Carnegie Mellon University

Mobile Pickpocketing: Exfiltration of Sensitive Data through NFC-enabled Mobile Devices (CMU-CyLab-13-015)

journal contribution
posted on 2013-12-05, 00:00 authored by Ryan Caney, Christopher Dorros, Stuart Kennedy, Gregory Owens, Patrick Tague

With the increasing popularity of near field communication (NFC) in consumer-off-the-shelf devices, more and more applications are taking advantage of the technology in innovative ways. Unfortunately, with the rise of NFC applications, there emerges a variety of vulnerabilities that could leave an unwitting user vulnerable to a data breach. One such potentially devastating attack is mobile pickpocketing, in which an attacker uses a standard NFC-enabled device to read, store, and transmit unprotected personally identifiable information from cards carried by unsuspecting bystanders.

In this paper, we detail the mobile pickpocketing threat, describe inherent vulnerabilities in today’s NFC landscape, and explain how easy it is for a malicious user to exploit them. We define physical and distributed models of the attack. We walk through our experience developing a mobile pickpocketing application, including the capabilities of the application on particular NFC-enabled devices. Finally, we explore short-term and long-term defenses against mobile pickpocketing attacks.

History

Date

2013-12-05
