- cross-posted to:
- android@lemdro.id
- cross-posted to:
- android@lemdro.id
detailed on GitHub, a security issue that’s been given the marker CVE-2023-35671 affects Android devices and allows access to full credit card details through NFC devices like the popular Flipper Zero tool.
Gotta worry about card skimmers for nfc
Daily reminder to leave NFC off and only turn it on when needed since Google Pay and other apps seem to have no concept of only being used when the app is explicitly open.
I’ve had it twice now where I was standing a little too close to the tap-to-pay terminal on the bus since it was nearly full, and it counted that I “tapped” in again. This is while I was still a full nearly 5 inches away, browsing a completely different app.
Not to mention, how is this not a setting in google pay or the quick menu??? Google removed NFC toggle from the quick menu so you need to turn it off, otherwise it feels like someone could just “tap” to steal money from your unlocked phone from 6+ inches away. Baffling to me.
“Loophole” huh? Sounds like a security issue.
deleted by creator
This fucking pisses me off. No wonder my credit card details were stolen last month. I only ever use NFC.
That’s their one shot. No more mobile payments for me. Deactivated now.
Did you read the article? Unless someone had physical access to your (unlocked) phone and was able to pin an app, then tap it against specialized hardware (unlikely you could get a normal card terminal to run this exploit), it’s extremely unlikely that this is how your details got stolen.
Skimmers aren’t a thing? Especially with near field? You’re wrong. I ONLY use my phone and NFC to pay for things and that’s how the data was stolen as verified from my credit card company and Google. But hey you know best right?
It was specifically stolen from Google Pay and contactless payments.
Skimmers are not a thing for Google Wallet / Apple Pay, no. Both these services use tokenization for transactions, meaning that even with your phone unlocked, no-one could grab anything via NFC that would allow triggering a transaction later, let alone clone your card. Even in this specific scenario described in the article (which requires your phone to be in the hands of the exploiter), the CVV of the card wasn’t exposed, so no-one can actually trigger a payment with this info except if they also have your physical card to read the CVV.
Google Wallet / Apple Pay are a million times safer than using your physical card, because the most common skimming attacks either just grab the magnet strip info if available or literally just read the info off the card optically including CVV, which allows for online transactions. None of these things are a concern with Google Wallet / Apple Pay.
But hey you know best right?
I worked as a TPM in financial services for almost 5 years, so yeah I think I’d know.
It was specifically stolen from Google Pay and contactless payments.
It wasn’t.