How NFC phones can steal your credit card info.

At least 100 hackers just watched this video and decided on their plans for this weekend.

Its called nfc for a reason. They make it look like a hacker can stand in a room and gather every ones info when in reality you have to put the back of a phone with in 1cm of the card.

This doesn't specifically target Android, but they used an Android phone as the centerpiece, so a few reasons why this is wrong (in Android):
1. Android does not accept or send NFC data while the screen is off. This is a system-wide privacy safeguard.
2. NFC works at a range of centimeters (1-4cm in Android's case). This is "direct contact" level, not merely being nearby.
3. 3rd party applications must be open and in the foreground to use NFC, so you'd notice this very quickly.

You know you can disable NFC when you are not using it, plus NFC can be battery hog so disable it when you're not using it.

NFC should become active when you want to use NFC, and operational only when the phone is inches from the device asking for money.

Disable it when not in use. That's it!!

it's not a virus if the app is fraudulent

And this is why cash is king.

I just tried this with my credit card and it reads a serial number, not the card number. Are you saying the hacker will then somehow manufacture a card of their own with a duplicate serial number, and try to guess my pin number? Good luck!!

When your phone rings NFC becomes active.

Can't agree more, at some point people need to take some kind of responsibility for their own security.

funny how no one else is thinking or even made the conclusion to start doing this at all, yet these guys are informing the whole world that this is incredibly easy and that anyone could do it... honestly just keep your ways of hacking to yourselves...

Well, someone doesn't understand the technical limitations of nfc. The nfc chip in phones only has a range of up to 2 centimeters. Unless you keep your phone and wallet in the same pocket you have nothing to worry about chicken little.

Where your incorrect is that an app that uses NFC and also uses smtp email is not considered a virus. You will find an app up there now call "The Electronic Pickpocket". While we disabled the ability to view the entire credit card number so as not to help theives, we were able to create an app publisher account and have it available for download within about 30 minutes. It is still there now.

This is complete BS. Your phone has to be milimeters away from your creditcard to 'steal' the information. They talk about it like you can take a stroll through the park and you'll have 200 new numbers, like somehow the smartphone would be able to reach cards meters away.

Someone strolling through the park would likely not use a smartphone. They would buy a reader such as a store uses and put it in a case like we did. You can increase the range as well with an amplifier. The phone problem is that it is your own phone with a bad app. Many people place their phones near their cards often.

Just scratch the RFID chip from your card and you are set.

Let's be honest - no one outside of hardcore users even use NFC for sharing contacts or with NFC tags. I'd be willing to bet most people that have a Galaxy Nexus don't even know what NFC is or what it does, or that it's even on their phones.
Whichever Best Buys you go to must show more love for the Nexus S than Chicago, because I never saw a single poster for it. Just a little phone sitting on the stand under the rarely there "unlocked phones" section.

The One X, Nexus S, and the last seven phones you can't buy in the U.S. The Galaxy Note that has NFC has locked NFC in the US, so does the One XL. The Galaxy SIII isn't released in the U.S. either.

Yes but if your own phone is infected and you are putting it in your pocket or purse with your wallet it is near enough. Also many womens pursed now have spots for your cell phone.

last time i checked most people have their phones in one pocket and their wallets in the other.

I can *maybe* believe the Galaxy Nexus has sold millions in the U.S., but the NFC feature is still locked down because Verizon hasn't released their own NFC payment system yet. The Nexus S, not so much. It wasn't even commercially available in AT&T or T-Mobile stores.. You could only buy it at Best Buy, unlocked.

I agree. It's not magic, it's technology.

In the sense that you can't use it with anything since there are no mobile payment options for the Verizon Galaxy Nexus, it is locked down. There's really no point to even having it on if you have a Verizon Galaxy Nexus.
The Nexus S was never "heavily pushed" at Best Buy, and even if it was it is such a niche device.

So if you get google wallet you don't even have to carry the credit cards.

This has nothing to do with Google Wallet. It is the phone's NFC ability that can be used to scan other cards.
Also we have tested here and with the skimmer we built we can skim the Google Wallet credit card number and expiration date from it.

Um why not turn off nfc when it's not in use. Sounds like an easy solution to me lol. I even turn off my 4g to save battery

If they steal your phone or your phone rings you will have to type in a pin to use it...

In some cases the NFC antenna is in the battery in other cases it's in the case.

Here the Nexus S was a Sprint phone at Best Buy. They did sell it unlocked as well but they preferred it as a Sprint phone.
I agree on most people having no idea on NFC and that is the point. Whether they know their phone contains it or not it can still be used by hackers to target their cards that the phone gets next to.

Good thing my screen is always off when my phone is in my pocket (nrc only active with screen on). Plus None of my credit cards have NFC chips. Only my phone lol.

i can't take any video like this seriously. they are trying to talk about up and coming technology like NFC while showing a clip of aol saying "You've Got Mail!". its like the video was made for the same kind of people that think technology is the devil's work or something and have just started using email. just another way to attempt to strike fear in people, something the media like to think it excels at.

See if you would have specified Nexus S 4G we wouldn't have had a miscommunication - The Nexus S 4G was pushed more than the Nexus S, but it was also pushed more on the nation's third largest carrier - still, the Nexus S 4G did sell more than the unlocked Nexus S, I'll give you that.
However, if people don't know what NFC is, why would they bother to turn it on?

You're right, the iPhone just uses a broken AES implementation instead. So much better.

sorry should have said 4/4G.
My two phones... the Nexus S and Galaxy Nexus were enabled when I got the phone. I didn't have to turn it on. The default was on.

I always thought wireless credit cards were stupid in the first place. I'll never get one, so I don't really need to worry about this.

Do you know what % of those 320 million phones have NFC is?
Not to mention that a phone without NFC can NOT do this..

Yes some of these are in Europe etc but they have contactless cards as well that are vulnerable. In the US the two biggest ones are the Nexus S and the Galaxy Nexus which alone have sold millions.

NFC on Galaxy Nexus is definitively not locked. I own one and our test with trojan software found it easily vulnurable. The Nexus S was heavily pushed at BestBuy starting Mother's Day 2011.

Many people carry their phone in their pocket with their wallet or credit cards. Also many womens wallets have a cell phone holder that places it near enough to their cards. Go to my waltaugust channel and watch the Trojan Horse Electronic Pickpocketing demo to see this actually happen.

1. If you have your phone in your pocket next to your cards or your purse etc and the screen is off, when you get a call the phone wakes up and scans. We tested this and it does scan the card on a phone call.
2. While the phone needs to be close many womens wallets hold their phone next to their cards and many people place their phones in their pockets with the cards.
3. This isn't true. If the bad app is set up to handle nfc events it will launch and run even if no apps were running.

But when your phone rings it activates and can scan. Also hackers could adapt their program to make the phone appear asleep.

this doesn't happen anymore. Google encrypted everything. and Wallet doesn't store any cards on your phone anymore.

Total overreaction. Yes this is possible, but you MUST be within reading range of an RFID tag which as many people pointed out is just a few millimeters (less than 1/4" for those of you unfamiliar with the metric system). And, if you stick to apps from well-reputed developers, you will avoid the whole virus thing. This type of video is just an attempt to scare people and sell card protectors.

The nfc attack would normally be carried out by your own phone with an infected app. So you have to notice anyone around you.
In some phones the antenna is attached to the battery cover not the battery.

I Have Lookout (Free Version) But Not For Malware, Just In Case I Lose My Phone. But Yes, An App Always Ask For Permission When Using A Feature.

0:45 lol is that guy from year 1450? wave it, magic wand? lol facepalm

I find it interesting that they consider it lazy to program malware...i cannot imagine it being the easiest/laziest thing to do...

Yes. Definitely.

The virus protection does not currently catch apps that use NFC. The virus protection will help for other viruses. For Google Wallet data make sure you set the timeout as short as possible. This is how long the card can be scanned after entering your pin number. You can set it from 1 to 30 minutes. Also please read the news stories about the ability to hack the pin number on Google Wallet as well.

Not if you live on another continent and want to steal from Americans or Europeans etc. They can sit at their desk in some third world country and watch the emails coming in with credit and debit card numbers from the U.S.

u sound just like the people who try to virus phones. The vid's point is very clear and more modern that you are - use technology with care. Moving forward without making sure the user is safe, is actually what you're doing. The video is telling us to ditch new cards, because, NEWSFLASH - new DOESNT MEAN better. And he's recommending to install an antivirus. How can that be unserious? You sound to me like a tech geek that wont listen to the flaws of his new tech, NFC. relly dude, stop that.

WOW....It's called NEAR Field Communications...I EMPHASIZE THE WORD "NEAR"...You literally have to be touching stuff together for the info to beam.

iphones dont have NFC lol

322 million cell phones in use in the USA??? The US population is only 314 million. LoL!!! Nice try, Apple!!!

moral... #stick to watching porn, chatting and listening to music on ur phone xD

instead of complaining about it why not do something about it invest in encryption companies and urge them to help fix the problem

What kind of phone is that? Are you sure it's not painted brick?

cool vid, and good solution, just dont have a wireless credit card

To use google wallet yes. But not if they are using you phone's NFC cabpability to scan externeal cards.
But also look up Google Wallet PIN hacked. If someone steals your phone they can root your phone and then use the crack program to get your PIN in 5 seconds.

If you put your phone in your purse or pocket with your wallet and it rings it wakes up and nfc can scan. Also with the right virus you could prevent the phone from actually going to sleep. Make it just look like it was asleep.

As long as nfc is off it won't work. At some point it may be possible for hackers to re-enable with your knowledge.

True but ask your friends. At a recent government security conference 75% of the room when asked say they never have reviewed the permissions before installing an app. To me and you we understand the importance but most people don't.

you are so wrong... my sister lent someone her cell phone for about 2 minutes and they scanned all the info from it and were charging things on her cards. it was a nightmare...

Nfc does work through cloth and virus protection apps are not nfc aware. See youtub waltaugust channel for the trojan demo which shows it working through cloth.

Not an apple fanboy, but an iPhone would never get hacked like this...

so the way around the credit card thing is not getting a wireless one but is he saying there is no way around them stealing Ur info for Google wallet? Or does the virus check stop all that

There are still several other NFC uses on the Galaxy Nexus such as smart posters and sending contacts to another NFC phone. The Nexus S was definitely heavily pushed at the Best Buy's I went to. They even had floor standing displays that were 6 feet tall for months pumping the Nexus S.

Not sure why I shouldn't approve. You are correct we are showing people a vulnerability that the hackers know is out there. But without the cardholder knowing this they can't protect themselves.

LMFAO, you act like Google invented NFC and has control over it somehow.

You cant do this with an iphone lol

does it work even if i make the nfc off on my phone?

I knew it would happen sooner or later.

Very helpful information.

Can a NFC enabled phone without Google Wallet steal the credit card info?

Great Video...Very informative. we all need to protect ourselves from creeps like that

how do u steal card info like that i dont get it n how do u no u got the info

Yeah, but with google wallet, i don't need to carry MY credit card... i don't know about the unlucky souls around me and my phone though! haha

never use paypas..

Yes but this is your own phone getting near your own cards.

And also I have never owned a mac or an iPhone ever. I like Android much better (sorry Apple). I have a Xoom, Galaxy Nexus, and Nexus S.... All Android....

Probably around 1-2% as of late 2011 and rising fast. Several million have already shipped. Here is a partial list. More at wikipedia under nfc handsets.
Android
HTC Amaze 4G
HTC Evo 4G LTE
HTC One X
HTC One XL
Nexus S
Google Nexus S 4G
Samsung Galaxy S III
Samsung Galaxy S II (not all versions)
Samsung Galaxy Note (not all versions)
Galaxy Nexus
Huawei Sonic T20
Huawei Sonic (U8650NFC-1)
Sony Xperia S
Sony Xperia P
Sony Xperia SOLA
Turkcell T20
Turkcell T11

fantastic video,thanks

the creator of this video knows a lot about hacking and stuff. so he is sharing the deed to the world. i mean, how to avoid being a victim :D ( I DARE YOU UPLOADER APPROVE THIS COMMENT. )

"magically opens for you" the homosapiain who came back in time said the same thing
why not use words such as "automatically"

Wow.. thats an issue... lol

I second that...

fud

the creator of this video knows a lot about hacking and stuff. so he is sharing the deed to the world. i mean, how to avoid being a victim :D

faillllllll