Thinking of making purchases on Alipay or Samsung Pay? Think again. If you don't watch out, your payments might be hijacked during the transaction process.
That's what Chinese University researcher Zhang Kehuan found after examining an electronic component called the token, which is necessary for most mobile payment transactions.
The token can simply be "stolen in mid-air," he said.
Zhang, from the department of computer science and engineering, explained that a string of codes is used for about one minute to match up the payer's mobile device with a point-of-sale machine to authorize payment. If a mobile is infected with malware, the payment code can be copied into a criminal's phone and the payment hijacked.
The malware will also cause the phone to display an incorrect QR code to stop the transaction from being completed at the victim's end.
With the hijacked token embedded into the correct QR code, the thief can present the QR code to another point-of- sale machine and use the victim's account to make an unauthorized payment, Zhang said.
Magnetic secure transmission - a feature on the Samsung Pay service that is only available to Samsung smartphones - was also found to be vulnerable.
With this signal, users can authorize payments with their smartphones at point-of-sale machines without near field communication functionality, Zhang said. The token is embedded into the magnetic secure transmission signal.
With a make-shift antenna, the team was able to pick up and record the signal from about two meters from the victim.
The team intercepted the transaction on the victim's end with a signal jammer bought online, Zhang said. The signal was then replayed to another point-of-sale machine to make unauthorized payments.
Zhang said most defenses in mobile payment services focus on blocking "passive" attacks, such as the copying of tokens.
"When designing these payment services, they did not take into account active adversaries," he said.
But Zhang said "active" attacks - in which criminals intercept transactions before they can be completed - is an issue for Alipay and Samsung Pay.
After discovering the loopholes, the team notified relevant service providers which plugged them. But he urged people not to modify their phones' firmware to avoid malware infection.
Before using mobile payment services, people should know the risks, he said.
Other mobile payment methods involving near field communication, such as Octopus and Apple Pay, are safe from the loophole.