Europe’s law enforcement agency, Europol, has warned that Android phones may have been used to access sensitive data tied to Google’s Tap and Go service. It has been reported that criminals have managed to compromise NFC transactions, allowing them to carry out fraudulent payments. Users who deactivate their cards are still at risk, as this process does not always stop thieves from using them.
The warning came in Europol’s annual Internet Organised Crime Threat Assessment report. According to the BBC, officials have stated that they are unsure exactly how criminals have managed to use Android phones to exploit users’ credit cards. Europol has proposed one possible scenario: “Several vendors in the dark net offer software that uploads compromised card data on to Android phones in order to make payments at any stores accepting NFC payments”. At this point, officials are unsure whether criminals are exploiting customized apps, or whether it is directly tied to Android Pay.
Android Tap & Go is the suspected culprit because Apple does not support third parties hooking into the device’s NFC chip, whereas Google allows for this. Officials have stated that they are unsure how to assist businesses if they suspect a payment is fraudulent. Originally, the protocol instructed immediate confiscation of suspected compromised cards. However, smart wallets are totally dependent on a customer’s mobile for purchases. As such, Europol and law enforcement officials have called for manufacturers of smartphones and touchless payment terminals to “take action to design out security flaws”.