The Olympics has long been a showcase for sponsor Visa Inc., but the card brand has much more at stake than usual at the 2012 London Olympics because of the mobile-payment initiative it plans to undertake during the event later this month.
The card brand intends to test contactless payment-enabled Samsung mobile phones issued to athletes and Olympic VIPs for tap-and-go purchases of less than £20 (US$31) to help determine the direction of its mobile-payment strategy.
But fears are mounting among security researchers who suspect fraudsters could rain on Visa’s parade.
Short events such as the Summer Olympics, which this year begins July 27, draw huge crowds and represent a major security task for the host city. And crooks looking to steal payment card data may find a setting such as the Olympics easy pickings.
Visa’s testing of its payWave contactless-payment service through the Samsung Galaxy SIII phones does not represent an entirely new service, but it does open the door for fraudsters to also test their ability to target vulnerable applications or hardware used in Near Field Communication-enabled phones, noted a July 5 blog post by computer-security provider McAfee Inc.
In fact, the Visa test at the Olympics will cause “mobile attackers to go for the gold,” McAfee suggested.
Research at Santa Clara, Calif.-based McAfee has uncovered a PIN-reset vulnerability in the Android operating system, allowing attackers to crack PINs on the phone and access the free prepaid card that is part of the Google Wallet. Google Inc. has since updated its Wallet application to fix those weaknesses, the blog notes. But attackers have since shifted their attention to targeting a system’s NFC-handling libraries.
In a practice called “fuzzing the hardware,” attackers feed corrupt or damaged data to an application to probe its weak spots. Security researchers Collin Mulliner and Charlie Miller used fuzzing techniques three years ago to expose vulnerabilities on Android and Apple Inc. iOS phones.
Mulliner, a well-known researcher in Berlin, also “fuzzed” NFC tags to illustrate how a hacker could feed a malformed NFC tag to an Android library and gain code execution on the device, the blog stated.
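The fuzzing described above is, from the defender's side, the same technique used to test whether a tag parser survives malformed input. The following is an added example, not code from the article or from the McAfee or Mulliner research: a minimal NDEF record parser in a "naive" mode that trusts the tag's length fields and a hardened mode that validates them, plus a seeded mutation fuzzer that reports how many mutated tags each mode mishandles. The sample record and the tag-mutation strategy are constructed for this example.

```python
import random
# Constructed sample (not from the article): one NDEF short record, flags MB|ME|SR,
# TNF=1 (well-known), type "U" (URI), payload = 0x01 prefix code + "example.com".
SAMPLE_RECORD = bytes([0xD1, 0x01, 0x0C, 0x55, 0x01]) + b"example.com"
def parse_ndef_record(data, hardened=True):
    """Parse one NDEF record; hardened mode checks every length field, naive mode trusts the tag."""
    def need(n):
        if hardened and len(data) < n:
            raise ValueError("truncated record: need %d bytes, have %d" % (n, len(data)))
    need(2)
    flags, type_len = data[0], data[1]
    short = bool(flags & 0x10)                      # SR: one-byte payload length
    pos = 3 if short else 6
    need(pos)
    payload_len = data[2] if short else int.from_bytes(data[2:6], "big")
    id_len = 0
    if flags & 0x08:                                # IL: ID length field present
        need(pos + 1)
        id_len, pos = data[pos], pos + 1
    end = pos + type_len + id_len + payload_len
    need(end)                                       # the check a naive reader skips
    return {"tnf": flags & 0x07, "type": data[pos:pos + type_len],
            "id": data[pos + type_len:pos + type_len + id_len],
            "payload": data[end - payload_len:end], "declared": payload_len}

def fuzz(seed, rounds=500, hardened=True):
    """Mutate the sample record (bit flips, overwrites, truncation) and count
    inputs the parser mishandles: a crash, or a silently wrong payload size."""
    rng = random.Random(seed)
    findings = {"crash": 0, "wrong_length": 0}
    for _ in range(rounds):
        buf = bytearray(SAMPLE_RECORD)
        for _ in range(rng.randint(1, 3)):
            op = rng.choice(("flip", "set", "truncate"))
            if op == "flip":
                buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
            elif op == "set":
                buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
            elif len(buf) > 1:
                del buf[rng.randrange(1, len(buf)):]  # keep at least one byte
        try:
            rec = parse_ndef_record(bytes(buf), hardened)
        except ValueError:
            continue                                # rejected cleanly: the outcome we want
        except Exception:
            findings["crash"] += 1                  # e.g. IndexError from an unchecked read
            continue
        if len(rec["payload"]) != rec["declared"]:
            findings["wrong_length"] += 1           # trusted a length the buffer can't satisfy
    return findings
```

Running `fuzz(1, hardened=False)` turns up both crashes and silently truncated payloads, while `fuzz(1, hardened=True)` reports none, which is the property a tag-handling library should be tested for before it is shipped on a payment phone.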
A tech-savvy attacker may purchase the same Samsung phone being used at the London Olympics test and apply the research to find weaknesses and eventually “develop exploits to steal a victim’s credit card” information, the blog post suggests.
The large number of payWave contactless readers at terminals expected at the Olympics provides plenty of locations for a successful attacker to use stolen credentials to make purchases, the post contends.
Issuing warnings based on research can alert consumers to keep a close eye on their accounts during the Olympics, but the actual threat may not be as scary as it sounds, some analysts suggest.
“Fuzzing requires feeding data to the phone, so the feeder has to have that phone or the phone number and the recipient has to execute the receipt of that data,” says Gareth Lodge, a London-based industry analyst with Celent.
The pool of potential targets involved in the testing at the Olympics is small, Lodge adds. “Every athlete and VIP will get a phone, so let’s say about 20,000 phones,” he says. “Then they have to receive the fuzzing data and actually have to use the phone as a payment device.”
The test phones may get limited use for payments because most athletes have their own chefs so they won’t be buying food, and many other things are paid for by sponsors, Lodge contends.
Though the Olympics offers a setting in which thousands of individuals, and thus thousands of phones, will gather in the same general vicinity, it doesn’t necessarily stack up to a big pay day for fraudsters, Lodge says.
“Any new payment system or method will always attract fraudsters, for a variety of reasons,” he adds. “First, there has been less ‘stress testing,’ and users are more vulnerable because they are less familiar with what to do, or not to do.”
But the numbers also have to stack up to make the effort worthwhile for criminals, Lodge says.
It’s not likely Visa would raise any red flags about the fraud potential, other than offer the established advice that consumers should keep track of accounts and alert the issuing bank if a card or a phone with card data is lost, says Zil Bareisis, also a London-based senior analyst for research firm Celent.
“Visa and its partners are keen on promoting the Olympics and showcasing the new technology,” Bareisis says. “While it’s in their interest to ensure security of everything they do, they probably wouldn’t want to draw everyone’s attention to potential dangers at the same time as distributing the new technologies.”
For their part, UK residents planning to attend the Olympics have already been alerted about the technical wizardry criminals have in place to steal payment card data.
Public television station Channel 4 reported in the UK last spring that it conducted an investigation showing that data on millions of Barclays Bank PLC Visa contactless cards was potentially vulnerable to nearby criminals with a specific type of mobile-reader application.