demonstration.” He launched it at the company’s Security World 2012 conference, which ran from June 19-20 in Stuttgart, Germany.
Even if the app was developed strictly for demonstration and not by a criminal, thieves won’t miss an opportunity for a new method of stealing, and someone developing the technology to do so is certainly not a good sign. Judging by the comments on a news article about the “paycardreader” app, people are wary of contactless payment systems to begin with, and stories like this one only fuel their mistrust – the problem is, their mistrust is easily misplaced.
Consider this comment by freelance writer Renee Gerber: “People think this Google Wallet crap is such a “brilliant” idea. I wouldn’t for one second even consider having my credit or debit card info included on my phone,” writes Gerber. “What’s so difficult about removing a card from your wallet to swipe it through a card reader, anyway? It’s sad that there are people who are THAT lazy.”
In fact, there is no vulnerability for users of Google Wallet, MasterCard PayPass, or any other contactless payment system. The vulnerability is for people who carry their actual credit cards, which can be scanned using this app and have their data stolen.
So actually, using Google Wallet, Isis, or another such virtual payment system would protect users from having their information swiped by an app like “paycardreader,” or another one like it.
Wary of New Ways
Still, incidents like this underscore the fear that some people can feel about using new technology – particularly older people, who may cling to their cash and credit cards and be reluctant to pay for anything with a tap or a wave.
The truth is that credit cards are safer than ever, increasingly using more-secureEMV chips instead of magnetic strips – and even if your account is compromised, every major credit card on the market has a zero liability policy for fraudulent transactions. If someone steals your credit card information and goes on a shopping spree, you won’t be responsible for the charges.
A Moot Point
For now, this incident merely raises theoretical questions and concerns – the “paycardreader” app was available for download on the Google Play Store until Thursday afternoon, when it was pulled.It is no longer available – for now.