A security loophole has been found in Android that potentially puts your credit card details at risk through NFC, and yes, it displays your card number in plain sight! Google says it’s preparing a fix for the issue that was discovered over on GitHub by MrTiz.
Using an NFC device called the Flipper Zero, he combined tapping the phone against it with manipulating the screen pinning function on Android 5.0 to achieve this. You can see the process in the video below. It’s actually pretty wild to see this step-by-step.
If you’ve got Screen Pinning turned on together with the settings “Ask for PIN before unpinning” and “Require device unlock for NFC,” and NFC itself is enabled, there’s a window of vulnerability, especially if Google Wallet is storing your credit or debit card for in-store NFC payments.
Now, if someone malicious with one of these NFC tools in their pocket got close enough to a locked Android phone, they could potentially access your full credit card information! Luckily, they can’t make a transaction with it, as most transactions require a PIN code or the chip to be physically present these days, but it’s still something I’m sure you’d prefer no one has!
Google’s taken note and classified the issue as “high” priority. It says a fix is set to roll out as part of the September 2023 security patch, targeting Android versions 11, 12, and 13. Until then, just disable Pinning in your device settings by going to Security & Privacy > More security & privacy > App Pinning.
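For anyone managing more than one phone, the mitigation above can be checked over adb. This is an added example, not code from the article, MrTiz, or Google. It assumes the September 2023 patch is reported as level `2023-09-01` by `ro.build.version.security_patch`, and that App Pinning state is the AOSP system setting `lock_to_app_enabled`; `classify` and `audit_device` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: classify a device against the issue described above.
# Assumptions (not from the article): patch levels are YYYY-MM-DD strings,
# the September 2023 patch is level 2023-09-01, and App Pinning is the
# AOSP system setting lock_to_app_enabled (1 = on, 0 or null = off).

FIXED_PATCH="2023-09-01"

# classify RELEASE PATCH PINNING -> prints one verdict word
classify() {
    release=${1%%.*}          # major version only, e.g. "12" from "12.1"
    patch=$2
    pinning=$3
    case "$release" in
        11|12|13) ;;          # versions the article says the fix targets
        *) echo "not-targeted"; return 0 ;;
    esac
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;   # missing or malformed patch level
    esac
    # ISO dates sort lexically, so the older of the two sorts first.
    oldest=$(printf '%s\n%s\n' "$patch" "$FIXED_PATCH" | sort | head -n 1)
    if [ "$oldest" = "$FIXED_PATCH" ]; then
        echo "patched"        # patch level is at or after the fix
    elif [ "$pinning" = "1" ]; then
        echo "exposed"        # unpatched and App Pinning still enabled
    else
        echo "mitigated"      # unpatched, but App Pinning is off
    fi
}

# audit_device SERIAL -> queries one connected device and prints its verdict
audit_device() {
    rel=$(adb -s "$1" shell getprop ro.build.version.release | tr -d '\r')
    pat=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    pin=$(adb -s "$1" shell settings get system lock_to_app_enabled | tr -d '\r')
    printf '%s %s\n' "$1" "$(classify "$rel" "$pat" "$pin")"
}
```

Run `audit_device <serial>` for each serial listed by `adb devices`; any device reported as `exposed` should have App Pinning turned off until it receives the patch.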