M-Commerce Insecurity Is Outrunning Mobile Payments

Think mobile payments are safe today because they've barely gotten off the ground? We should be so lucky. Graduate students at Indiana University have developed an ingenious technique for stealing payment-card numbers as a user is speaking or punching them into an Android-based smartphone.

The approach, which the grad students call "Soundminer," uses speech recognition, signal processing and social engineering to sneak past all the current malware protections on smartphones. And they've managed to do all this before the mobile-payments business has really gotten started.

To be fair, the Indiana grad students also make suggestions for how smartphone makers can lock down their phones to avoid these types of problems. But it's frustrating to realize that while banks, card processors and smartphone vendors are deadlocked as they dither about who will get what piece of the action in mobile payments, others are taking smartphones seriously as tools for stealing payment-card information. At this rate, thieves will be highly experienced in stealing card numbers from smartphones long before the payments industry finally decides on divvying up the money and gets around to looking at security.

Actually, Soundminer is designed to do something much harder than hacking into the types of mobile-payments applications we've already seen. It keeps track of what phone numbers have been dialed, so it knows when the smartphone user has called a bank or credit-card company. Then it uses speech recognition to verify that the user has entered the interactive voice response (IVR) system.

When the IVR instructs the user to speak or punch in the payment-card number, only that portion of the call is recorded through the phone's microphone. (One might expect the microphone to be unable to pick up the touch-tones when a number is keyed in, but the students found that it can.)

Then the card number is converted to a short string of digits (using either speech recognition or signal processing). That string can be passed to a companion piece of malware one bit at a time, through techniques such as sending the operating system signals to turn the smartphone screen off and on rapidly: too quick for the screen to actually react, but just slow enough that the other malware can read the message and then send the card number out to the Internet.
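The screen-toggle covert channel described above depends on the phone tolerating a burst of display-state changes far faster than any human would produce. One defender-side check, added here as an example and not code from the Indiana researchers or from the article, is to scan a log of screen-state events for such bursts. The event format, the one-second window and the threshold of four toggles are assumptions; the sample event log is constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ScreenEvent:
    """One display-state event from an assumed device log."""
    ts_ms: int   # milliseconds since boot (assumed clock)
    state: str   # "on" or "off"


def toggles(events: List[ScreenEvent]) -> List[ScreenEvent]:
    """Collapse the raw stream to genuine state changes.

    Repeated reports of the same state (e.g. two "off" events in a row)
    are not toggles and must not inflate the count.
    """
    out: List[ScreenEvent] = []
    last = None
    for ev in sorted(events, key=lambda e: e.ts_ms):
        if ev.state != last:
            out.append(ev)
            last = ev.state
    return out


def find_toggle_bursts(events: List[ScreenEvent], window_ms: int = 1000,
                       max_toggles: int = 4) -> List[Tuple[int, int, int]]:
    """Flag spans where more than max_toggles state changes fall within
    any window_ms sliding window.

    Returns (start_ts, end_ts, toggle_count) per burst.  A human turning
    the screen on and off a few times a minute never trips this; a
    bit-per-toggle channel running at tens of toggles a second does.
    """
    times = [e.ts_ms for e in toggles(events)]
    bursts: List[Tuple[int, int, int]] = []
    j = 0                 # left edge of the sliding window
    start_idx = end_idx = None
    for i, t in enumerate(times):
        while times[j] < t - window_ms:
            j += 1
        if i - j + 1 > max_toggles:
            if start_idx is None:
                start_idx = j
            end_idx = i
        elif start_idx is not None:
            bursts.append((times[start_idx], times[end_idx], end_idx - start_idx + 1))
            start_idx = end_idx = None
    if start_idx is not None:
        bursts.append((times[start_idx], times[end_idx], end_idx - start_idx + 1))
    return bursts


# Constructed sample log: ordinary use, then a 16-toggle burst at 50 ms
# spacing (the kind of pattern a bit-per-toggle channel would leave),
# then ordinary use again.  The duplicate "off" at 31000 is deliberate.
NORMAL_EVENTS = [
    ScreenEvent(0, "on"), ScreenEvent(30000, "off"), ScreenEvent(31000, "off"),
    ScreenEvent(125000, "on"), ScreenEvent(190000, "off"),
]
BURST_EVENTS = [
    ScreenEvent(200000 + 50 * k, "on" if k % 2 == 0 else "off") for k in range(16)
]
TAIL_EVENTS = [ScreenEvent(260000, "on"), ScreenEvent(300000, "off")]
SAMPLE_EVENTS = NORMAL_EVENTS + BURST_EVENTS + TAIL_EVENTS


if __name__ == "__main__":
    for start, end, n in find_toggle_bursts(SAMPLE_EVENTS):
        print(f"suspicious burst: {n} screen toggles between {start} ms and {end} ms")
```

The threshold is deliberately coarse: the point is not to decode anything, only to notice that the display state is being driven at a rate no user produces, which is enough to raise an alert or to rate-limit the screen-state interface the way the article's mention of locking down the phone suggests.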

Yes, it sounds like a kludgy, Rube-Goldbergian way to steal payment-card information. But that's the level of ingenuity that's already being aimed at smartphone thievery. By the time contactless payments finally get a foothold, thieves will have years of experience on smartphones. And compared to Soundminer, simply infecting a phone with malware that eavesdrops on a single mobile-payments application to steal card numbers will be a piece of cake.