Replay Attacks Can Be Used to Compromise Your Google Pay Account

NFC (near-field communication) payments from smart phones are becoming increasingly popular, and both Android and iPhone users have…

Cameron Coward
6 years agoSecurity

NFC (near-field communication) payments from smart phones are becoming increasingly popular, and both Android and iPhone users have well-supported options. The draw of an NFC payment is obvious: you don’t need to deal with wallets and credit cards, just tap the smart phone you already have with you and you can be on your way. But, like anything with money involved, bad people want to take advantage of that to steal from you, and Salvador Mendoza has exposed how that’s possible with Google Pay.

Google Pay has replaced Android Pay has the de facto NFC payment app on Android phones. There are other proprietary options available, such as Samsung Pay, but if you have an Android phone, you most likely want to use Google Pay. Unfortunately, as Mendoza explains, there is a security flaw that could allow black hat hackers to steal your money — and Google hasn’t patched the hole yet. That’s especially glaring because this is a replay attack, which is one of the most common methods of compromising a system.

Replay attacks work well because they’re incredibly simple. At the most basic level, they work by recording communication and then replaying it to circumvent security. An analog equivalent would be using a tape recorder to record someone talking to their bank on the phone, and then calling yourself and playing it back to get through security questions. In this case, the NFC transaction is intercepted and then played back later. Google has basic precautions to avoid that, but Mendoza’s write-up proves that they’re easy enough to circumvent with a Raspberry Pi and NFC reader.

Cameron Coward
Writer for Hackster News. Proud husband and dog dad. Maker and serial hobbyist.
Latest articles
Sponsored articles
Related articles
Latest articles
Read more
Related articles