Everyone in London is gearing up for the London 2012 Olympics which start later this month (July 27), with many having half a thought on the possible benefits that will accrue to the city from staging the event. While most observers will be arguing about the possible economic gains (or otherwise) from the Olympics, a small group of mobile industry specialists will be worrying about a different kind of legacy.

Visa will be testing its PayWave app at the Olympics on NFC-enabled Samsung Galaxy S III handsets and already concerns have been expressed that the high-profile trial will act as a draw for eager fraudsters. In fact, every athlete competing in the games will be issued with one of the Samsung handsets powered by the Visa app so that they can make payments at more than 3,000 point-of-sale terminals across the Olympic (and Paralympic) venues.

In a blog post, Jimmy Shah, a mobile security researcher with McAfee, writes about how attackers could target the handset’s OS and NFC-handling libraries by “fuzzing” the hardware, a process which involves sending corrupt or damaged data to the payment app to find its vulnerabilities.

However, in a follow-up email, Shah says fuzzing alone is not sufficient to penetrate a handset’s defences; it’s just the first step. An attacker would in addition use specially designed NFC tags to crash the app on a handset and so find its vulnerabilities. Having found the vulnerability, the fraudster then needs to develop the means to carry out an actual attack and steal a user’s credit card details. Shah acknowledges the entire process costs criminals both time and money but says they will be prepared to accept the expense to gain access to NFC smartphones and a network of contactless card readers.

The Samsung Galaxy S III is already available in the UK (minus the Visa app) for non-Olympians, which means attackers can acquire one to find vulnerabilities. And the NFC point-of-sale terminals set up for the Olympics will provide the outlet for the fraudsters to make transactions using any stolen credit card details.

Of course, this is not the first time that security concerns have been raised about NFC handsets (a Wall Street Journal story from the other day reported that it was one of the reasons Apple has not launched mobile payments to date).

Back in February, security firm Zvelo revealed how it cracked the four-digit PIN on the Google Wallet app, which runs on NFC handsets. The firm recommended that Google shift PIN verification from the handset to the handset’s secure element. In fairness, the company pointed out that Zvelo had rooted its own handset to disable security settings before breaking the passcode. Google said users would not normally be at risk (unless they started rooting their own handset).

Shortly afterwards, another revelation surfaced about how a lost or stolen handset running Google Wallet could have its passcode reset (if existing data is cleared from the app then it resets itself and asks for a new passcode).

Bear in mind security fears are often expressed ahead of major events where some piece of new technology is being exposed to scrutiny and public attention. That doesn’t mean such fears are not justified of course. Mind you, security firms have been known to cry wolf on the security risk to mobile phone users when little actual threat has ever materialised (I’m not saying that’s the case with you, Jimmy), so some sense of perspective should prevail here. The risk might well be less substantive than emotional. What I mean by that is a single, high-profile instance of a smartphone being hacked during the Olympics might have a greater effect on the public’s perception than the actual risk involved. Now there’s a legacy the mobile industry wants to avoid.

Richard Handford

The editorial views expressed in this article are solely those of the author(s) and will not necessarily reflect the views of the GSMA, its Members or Associate Members