NFC Exploits in Android & Nokia Smartphones

Security expert Charlie Miller demonstrated an NFC attack on Android and Nokia devices at the 2012 Black Hat security conference. Weeks ago I read that Miller, who has become well known for his hacking ability when it comes to Apple products, was planning on demonstrating a vulnerability with NFC technology. He showed how NFC tags can be used to trick people into visiting a malicious site without them even knowing. A hacker could carry out an attack like this just by replacing an NFC tag that is meant for, say, a company's website with an NFC tag that guides the person to another website.

Miller said that on the Nokia N9, a MeeGo-powered handset, the vulnerability is that when NFC is enabled, the device will, by default, accept any NFC request without user permission. Miller was able to exploit this to establish a Bluetooth connection even if Bluetooth was not turned on, and a hacker can essentially use this to make phone calls, send text messages and even download data.

Miller showed how, once a user is directed to a malicious website, he could download and install a virus that attacks a security hole in the Android browser to read cookies and view the webpages visited by the user. Miller says that this can ultimately give a hacker complete control over a victim's handset. This vulnerability has been closed off in Android 4.0 but can affect users running Android 2.3 Gingerbread, which is over 60% of users. Miller also acknowledged that it can only be exploited if an attacker is able to get within a few centimeters of an affected device.

Two Criminals Sentenced to Prison in Michaels Stores Scam

The two criminals, Eduard Arakelyan, 21, and Arman Vardanyan, 23, who stole 94,000 debit and credit card numbers from 84 Michaels Stores Inc. locations, have been sentenced to federal prison.

They were charged with conspiracy to commit bank fraud, bank fraud and aggravated identity theft. On March 20, 2012, both pleaded guilty to the scheme to steal customers' card information by removing the personal identification number pads and replacing them with fraudulent ones, which downloaded the customers' card information that the criminals then received and used fraudulently.

Around July 2011, they admitted, they both used 952 blank Gold and Silver credit card-like cards that had been encoded with bank and personal identification stolen from Michaels Stores customers to withdraw as much money as possible from ATMs in Northern California.

On July 24, 2012, Arakelyan and Vardanyan were each sentenced to serve:

• 36 months in prison on bank fraud and conspiracy charges,
• 24 months in prison for the identity theft charge (to be served consecutively with the prior 36 months),
• 5 years of supervised release after serving their prison time.

The two were also ordered to pay $42,043 in restitution.