this post was submitted on 14 Sep 2023
134 points (99.3% liked)

Android

27941 readers
109 users here now

DROID DOES

Welcome to the droidymcdroidface-iest, Lemmyest (Lemmiest), test, bestest, phoniest, pluckiest, snarkiest, and spiciest Android community on Lemmy (Do not respond)! Here you can participate in amazing discussions and events relating to all things Android.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules


1. All posts must be relevant to Android devices/operating system.


2. Posts cannot be illegal or NSFW material.


3. No spam, self promotion, or upvote farming. Sources engaging in these behavior will be added to the Blacklist.


4. Non-whitelisted bots will be banned.


5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.


6. Memes are not allowed to be posts, but are allowed in the comments.


7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.


8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.


Community Resources:


We are Android girls*,

In our Lemmy.world.

The back is plastic,

It's fantastic.

*Well, not just girls: people of all gender identities are welcomed here.


Our Partner Communities:

[email protected]


founded 1 year ago
MODERATORS
all 8 comments
sorted by: hot top controversial new old
[–] [email protected] 15 points 1 year ago

detailed on GitHub, a security issue that’s been given the marker CVE-2023-35671 affects Android devices and allows access to full credit card details through NFC devices like the popular Flipper Zero tool.

Gotta worry about card skimmers for nfc

[–] [email protected] 15 points 1 year ago

Daily reminder to leave NFC off and only turn it on when needed since Google Pay and other apps seem to have no concept of only being used when the app is explicitly open.

I've had it twice now where I was standing a little too close to the tap-to-pay terminal on the bus since it was nearly full, and it counted that I "tapped" in again. This is while I was still a full nearly 5 inches away, browsing a completely different app.

Not to mention, how is this not a setting in google pay or the quick menu??? Google removed NFC toggle from the quick menu so you need to turn it off, otherwise it feels like someone could just "tap" to steal money from your unlocked phone from 6+ inches away. Baffling to me.

[–] [email protected] 11 points 1 year ago

“Loophole” huh? Sounds like a security issue.

[–] [email protected] -4 points 1 year ago* (last edited 1 year ago) (1 children)

This fucking pisses me off. No wonder my credit card details were stolen last month. I only ever use NFC.

That's their one shot. No more mobile payments for me. Deactivated now.

[–] [email protected] 8 points 1 year ago (1 children)

Did you read the article? Unless someone had physical access to your (unlocked) phone and was able to pin an app, then tap it against specialized hardware (unlikely you could get a normal card terminal to run this exploit), it's extremely unlikely that this is how your details got stolen.

[–] [email protected] 0 points 1 year ago (1 children)

Skimmers aren't a thing? Especially with near field? You're wrong. I ONLY use my phone and NFC to pay for things and that's how the data was stolen as verified from my credit card company and Google. But hey you know best right?

It was specifically stolen from Google Pay and contactless payments.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Skimmers are not a thing for Google Wallet / Apple Pay, no. Both these services use tokenization for transactions, meaning that even with your phone unlocked, no-one could grab anything via NFC that would allow triggering a transaction later, let alone clone your card. Even in this specific scenario described in the article (which requires your phone to be in the hands of the exploiter), the CVV of the card wasn't exposed, so no-one can actually trigger a payment with this info except if they also have your physical card to read the CVV.

Google Wallet / Apple Pay are a million times safer than using your physical card, because the most common skimming attacks either just grab the magnet strip info if available or literally just read the info off the card optically including CVV, which allows for online transactions. None of these things are a concern with Google Wallet / Apple Pay.

But hey you know best right?

I worked as a TPM in financial services for almost 5 years, so yeah I think I'd know.

It was specifically stolen from Google Pay and contactless payments.

It wasn't.