Mobile payment security gaps exposed at Hong Kong university
As services like Alipay and Apple Pay become increasingly important to customers and retailers, researchers show how thieves can still exploit them
Just how safe is it to pay bills by waving your phone at the cashier or scanning a QR code?
Not completely, according to cybersecurity experts at a Hong Kong university, who have exposed loopholes in various mobile payment systems, which are becoming increasingly important to retail in China and around the world.
The potential vulnerabilities have been reported to the systems’ operators, who have acted on the reports, but researchers reminded users to stay alert for suspicious apps and links.
China is the world’s leading market in mobile payments, with US$5.5 trillion worth of transactions logged last year. By comparison, Hong Kong is catching up slowly, with services like Apple Pay receiving a lukewarm response since launching in the city a couple of years ago.
A two-year study by researchers at the System Security Lab at Chinese University’s department of information engineering looked at four forms of data exchange which have been widely adopted in mobile payments.
Those forms were near-field communication (NFC), QR code scans, magnetic secure transmission (MST) – used on Samsung handsets – and audio signals.
Each of these methods authenticates the buyer by passing a “token”, containing his or her information, a time stamp and a passcode, from the phone to the sales terminal.
But hackers can, the study found, obtain that token by tampering with the transmission process using signal jammers, or even gain access to the phone’s camera to record an image of a QR code.
They can then use stolen tokens to buy other things using the victim’s money.
Lead researcher Professor Zhang Kehuan said two of the more popular mobile payment services in Hong Kong – Apple Pay and Android Pay – were safe from that sort of theft as both use NFC, which provides two-way communication between phones and sales systems. The other three forms were vulnerable.
“If a payment is declined for whatever reason, then the user would find out immediately and retract the sale. The token is then revoked,” Zhang said.
But users of other forms of payment would not be notified if a payment failed, meaning the stolen tokens remain valid.
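To make the token lifecycle the researchers describe concrete, here is an added Python model that is not part of the article or of any of the payment operators' code. It assumes a token carrying the account, a time stamp, a single-use nonce and a MAC standing in for the article's "passcode"; a server that accepts each token once, only while fresh and unrevoked; and a constructed 60-second lifetime and shared key. The two-way scenario shows the decline reaching the phone so the token can be revoked before any replay; the one-way scenario shows that when the phone hears nothing, only the expiry bounds how long a captured token stays usable.

```python
"""Toy model of the payment-token lifecycle (added example, all values constructed)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

SHARED_KEY = b"constructed-demo-key-not-a-real-wallet-key"  # constructed
TOKEN_TTL_SECONDS = 60  # assumption: a token is good for one minute


@dataclass(frozen=True)
class Token:
    account: str
    issued_at: int   # time stamp carried in the token
    nonce: str       # makes each token single-use
    passcode: str    # MAC over the other fields, standing in for the article's "passcode"


def _mac(account: str, issued_at: int, nonce: str) -> str:
    msg = f"{account}|{issued_at}|{nonce}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(account: str, now: int) -> Token:
    """Phone side: mint a fresh token for one purchase."""
    nonce = secrets.token_hex(8)
    return Token(account, now, nonce, _mac(account, now, nonce))


class PaymentServer:
    """Server side: accepts each token at most once, only while fresh and unrevoked."""

    def __init__(self) -> None:
        self.used: set[str] = set()
        self.revoked: set[str] = set()

    def settle(self, token: Token, now: int) -> str:
        expected = _mac(token.account, token.issued_at, token.nonce)
        if not hmac.compare_digest(token.passcode, expected):
            return "rejected: bad passcode"
        if now - token.issued_at > TOKEN_TTL_SECONDS:
            return "rejected: expired"
        if token.nonce in self.revoked:
            return "rejected: revoked"
        if token.nonce in self.used:
            return "rejected: already spent"
        self.used.add(token.nonce)
        return "accepted"

    def revoke(self, token: Token) -> None:
        """Called when the phone learns the sale was declined."""
        self.revoked.add(token.nonce)


def two_way_scenario(server: PaymentServer, now: int) -> tuple[str, str]:
    """NFC-style channel: the terminal reports the outcome back to the phone,
    so a declined sale is revoked at once and a later presentation fails."""
    token = issue_token("alice", now)
    terminal_result = "declined"          # constructed: the sale fails for some reason
    if terminal_result == "declined":     # the phone hears about it and retracts
        server.revoke(token)
    replay = server.settle(token, now + 5)  # same token presented again later
    return terminal_result, replay


def one_way_scenario(server: PaymentServer, now: int, delay: int) -> str:
    """One-way channel: the transmission is disrupted, the phone learns nothing
    and revokes nothing, so only the expiry limits how long the token is live."""
    token = issue_token("alice", now)
    # the terminal never received it and no decline came back to the phone
    return server.settle(token, now + delay)


if __name__ == "__main__":
    print("two-way:", two_way_scenario(PaymentServer(), 1000))
    print("one-way, 5 s later:", one_way_scenario(PaymentServer(), 1000, 5))
    print("one-way, 120 s later:", one_way_scenario(PaymentServer(), 1000, 120))
```

The defensive levers visible here are the ones the article's contrast implies: a server that enforces freshness and single use narrows the exposure of any captured token, and a return channel that carries the decline lets the client revoke immediately instead of waiting for the time stamp to age out.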
The vulnerabilities have been reported to Alipay, one of the mainland’s biggest providers of cashless payment systems, as well as to Samsung.
Alipay is owned by Ant Financial, an affiliate of Alibaba, the parent company of the Post.
Both firms have acknowledged the loopholes and said they had taken action to close them.
Zhang said there was no such thing as “absolute security” when dealing with technology, saying users who opt for convenience have to accept a trade-off.
“As researchers we only identify loopholes and plug them, but we can never guarantee [that more won’t] show up in the future,” he said.
He also gave a few tips for smartphone users, such as never “jailbreaking” or “rooting” the devices and avoiding apps from suspicious sources.
For years, smartphone owners wanting to install apps not sanctioned by the manufacturers, or perform actions the phone was not originally designed for, would jailbreak the devices, but doing so risks opening gaps in security.
Ant Financial, which runs Alipay under the bigger Alibaba Group, insisted the loophole cited in the study was “nearly unfeasible” to exploit in practice, as that would require “extremely advanced” hacking capabilities.
A spokesman said the company had a real-time fraud prevention system monitoring the more than 100 million payments Alipay settles daily, adding that it has a loss ratio of 0.0001 per cent, below the 0.2 per cent for leading international operators.