Def Con hackers reach for digital wallets

Smartphones at the heart of modern lifestyles are becoming top targets for cyber attacks, according to security specialists and hackers who flocked to Las Vegas this week for back-to-back Def Con and Black Hat conferences.

"We are entering a post-PC (personal computer) exploitation world," said researcher Stephen Ridley of Xipiter, where his team uncovered that the same types of attacks that plague desktop computers can be turned on mobile gadgets.

"I think phones are going to be the only thing people are interested in popping in the next five years or so," he concluded, saying hacker attention is shifting to the always-on, personal data rich devices in people's pockets.

Along with contact information for friends and logs of activities such as Internet surfing, smartphones typically have location-sensing capabilities that track where they have been.

Using smartphones as "wallets" will be common within a decade, largely replacing cash and credit cards, according to a Pew Research survey released in April.

Sixty-five percent of "technology stakeholders and critics" who responded to an opt-in poll by Pew Research and Elon University Imagining the Internet Center agreed that handheld gadgets would be a mainstream way to pay by the year 2020.

"What is in your wallet now? Identification, payment, and personal items," Google chief economist Hal Varian was quoted as saying in a survey response. "All this will easily fit in your mobile device and will inevitably do so."

Google last year launched a "Wallet" service that lets sophisticated Android-powered mobile phones be used to "tap and pay" for purchases at shops.

Blackwing Intelligence security researcher Eddie Lee showed Def Con attendees how to how to use an Android-powered smartphone to pick up the data from a credit card and then used the swiped information for digital wallet purchases.

"You can start spending on someone's credit card; basically you can use it the way you use Google Wallet," Lee said while demonstrating his technique for a packed room of hackers.

"We've know for a long time you can skim RFID credit cards," he said. "This lets you abuse that information and spend on those cards. Maybe this will give the credit card companies an incentive to fix the things in my wallet."

He theorized the tactic could work on other cards, such as those for metro system fares or building access.

Accuvant computer security firm consultant and former National Security Agency analyst Charlie Miller showed Def Con attendees a way to slip into smartphones by getting a sensor close enough to read signals from NFC chips.

In some cases, it is even possible to take over control of a phone via NFC -- stealing photos and contact lists, and sending text messages or make phone calls, according to Miller's presentation.

"You're supposed to be paying for stuff and scanning movie posters with your smartphone, but be aware that this is another way that bad guys can attack your phone," Miller told AFP.

He showed that if he could briefly get an antennae device easily concealed in a sticker near enough to a phone at an opportune moment, it can open a virtual door that a hacker could slip in through.

He contended it would be simple to discreetly affix an innocuous-looking sticker near a digital wallet touchpad at a store checkout counter and then linger nearby and hack phones of buyers.

"It will pair with my machine and I can control the phone," Miller said.

"A bad guy can use that moment of talking to your phone to steal data," he continued. "NFC is cool, convenient and fun; I'm just trying to say let's pay attention to the security implications."

NFC or RFID technology used to share data with nearby sensors is used in smartphones, credit cards, and even passports.