论文信息 - Security Analysis of Smartphone Point-of-Sale Systems

Security Analysis of Smartphone Point-of-Sale Systems

We experimentally investigate the security of several smartphone point-of-sale (POS) systems that consist of a software application combined with an audio-jack magnetic stripe reader (AMSR). The latter is a small hardware dongle that reads magnetic stripes on payment cards, (sometimes) encrypts the sensitive card data, and transmits the result to the application. Our main technical result is a complete break of a feature-rich AMSR with encryption support. We show how an arbitrary application running on the phone can permanently disable the AMSR, extract the cryptographic keys it uses to protect cardholder data, or gain the privileged access needed to upload new firmware to it.

Thomas Ristenpart | Benjamin Recht | WesLee Frisby | Benjamin Moench

[1] Steve Hanna,et al. A survey of mobile malware in the wild , 2011, SPSM '11.

[2] Hao Chen,et al. TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion , 2011, HotSec.

[3] Yajin Zhou,et al. Detecting repackaged smartphone applications in third-party android marketplaces , 2012, CODASPY '12.

[4] XiaoFeng Wang,et al. Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services , 2012, 2012 IEEE Symposium on Security and Privacy.

[5] Rui Wang,et al. How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores , 2011, 2011 IEEE Symposium on Security and Privacy.

[6] Byung-Gon Chun,et al. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[7] Gaurav Shah,et al. Keyboards and Covert Channels , 2006, USENIX Security Symposium.

[8] Nicolas Christin,et al. All Your Droid Are Belong to Us: A Survey of Current Android Attacks , 2011, WOOT.