How is the Department of Defense going to secure all of these mobile devices? Simple: with a well thought-out plan, complete with objectives and goals.

The Department is looking to roll out top-secret and unclassified mobile devices throughout this year and the next while establishing its own device management capability. The DOD is also looking into Public Key Infrastructure, a method of authentication, in conjunction with other digital signature services.

Robert Carey, DOD Chief Information Officer, shares on the matter, “It’s an exciting time for the mobile space, and I will tell you as we march into it and into choices and … into smart phone utilization in the DOD, it is not without the requisite security…Many an industry and federal agency are leaping into it a little faster than the security apparatus is willing to catch up with, but we are not. We are trying to leap in it with the security apparatus attached.”

We’ve discussed the importance of mobile security many times on the blog, but this news presents itself as a good opportunity for a refresher. Here are a few key points you should consider when laying out your mobile security plan:

1. Have a Plan for When Mobile Devices Get Lost or Stolen

In the event one of your company phones gets lost or stolen or finds some other route to the black market, it’s important to have a contingency plan in place. Make sure your employees use a password for their devices, and be sure that all phones are equipped with security software such as McAfee Mobile Security, which can easily locate, lock and remotely wipe the data on a potentially compromised phone. Larger organizations can check out McAfee Enterprise Mobility Management, which aids IT managers in simply adding/deleting users from corporate network resources while enforcing their security policy.

2. Educate Employees on Basic Security Practices

Don’t place passwords on post-it notes. Don’t talk about sensitive projects or programs in a cafe. Don’t assume that an unsecured Wi-Fi network is a safe place to log in. Always use a different password for different accounts. Give your team the tools they need to maintain unique and secure passwords.

3. Avoid Risky Apps

It may be disappointing to hear, but company property isn’t a suitable device for you to play TempleRun. Refrain from downloading unnecessary apps on your mobile device, especially if they’re free and can access your contacts. Android devices are particularly at risk, as recent studies and news reports show that many Android apps are listed as “suspicious” and malware is, unfortunately, common on the platform. Apple’s App Store has a more strict app vetting process, so it appears to be more secure, but it’s only a matter of time until some form of malware sneaks through.

As the workforce becomes increasingly digitized, secured mobile devices will become all the more important. Now is the time for your company to lay out its mobile security plan. Having the right software, practices, and education about mobile security are important first-steps, but it’s not all. Remember: there’s always room for improvement. If the DOD can lay out a strategy for over 600,000 mobile devices, so can you!

To learn more about this topic, be sure to follow us on Twitter at @McAfeeConsumer or Facebook at www.facebook.com/McAfee.

Amongst the worst type of malware, software that damages your computer or mobile, is a Trojan Horse program or trojan.  Trojans are the most prominent category of threats this year on the mobile threat landscape.  Backdoor Trojans are a particularly insidious type of Trojan, because much like their namesake, they disguise themself as useful software to the user and then leave a backdoor open in your system so attackers can get into your data at any time.

There’s a new Backdoor Trojan that targets the Android operating system which McAfee Mobile Security detects via the cloud as an “Artemis” Trojan and on a device as Android/Obad.A. Other vendors refer to this as Backdoor.AndroidOS.Obad.a. The malware commonly known as “Obad,” is one of the most dangerous for your phone yet.

Here’s what you need to know:

• It’s hidden.  Obad runs in the background of your phone so you may not know if you even have it.  It’s so well hidden that, once Device Administrator privileges have been granted, the malware does not appear in the device administrator list so it is not possible to delete it without root privileges
• It executes remote commands.  Devices infected with Obad can be controlled remotely by a Command and Control(C&C) server.  The attacker can send a variety of commands such as:
  • making your mobile send unauthorized text messages(e.g. to Premium Rate numbers)
  • download other malicious apps and installing them on the infected device
  • harvest sensitive information (e.g. list of installed apps, user’s contact list)
  • acquiring the account balance(via USSD command)
• It uses an old-fashioned method to spread itself.  Like one of the very first mobile malware SymbOS/Cabir, Obad scans for Bluetooth enabled devices. If it establishes a connection it will send itself and potentially files downloaded from remote servers.
• It’s not very widespread. The prevalence of this threat is very low and limited to a certain region. Nevertheless we are closely monitoring telemetry data for any change in the number of infected devices.

How Can You Protect Yourself From Obad or Other Trojans?

• Turn off discover/visible-to-all mode or protect your Bluetooth with a security mode when out in public
• Always use secure browsing when using public Wi-Fi
• Be careful of downloading apps from unverified sources
• Don’t open an email attachment if you don’t recognize the sender of the email
• Make sure your security software is always up to date
• Take advantage of McAfee Mobile Security – comprehensive protection against mobile device loss, viruses and web threats

For future updates, be sure to follow @McAfee and @McAfeeConsumer on Twitter.

According to McAfee’s 2013 study Digital Deception: Exploring the Online Disconnect between Parents and Kids, there is a significant disconnect between what preteens, teens and young adults are doing online and what their parents believe they do, with 46% of youth admitting that they would change their online behavior if they knew that their parents are paying attention. As Michelle Dennedy, Vice President and Chief Privacy Officer at McAfee, shares, “This study has made it exceedingly clear that parents need to get involved, to understand what their children are doing online, and to engage them in a myriad of ways that will keep them living safe online.”

Are you part of the 39% of parents who try to monitor your children’s online behavior with parental controls? If so, you may want to be on alert, because your tech savvy teen may be taking advantage of your limited tech acumen by bypassing your controls. Of the 41% of tweens that have passwords set for mobile apps by their parents, 92% know the passwords. This means that your tween could be partaking in questionable behavior on their mobile phones without you even knowing – this is further compounded by the fact that mobile activity can’t be as easily monitored as online behavior on a desktop computer.

Other key findings from the study include:

• A majority of youth use mobile devices to access social media. Of those surveyed, 76% of young people reported using a mobile device to access social media, and 56% use a password on their mobile device. Bad news for parents – 22% of youth admit to using a mobile device specifically to hide their online behavior from their parents.
• Teens spend more time online than their parents think. On average, 25% of youth spend 5-6 hours a day online, while a majority of parents believe they are only online 1-2 hours day.
• Teens find social sites to be safe, so they post personal information unbeknownst to their parents. 86% of youth believe social networking sites are safe, so they feel comfortable in posting personal information about themselves such as their email address (50%) and personal activities (31%).
• Teens use social media sites that their parents may not know exist. You may be familiar with Facebook and Twitter, but what about Instagram? Snapchat? Do your research! Snapchat is a a social network that has gained notoriety recently as some users have taken advantage of the app to screenshot and spread revealing photos of other users.
• Social media sites are hubs for mean behavior. Even bullying has gone digital – 27% of 10-23 year olds in the study said that they have witnessed cruel behavior on social networks. How confident are you that your child has not been a victim of or participant in online bullying?
• Teens are actively searching for inappropriate content. You may not think your children are using the Internet to search for sexual topics, but in fact, 57% of 13-23 year olds report using the Internet for this very purpose.

With all the risks that youth face today with the proliferation of social sites that facilitate the spread of highly personal information, what are parents to do? According to Dennedy, “There is no sense of permanence and global reach with online sharing and posting among these age groups, so the onus really is upon the parents to accelerate their digital savvy and be actively engaged on educating their kids about how to live safely online.”

Now’s the time for parents to have more straightforward conversations with teens about living safe online and how the consequences of their actions can extend much further than their original intentions. To learn more, click here.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter at @McAfeeConsumer.

It turns out he doesn’t need to go to a hotel to open his door with a phone. Kwikset will soon be selling Kevo, a new deadbolt that can be unlocked with a Bluetooth-enabled phone. You can replace your old door locks with one of these new models.

The Kwikset/Unikey Kevo deadbolt is controlled via a Bluetooth-enabled smartphone app.

The Kevo lock [see demo video] is based on technology from Unikey, a winning company on the ABC TV show Shark Tank. Unikey’s background is in developing biometrics-access controls. Those controls are the ones you see on TV or in movies when a character places a palm or finger on a pad to open a door. With these locks we can all have similar technology guarding our homes.

Security Concerns
Another thing that you would notice from those same shows and movies is that the bad guys are always trying to break these high-security locks and access controls. The difficulty facing the average computer crook when facing a government high-tech lock is that there are so few of these locks to test against. Contrast those to millions of Bluetooth locks that one can buy off the shelf. The bar is much lower with Bluetooth because if they damage one lock during testing, the criminals can easily buy another one and try again.

The biggest payoff for technical attackers against a lock like this is to duplicate your keys or introduce a new one of their own. With physical keys they would need to get possession of them to make copies; with digital keys they need to break encryption and/or bypass security on the device that holds the keys (smartphone or key fob).

The deadbolts come with a single key fob, similar to car keys with transponders in them, and more can be purchased. It’s not clear yet whether, as with transponder keys, one needs to go through a complex process to activate additional fobs. The security of the fobs makes the smartphone a relatively easier target to go after.

There is an iPhone app that lets you manage both your own door key plus those of other residents (e.g., friends, house sitters, etc.) and temporary keys. Android phones also support Bluetooth. So the choice to produce the iPhone app first may have to do with the relative ease of decompiling Android apps.

IPhones are not necessarily more secure, as a knowledgeable attacker can jailbreak a phone and gain access to a decrypted version of the Kevo key app. Using tools like disassemblers, they can then seek out the methods used to secure the keys within the app and potentially reverse-engineer the protection or discover a method of creating new keys. They may also be able to force the app to accept new keys, essentially adding a master key to every one of these Bluetooth-enabled locks. That is actually not as likely as the criminal’s finding a way to attack a single target’s locks.

Future of Physical Security?
Locks are not invincible, not even high-tech locks. The more such locks are installed, the greater the incentive for robbers to break in through technical means. Why steal one set of keys if they can attack a smartphone app and steal all the keys? Fortunately, as the crooks start to take notice of such devices, so will security researchers. Unlike the bad guys, security folks will test these locks and help them improve. I’m sure my smartphone-toting, key-forgetting friend will appreciate that.

Fake Vertu app in Japanese. (Click on images to enlarge.)

On installation, Android/Smsilence.C attempts to display a loading screen, while in the background registering the device phone number with an external server [XXX.XX.24.134] by sending an HTTP post. The malware then registers an Internet filter on the local device so that any incoming messages are handled first by the Trojan and then forwarded to the same server. The loading screen eventually stops with the message in Japanese or Korean reporting that the service was unavailable and to please try again.

McAfee’s research into the control management system used by this threat has shown that multiple domains (pointing to the same server) were used in addition to multiple guises to spread the threat. Around 20 fake branded apps–from coffee to fast-food chains, including an antivirus product from Korea that was uploaded and revoked from Google Play–were used. Despite a lack of sophistication compared with other mobile botnets, Android/Smsilence was still able to infect between 50,000 to 60,000 mobile users, according to our analysis.

Fake Vertu app in Korean.

The new variant now extends to Japanese victims. Most other threats targeting  Japan this year have been minor variations of one-click fraud (also called scareware), which has been around in one form or another since 2004. Devices infected with Android/Smsilence.C are capable of sending back a lot more information, in addition to downloading additional spyware to the infected device.

Because carriers in Japan use the CMAIL protocol for text messaging, attempting to control and maintain a mobile botnet from outside of Japan is not easy (due to the security features implemented by Japanese carriers). We wonder if there was a local accomplice facilitating the spread or control of infected devices. This would also explain the function of a secondary package that is downloaded to an infected device only on demand by the botnet controller, and contains additional spyware functionality not limited to text messaging.

The most bizarre aspect of this new strain remains to be explained, and highlights a limitation in the antimalware research field. Regardless whether we analyze an Android Trojan or a complex threat like Stuxnet, given enough time we can reverse-engineer any piece of code into its basic building blocks. Nonetheless, there are sometimes aspects to a case in which no matter how much time is spent investigating, we have no idea what the malware authors were thinking. In this case we discovered a file inside the malware that changes the package hash; that’s an evasive technique dubbed server-side polymorphism, and attempts to avoid detections by antimalware vendors. But it was not the technique that was confusing, even though this is the first time we have seen this technique used outside of an Eastern European threat family. The chosen file, the key component in the evasion technique, was a picture of London Mayor Boris Johnson.

The malware authors included an image of  London Mayor Boris Johnson.

McAfee has created a free app, now available on Google Play, to protect your device.

What you should do:

• Make sure you have the latest version of Android software loaded to
  your device
• Perform a quick check on your device, McAfee has introduced a free tool that helps you easily identify whether your device is vulnerable

 Follow these steps to find out if Android device is affected by the USSD vulnerability:

1. Go to: https://www.mcafeemobilesecurity.com/dialer-protection/
   from your mobile device
2. Click on the USSD vulnerability test link
3. If the device is vulnerable, download the latest software updates provided by your device manufacturer and check again
4. If you are still vulnerable, the website has the link for you to download and install the free McAfee Dialer Protection app to protect against this vulnerability

USSD Vulnerability FAQs:

Which devices are affected?
Any Android device running anything below Android 4.1.x (Jelly Bean) is potentially affected.

How does this vulnerability work?
Tapping on a link to a cleverly coded web page could order your phone to reset itself to factory settings and disintegrate all your private data along with it. Simply opening a malicious website, either directly or by a link, could instigate a dialer exploit that instantly orders your phone to take unwanted actions, potentially including a factory reset (wiping out all your personal settings, data and apps) or destruction of your SIM card.

How does McAfee Dialer Protection work?
The McAfee Dialer Protection app protects you so that when you tap on an exploiting link, McAfee will intercept and block the USSD command.

Do I need to be a McAfee Mobile Security customer to be able to take advantage of this free app?
No. McAfee wants to ensure all Android users are safe, therefore, this app is available for free to all Android device users via Google Play.

Will the McAfee Dialer Protection eventually be a part of McAfee Mobile Security?
Yes. We are planning to have it integrated as part of McAfee Mobile Security by January 2013, however, we wanted to make sure to have a solution available as soon as possible for all Android users.

What is the cost of this app and how can I get it?
McAfee Dialer Protection is available for free on Google Play.

What are USSD codes and how was this exploit discovered?
USSD stands for Unstructured Supplementary Service Data and is a session based GSM protocol unlike SMS or MMS. Typically, it is used to send messages between a mobile phone and an application server in the network.
There are multiple services based on USSD such as: mobile banking, social networking (Facebook, Twitter), over-the-air mobile software updates, and prepaid/recharge accounts.
The USSD exploit was announced by security researcher, Ravi Borgaonkar in September 2012. He successfully demonstrated how an Android device could be wiped out simply by opening a website containing malicious HTML code which initiated a factory reset. Although Borgaonkar disclosed the vulnerabilities to manufacturers and carriers in June 2012, many users to date still have not received a patch for the firmware. As a solution, many users have opted to install an app that will check for and block unauthorized USSD requests such as the McAfee Dialer Protection app.

After installation of McAfee Dialer Protection, I click on “Change Default Dialer” and nothing happens? 

In some of the phone models, new installed apps are not allowed to change app association settings. However, this can be curated through “Settings > App Associations”  where you can select “McAfee Dialer Protection” as the default dialer. Now if you open “McAfee Dialer Protection” app again, you would see the message “Dialer Protection Enabled” close to top of your screen.

McAfee Dialer Protection warns you before an attempt to wipe all your personal data and apps on your Android device.

There are really two parts to the remote wipe vulnerability: one is the existence of USSD codes that can erase all data on a phone; the other is the ability to enter those codes with a tel: URL, rather than typing them on the phone. This is not much more complicated than using the format command on Windows to erase the entire C: drive. We don’t normally call the existence of the format command a vulnerability. However, if a digital vandal comes along and remotely executes the same format command, it’s a different story.

Abusing the Protocol
Misuse of the tel: URL protocol isn’t new. An older variation of the attack–known as the DoCoMo 110 Dialer–appeared in the spring of 2000. When NTT DoCoMo customers visited an i-mode website, they were confronted with an image of a bomb and challenged to click it to prove their courage. Once they clicked, the phone immediately dialed the number 110. In Japan, the 110 number is the emergency number for the police. It was reported that due to this attack, real calls to the police were delayed by 3 seconds. Fortunately, most of these inadvertent callers immediately hung up. Eventually, a 20-year-old vocational school student was arrested in August of that year for setting up the malicious i-mode site.

Other Attacks
There are a few other attacks possible with the USSD/Android Dialer vulnerability, some destructive and some just costly. Depending on the phone model, attackers can use a code that redirects all phone calls to a toll number or to themselves. On the destructive side, the factory reset will give your phone that fresh out-of-the-box feeling minus all your contacts, email, text messages, and apps. An attacker can also lock your SIM card by entering a wrong password 10 times. Borgaonkar demoed an attack that combines the locking of your SIM card with the factory reset–giving the victim two headaches for the price of one.

Is Your Phone Vulnerable?
Determining if you’re vulnerable isn’t always easy. You would not want to enter a factory reset code yourself just to see if it worked. Losing all your personal information is a rather high cost. On the other hand, because the vulnerability is really enabled by the Android dialer, McAfee offers a test page where you can try out a nonmalicious code. If the page tells you your phone is vulnerable, download and install McAfee’s Dialer Protection app from Google Play.

Android Malware and Exploits

Google introduced an interesting security service, Bouncer, for its app market (Google Play). The company left out details on implementation or what exactly will prevent bad apps from entering the market. While this sounds like a good step to make it more difficult for attackers, this move also makes it much more difficult for security researchers to defend against those same bad guys. Security through obscurity doesn’t work and is only a delaying tactic.

Charlie Miller and Jon Oberheide presented their findings on Bouncer at SummerCon earlier this year. And they weren’t the only ones looking at Bouncer: Researchers Nicholas Percoco and Sean Schulte have also thrown their hats in the ring. They’ll present methods that their proof-of-concept (PoC) Android app used to bypass the security checks put in place with Bouncer.

The Android file format DEX hasn’t received as much attention as the portable executable (PE) format on Windows, though DEX serves a similar purpose. Malware researcher Tim Strazerre will fix that oversight when he presents his research on DEX and the tricks one can play with it to bypass the common tools that we use to analyze Android malware. While he presents PoC DEX files that crash or otherwise render our analysis tools useless, he will also provide a deep dive into the format and give out pointers and advice on robustly fixing flaws in those same tools. If your work involves dealing with Android malware, Strazerre’s talk is a can’t-miss event.

Mobile security researcher Bob Pan, owner of the dex2jar project, will present a PoC file infector for APK files. This will most likely involve injecting code into the classes.dex file in a legitimate APK and re-signing the APK with the attacker’s key. This is already possible manually and has been demonstrated in malware families such as Android/DrdDream. What we haven’t seen yet is an automated infection method or tool in the wild.

iOS Threats and Security

Apple’s iOS has been getting progressively more secure with each new update, closing holes and adding preventive measures. We’ll hear about improvements in platform security from the manger of Apple’s Platform Security Team.

Researcher Jonathan Zdziarski–a well-known name in jailbreaking, forensics, and security–will put on an iOS app hacking workshop. It looks like he’ll cover how attackers can obtain our private data and financial information from the embrace of our apps.

Stefan ‘ionic’ Esser, developer of address-space layout randomization for jailbroken iOS devices, will present on advanced heap exploitation on iOS. He’ll show a technique to control kernel memory and execute arbitrary code. Because this is in the kernel, memory and other security protections can be bypassed by skilled attackers. Will this result in easier jailbreaks or aid in the development of better iOS rootkits?

Mobile Hardware Exploitation

Other talks will involve OS specifics. Researchers Stephen Ridley and Stephen Lawler bring their experience on attacking ARM processor-based devices. They will cover the research process that enabled them to create their two-day ARM exploitation training. They will attack Linux-based devices and build a test lab of devices.

Sometimes attackers don’t want to restrict themselves to one OS. The Smartphone Pen Test Framework (SPF) makes Android and Apple iOS devices into targets of a penetration test. Previously when we wrote “pen test” and “smartphone” in the same sentence, it meant that someone was exploiting a PC from a phone. Now it’s the other way around.  The framework’s creator Georgia Weidman, an innovator in offensive security research on smartphones, will demonstrate the DARPA Cyber Fast Track-funded project throughout the week. The SPF tests for jailbroken or rooted phones and other security vulnerabilities.

The Smartphone Pen Test Framework can connect to an agent on the phone to execute further attacks.

Attacking the OS and application processor are the two most common attacks on smartphones. Researcher Ralf-Phillip Weinmann will remind us that the baseband processor, which controls the phone’s radio and access to the mobile phone network, is still susceptible to attack. His previous demonstrations involved using a fake base station, but the current attack appears to require only a standard network connection to succeed.

Researcher Ang Cui ,who convinced us that attackers really can harm our printers, is back with a framework to help protect us from bad firmware. His FRAK, Firmware Reverse Analysis Konsole, provides security researchers with a toolkit that eases the search for vulnerabilities.

Near-field communications (NFC) hardware and security has been getting coverage in the press lately. We’ve talked about how attackers can use fuzzing to find vulnerabilities; now Charlie Miller, a researcher who has successfully used fuzzing to find holes in Android and iOS, returns with new attacks on NFC-enabled hardware. At first glance the attacks don’t go after the payment portions of NFC capabilities, but Miller has apparently managed to take over every other aspect of the devices.

Researcher Collin Mulliner isn’t sitting on the sideline. Having previously worked on SMS fuzzing with Miller and NFC fuzzing independently, he continues with his research into mobile carrier networks. Normally it’s difficult to find out what lives on a mobile carrier’s network, yet Mulliner will provide details on exploring cellular networks the way we do most other Internet-connected networks.

Microcells (or femtocells) are tiny cell towers that use your home network to increase the range of your moble phone. Marketed as a way to increase reception within residences, they dial home to your mobile carrier for billing and establishing a connection. All good things, but perhaps they aren’t as secure as we think. Researcher Mathew Rowley will show how he reverse-engineered a modern microcell.

Network forensics are useful for discovering new attacks and communication from malware. Mobile network forensics hasn’t yet received as much attention. Researcher Eric Fulton will rectify that with his workshop showing what real mobile malware and botnets look like over the network.

Wealth of Mobile Talks

There are more mobile talks than anyone has time to attend at the three conferences. This may be the year that mobile security receives as much attention as that on other platforms.

A Samsung Galaxy SIII will be given to every athlete competing at the 2012 Summer Olympics in London.

When we last looked at NFC phones and similar apps, there were questions of whether an attacker could go after the apps or the phone hardware and the Android OS. Since then we have seen a PIN-reset vulnerability that allowed an attacker to use the free prepaid card and the ability to crack PINs on the phone. Google updated the Wallet app to fix those vulnerabilities and make attacks much harder. Now attackers would need to go after the hardware itself, though this does not necessarily involve going after the Secure Element portion. One can get excellent results by targeting the OS and its NFC-handling libraries.

Fuzzing the hardware, which involves feeding corrupt or damaged data to an app to discover vulnerabilities, is a good first step. Researchers Charlie Miller and Collin Mulliner fuzzed SMS messages to great effect to discover exploitable vulnerabilities on Android and iOS phones a few years back. Mulliner has also looked at fuzzing NFC tags, going as far as developing a Python library and framework for testing older devices. Recently he updated his software to measure Android devices, allowing him to inject crafted NFC tags to a phone and then monitor the results. He can programmatically feed crafted or damaged NFC tags to Android’s library and then capture any crashes or code-execution opportunities.

Collin Mulliner’s NFC library can be used in fuzzing Android phones. This is very useful for discovering new vulnerabilities.

The Samsung Galaxy SIII goes on sale in North America and wordlwide within the first two weeks of July. An attacker wishing to target the device can purchase one easily and use Mulliner’s research to help find vulnerabilities and eventually develop exploits to steal a victim’s credit card. The large number of readers at the Olympics will provide places where a successful attacker can use stolen credentials to make purchases. The Olympics will also provide a concentrated pool of targets (people and phones) to pilfer from–especially if everyone is busy watching who wins the medals and not worrying about where his or her phone is.

Square's credit card readers recently added encryption for credit card data.

Security researchers have already tested Square’s credit card readers, using exploits and keyloggers to intercept credit card numbers as they pass to their mobile phones. Square has now added encryption to new versions of its credit card reader. Does that mean that they’re completely secure? Not necessarily. Security researcher Adam Laurie is taking a closer look. Laurie has a large amount of experience in reverse-engineering embedded systems and RFID hardware. His research includes finding vulnerabilities in hotel room safes, RFID passports, and chip and PIN credit cards. As word of the new, more secure Square readers arrived, he posted an open request on Twitter. This can only be good for the security of the mobile payment system.

Researcher Adam Laurie requests one of the new encrypted Square readers from his Twitter followers.

NFC-enabled contactless (“tap and pay”) credit cards are also at risk from an attacker with a specially crafted app and NFC-enabled mobile phone. Researchers at viaForensics have demonstrated a PoC NFC reader Android app that can grab the information on your credit card just by placing the phone nearby. An attacker can walk through a crowd and collect numbers and expiration dates from numerous victims. The CVV2 and other card verification numbers aren’t included, so it is more difficult for a criminal to resell stolen credit card information. Generally the CVV2 number, printed on the back of credit cards, is used to verify that online transactions are being made by someone who has the actual card. Most online shopping sites won’t allow a purchase if the customer doesn’t have that number. However, this didn’t stop viaForensics’ partner, the UK’s Channel 4 News, from being able to use this minimal card information on a popular online shopping site.

These latest phone enhancements have inspired an increasing interest in mobile payment security from both the bad guys and security researchers.