this post was submitted on 14 Sep 2023
24 points (100.0% liked)

Technology

37727 readers
626 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

There is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Google has calculated a high severity for this vulnerability.

top 3 comments
sorted by: hot top controversial new old
[–] _s10e@feddit.de 3 points 1 year ago (1 children)

Someone should clarify if this

  • leaks only the cc number (as shown here)
  • or otherises a payment

Contactless payments use the EMV protocol. Leaking the cc number is bad, but happens all the time. An actual payment athorisation replaces both PIN and signature. The victim's bank will argue that the victim authorised the transaction at the POS.

[–] The_Hunted_One@beehaw.org 1 points 1 year ago (1 children)

From what I've seen here the vulnerability exposes card number and expiration details. I don't know enough about NFC payment authorization to confidently confirm, but I'm not sure what other information would constitute an authorization

[–] d3Xt3r@beehaw.org 1 points 1 year ago

From @SuperIce@lemmy.world:

If the PoS supports tokens, it'll use unique tokens for each payment. If the PoS doesn't support tokens, the phone has a virtual credit card number linked to the real one, so if it does get stolen, you can just remove the card from your Google Wallet to deactivate it. Your real card number is never exposed.

Even then, credit card numbers on their own aren't that useful anymore. Any online payment needs the CVC and PoS devices usually require chip or tap cards, which don't use the number. On top of that, credit card companies have purchase price restrictions when using swipe because of the security risks vs chip (which is why most PoS devices don't support swipe anymore).