App retrieving contactless credit card details pulled from Google Play

The Near Field Communication (NFC) protocol – supported and present on the latest smartphones – can be misused to steal data, say Symantec researchers.

They tested a proof-of-concept app offered for a short period of time on Google Play by a German Security researcher and discovered that it (partially) does what it was created to do: read and record contactless credit card data sent to nearby point-of-sale terminals.

The protocol is already used for effecting transactions under €10 without having to enter the card into the terminal or input the PIN, as it allows users to share small payloads of data between an NFC tag and an Android-powered device.

This particular app was available for download for a limited period of time before being pulled, and has been downloaded 100-500 times during that time window.

According to the author, it does manage to retrieve data from MasterCard and another European type of credit card, but it fails at grabbing data from Maestro, Cirrus, Visa, Visa Electron and Visa V Pay card.

Among the collected data is the credit card number, “Valid from” date, expiration date, and bank account number, but not the security code number.

This app is still a work in progress, but this researcher is surely not the only one working on something like this.

“Although this application requires users to install and place a contactless payment card within 4 centimeters of the phone to expose their details, it does highlight a potential weakness in this emerging technology,” Symantec researchers point out.

“It’s not hard to imagine a malicious application running silently in the background of a mobile device mingling with your contactless credit card inside your wallet.”