Android users who aren’t tempted enough to upgrade to the latest Samsung phone but still wish to swiftly pay through apps like Apple Pay can now do so with the Spot.me app and a little help from their iPhone-savvy friends.
Spot.me lets users capture an NFC payment transaction token from another device and even lets them hold onto it for later use.
For the iPhone user, the transaction is just like paying at any NFC-enabled terminal using Apple Pay and fingerprint security, except the NFC POS is replaced with an Android phone, which captures the transaction token.
The captured token can be used by the Android user at any contactless payment terminal just like any ordinary contactless transaction at a POS terminal – for any value, since the tokens do not carry a pre-defined value.
According to NFC World, the app's authors developed it for benign use within the user’s circle of trust. However, if the token falls into the wrong hands, it might lead to fraudulent charges.
“Imagine you’re at a yard sale and you buy something. You’re presented with a device to pay with NFC. How do you know that’s a legitimate terminal, and not an app similar to this?” an industry source told NFC World. “Your token could be across the nation and paying for something in a big box store before you got home. We call it the tokin’ bug, because you can pass it around.”
On the bright side, tokenization expert Doug Yeager, CEO of SimplyTapp, told NFC World that the problem can be fixed on the token issuer side to prevent a relay attack without replacing the readers.
“Basically, it’s the Visa reader software. That’s where the hole is,” he said. “But there are mobile device side fixes to get around it.”