CUHK researchers discover major loophole in mobile payment systems

The discovery was made by the System Security Lab led by Professor Kehuan Zhang from the Department of Computer Science and Engineering at CUHK, which has analyzed various major mobile payment systems for their security vulnerabilities.

In mobile payment transactions, the key to communications between the mobile payer and payee is a payment token that is issued by the payment service provider to verify the payment.

Some of the most widely adopted forms of transmitting these tokens include Near-Field Communication (NFC), Quick Response Code (QR code) scans and Magnetic Secure Transmission (MST).

According to Zhang, whose team has spent two years in conducting an in-depth study into these payment systems, apart from NFC, the remaining formats support one-way communications only.

In other words, if the transaction fails, the payee's device is unable to notify the payer and cancel or reclaim the token already issued, a loophole that an active adversary can exploit.

In regard to QR Code scanning, a popular format of token verification, the study has revealed that a malicious device is able to sniff the token from the payee's screen from afar and spend it on a different transaction.

As for MST function uniquely used by Samsung Pay, payers are required to place their handsets within a 7.5 cm distance of the payees' POS (Point of sale) for identification.

But after a series of tests, the team discovered that the magnetic signals can be picked up from 2 meters away. A rogue in a supermarket queue can seize the opportunity to attack and steal the token.

The team has notified relevant third party payment platforms and Zhang reminded mobile payment users to stay alert and avoid downloading mobile apps from unknown sources.