Spot.me Apple Pay to Android app can pose a security risk

For all their advertised benefits, these rising mobile payment systems are pretty much walled gardens of their own. But what if you wanted to use that fancy new wireless system to pay, not just a merchant, but a friend? There's a new app on Android that proposes to do just that and it even lets Apple Pay users join the game. But while Spot.me sounds like a really neat and social thing, it might actually be more trouble than it's worth from a security point of view.

The way Spot.me works is almost genius in its simplicity. It uses NFC to make the transactions and it also supports the iPhone's single-minded chip. Simply tap together an iPhone and an Android smartphone with Spot.me running and the deal is done. The Android device receives a transaction token from the iPhone that it can later use to pay for something using the usual NFC-based terminals. It even works with Google Wallet. The idea is that Spot.me can be used to, say, pay for a friend's coffee or pay a debt the fancy hi-tech way.

All sounds innocent enough, but, as they say, the devil is in the details. First, the token doesn't need to have a pre-determined value, which would be akin to a blank check. Second, while it can be used only once and is gone forever afterwards, it has no expiry date. Which means the recipient of the token can use it any time, anywhere weeks or even months after it was given, and for any item.

Together, these two "loopholes" open the door for abuse. As these involve credit cards, the issuer of the token might not be fully aware of the process until it's too late. There is no immediate way for the user to know whether he or she is paying a legitimate NFC terminal or a device running the Spot.me app. The token can even be passed around, and it will not be possible to trace the path it took.

That said, all hope is not lost, and the necessary fixes might not be as costly as they may sound at first. The flaw is being attributed to a legacy issue in the Visa app running on terminals. Although it is possible to update that app, there might be an easier way as well. The mobile payment systems can also be updated to cover these scenarios, leaving very little room for abuse.
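The two weaknesses described above (a token with no fixed value and no expiry) and the fix suggested here (have the payment system itself cover these scenarios) can be illustrated with a small token-validation model. The following is an added example written for this article; it is not Spot.me, Apple Pay, Google Wallet or Visa code, and it assumes a hypothetical shared key between the wallet that issues a token and the party that redeems it. The token format, the `issue_token`/`TokenVerifier` names and the key value are all constructed for illustration. The verifier refuses a "blank check" token that carries no spending cap, an expired token, an amount above the cap, a replayed nonce, and a token whose signature does not match.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical key shared by the issuing wallet and the verifier (constructed for this example,
# not a real secret).
ISSUER_KEY = b"example-issuer-key-not-for-production"


def issue_token(issuer_key, max_amount_cents, ttl_seconds, now=None):
    """Create a signed, single-use payment token.

    max_amount_cents=None models the weak design in the article: a token with no
    pre-determined value. A verifier that enforces the fix rejects such tokens.
    """
    now = time.time() if now is None else now
    body = {
        "nonce": secrets.token_hex(16),  # unique per token; lets the verifier detect reuse
        "max_amount_cents": None if max_amount_cents is None else int(max_amount_cents),
        "expires_at": int(now + ttl_seconds),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": mac}


class TokenVerifier:
    """Models the redeeming side (a terminal or wallet) after the fix is applied."""

    def __init__(self, issuer_key):
        self.key = issuer_key
        # Nonces already redeemed. A real deployment would persist this across devices;
        # here it is in-memory so the example runs stand-alone.
        self.spent = set()

    def redeem(self, token, amount_cents, now=None):
        """Attempt to spend `amount_cents` with `token`; return (ok, reason)."""
        now = time.time() if now is None else now
        payload = token["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # Check integrity first so nothing below trusts unauthenticated fields.
        if not hmac.compare_digest(expected, token["mac"]):
            return False, "bad signature"
        body = json.loads(payload)
        for field in ("nonce", "expires_at"):
            if field not in body:
                return False, f"missing {field}"
        if body.get("max_amount_cents") is None:
            return False, "no spending cap"      # the "blank check" case
        if now > body["expires_at"]:
            return False, "expired"              # the "no expiry date" case
        if amount_cents > body["max_amount_cents"]:
            return False, "amount exceeds cap"
        if body["nonce"] in self.spent:
            return False, "already spent"
        self.spent.add(body["nonce"])
        return True, "ok"


def demo():
    """Walk through the cases the article raises; returns the verifier's decisions."""
    verifier = TokenVerifier(ISSUER_KEY)
    issued_at = 1_000  # constructed timestamp so the run is deterministic
    capped = issue_token(ISSUER_KEY, max_amount_cents=500, ttl_seconds=600, now=issued_at)
    blank = issue_token(ISSUER_KEY, max_amount_cents=None, ttl_seconds=600, now=issued_at)
    return {
        "within cap, in time": verifier.redeem(capped, 400, now=issued_at + 100),
        "replay of same token": verifier.redeem(capped, 400, now=issued_at + 100),
        "blank-check token": verifier.redeem(blank, 100, now=issued_at + 100),
        "used after expiry": verifier.redeem(
            issue_token(ISSUER_KEY, 500, 600, now=issued_at), 100, now=issued_at + 5_000),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point of the model is that each of the article's concerns maps to one explicit check on the redeeming side, so a payment system can close the gap without changing how the token is handed from phone to phone over NFC.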

VIA: NFC World