21 November 2017
28 September 2017
Major Security Loophole in Mobile Payment Systems Discovered by CUHK Faculty of Engineering

The System Security Lab, led by Prof. Kehuan ZHANG from the Department of Information Engineering at The Chinese University of Hong Kong (CUHK), has analyzed various major mobile payment systems for their security vulnerabilities, and discovered a major loophole. The finding has caused a large third party payment platform in mainland China to promptly implement new security measures to prevent fraud. The result of the study has also been released at USENIX Security ’17, a prestigious annual academic conference on internet security, held last month in Vancouver. 

The rapid advancement of financial technology has brought forth the idea of a ‘cashless society’. While a multitude of mobile payment systems are being deployed around the world, concerns over security issues are also on the rise. In a mobile payment transaction, the key element exchanged between the mobile payer and the payee is a payment token, issued by the payment service provider so that the payment can be verified. Currently, the four most widely adopted ways of transmitting these tokens are: Near-Field Communication (NFC), Quick Response Code (QR code) scans, Magnetic Secure Transmission (MST), and audio signals. According to Prof. ZHANG, whose team has spent two years conducting an in-depth study of these payment systems, apart from NFC, the remaining three formats support one-way communication only. In other words, if the transaction fails, the payee’s device is unable to notify the payer and cancel or reclaim the token already issued – a loophole an active adversary can exploit.

Of the three vulnerable token-transmission formats, QR Code scanning is the most popular. The study has revealed that a malicious device is able to sniff the token from the payer’s screen from a distance and spend it in a different transaction. Because of the one-way nature of this form of communication, the payer is unaware that the intended transaction has failed and, subsequently, suffers financial loss. Upon the discovery, the research team notified the relevant third party payment platform, which took prompt action to shut down its QR Code online transaction function while keeping the QR Code offline payment function active. With offline payment, payers do not have to display their tokens as frequently, reducing the opportunity for fraud. This discovery has thereby protected a large number of mobile payment system users and helped guard their e-wallets.

Regarding the MST function used only by Samsung Pay, payers are required to hold their handsets within 7.5 cm of the payee’s point-of-sale (POS) terminal for identification. But after a series of tests, the team discovered that the magnetic signals can be picked up from 2 meters away, so an adversary standing in a supermarket queue has the opportunity to capture the token. Audio signal tokens, most commonly deployed in automated vending machines, suffer from a similar loophole: as the payer’s handset sends the token to the vending machine via an audio signal, an adversary can easily sniff the token and inflict losses on the payer.
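The synchronized token lifting and spending scenario described above, modelled from the payment provider’s side as an added illustration (this is not the research team’s code, and the provider, token format and merchant names are constructed assumptions): a one-time token carries an HMAC tag and an issue time, and the provider’s settlement step is where a lifted token spent by a second payee can be refused and flagged, since the one-way channel gives the payer no notification.

```python
import hashlib, hmac, secrets

# Hypothetical payment-service-provider model (constructed for illustration).
# A token is issued to the payer, shown over a one-way channel (QR/MST/audio),
# and settled when a payee submits it. Settlement is the only point where the
# provider can notice that a lifted token was already spent elsewhere.
class PaymentProvider:
    def __init__(self, key: bytes, ttl_seconds: int = 60):
        self.key = key
        self.ttl = ttl_seconds
        self.redeemed = {}   # token -> payee that settled it first
        self.alerts = []     # (token, first_payee, later_payee) collisions

    def _tag(self, payer: str, issued_at: int, nonce: str) -> str:
        msg = f"{payer}|{issued_at}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def issue_token(self, payer: str, now: int) -> str:
        nonce = secrets.token_hex(8)
        return f"{payer}|{now}|{nonce}|{self._tag(payer, now, nonce)}"

    def redeem(self, token: str, payee: str, now: int) -> str:
        try:
            payer, issued_at, nonce, tag = token.split("|")
            issued_at = int(issued_at)
        except ValueError:
            return "rejected: malformed"
        if not hmac.compare_digest(tag, self._tag(payer, issued_at, nonce)):
            return "rejected: bad tag"
        if now - issued_at > self.ttl:
            return "rejected: expired"   # a short TTL shrinks the window a lifted token is usable
        if token in self.redeemed:
            # Same one-time token presented by a second payee: the collision the
            # paper calls synchronized token lifting and spending.
            self.alerts.append((token, self.redeemed[token], payee))
            return "rejected: already spent"
        self.redeemed[token] = payee
        return f"settled: {payer} paid {payee}"

def simulate_lift_and_spend() -> dict:
    """Constructed scenario: a lifted token is spent before the genuine payee submits it."""
    provider = PaymentProvider(key=b"demo-key-not-for-production")
    token = provider.issue_token("alice", now=1000)
    rogue = provider.redeem(token, "rogue-merchant", now=1002)  # lifted token, settled first
    cashier = provider.redeem(token, "supermarket", now=1003)   # genuine payee is now refused
    late = provider.redeem(provider.issue_token("bob", now=1000), "kiosk", now=1100)  # past TTL
    return {"rogue": rogue, "cashier": cashier, "late": late, "alerts": provider.alerts}
```

The alert list is what a provider would feed into fraud handling: the payer learns nothing through the one-way channel, so the second presentation of the same token is the provider’s earliest signal that the first settlement was fraudulent.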

Though the team has already notified the relevant third party payment platforms, Prof. ZHANG is keen to remind mobile payment users to stay alert and avoid downloading mobile apps from unknown sources. Once a malicious application is downloaded, it can gain control of the front camera, capture the reflections of QR Codes from scanners during transactions, send them to colluders, and silently incur losses on the payers’ part. 

Prof. ZHANG and his team presented the findings in a paper titled “Picking Up My Tab: Understanding and Mitigating Synchronized Token Lifting and Spending in Mobile Payment” at USENIX Security ’17, a prestigious academic conference on internet security. An annual gathering of top-notch experts, academics, researchers, law enforcers and policy makers from around the world, the conference is where the latest research on internet security is released, and is widely respected by academia and industry.

In the past three years, the System Security Lab at CUHK has released six highly regarded papers at various top internet security conferences. It is leading Hong Kong and the world in system security research.

Demos: https://sites.google.com/site/stlsinmobilepayment/home

Prof. Kehuan ZHANG, Department of Information Engineering, CUHK