The roll-out of Near Field Communication (NFC) on smartphones will revolutionize payments of small amounts, which account for the majority of retail purchases. As most consumers carry their smartphone with them at all times, NFC is a convenient, simple and quick payment method for transactions of a few dollars. However, the ease with which payments can be made by swiping the smartphone on the reader in a retail store leads many consumers to question the level of security involved. Is NFC secure?
NFC – A technology with multiple uses
NFC is a technology with multiple uses, such as:
– Payments for low cost items in a retail store
– Sharing information with friends or colleagues, such as business card data, by touching smartphones
– Proof of payment for a subway or concert, in lieu of a printed ticket
– An access device, for example for getting into the office or clocking in and out of work
– Unlocking your car
– A replacement for barcodes when shopping
How does the technology work?
NFC is a contactless technology used to transmit information. It is a form of Radio Frequency Identification (RFID), where a chip in the NFC-enabled smartphone generates an electromagnetic field. This field can then be used to communicate with a reader, a tag on a poster or shelf, or another NFC-enabled smartphone. By embedding an NFC chip inside a smartphone, users can store their credit card information in a virtual wallet and make payments for transactions by swiping their phone over the NFC reader in the retail store.
The radio communication generated by NFC can be received over a short range of only a few centimetres. The smartphone requires an NFC chip and antenna. NFC is an extension of technology that has already been in use for a number of years, for example for public transport payments via smartcard.
NFC devices may be active or passive. Active devices, for example an NFC-enabled smartphone, can send and read data. Passive devices, for example an NFC tag, contain information that other NFC devices can read, but the passive device does not read any information itself.
What are the security threats and how does NFC safeguard against these?
Intrinsically, NFC appears to many to be insecure. Simply swiping one’s smartphone to pay for a coffee or lunch seems too easy and open to unauthorised payments. Here are some threats that spring to mind:
1. The threat of having your smartphone stolen, and then used to purchase goods
Owners of NFC-enabled smartphones should always lock their phone using the device passcode. However, what if your smartphone is stolen while it is unlocked? Could it then be used to make unauthorised payments? The NFC software application on the smartphone requires its own PIN in order to activate a payment. The only danger, then, is that the thief has watched over your shoulder when you previously entered the NFC PIN, and subsequently steals your smartphone while it is unlocked. This is the same threat level as using an ATM with a cash card.
2. The threat of a criminal placing an NFC receptor in close proximity to your smartphone in order to steal your funds. For example, a criminal could place a receptor near your phone while it is in your pocket and you are in a crowded elevator or subway.
Once again, this method would not succeed in stealing your money, because the NFC application on your smartphone must be activated by you entering your PIN before it will transfer any funds.
3. The threat of intercepting the NFC signal by eavesdropping while you are undertaking a transaction and then altering the signal so that the funds are transferred elsewhere.
The threat of eavesdropping on an NFC signal is almost negligible. NFC signals are extremely direction-sensitive: turning the smartphone even at a slight angle means the signal cannot be read by the receptor. The transmitting and receiving devices need to be closely and accurately aligned before the signal is successfully completed, making eavesdropping very unlikely.
4. Malware on the smartphone.
This is the threat of malware intercepting a transmission and then modifying or cancelling (denial of service) that transmission. The extent of this threat depends upon the nature of the software application powering the NFC feature. There are currently no known proof-of-concept malware examples of this threat; time will tell whether any emerge. As an added precautionary measure, sensitive information that is transmitted via NFC is encrypted, so the data would be of little use if malware were able to accomplish this attack.
If you password-protect your smartphone, which will safeguard it in the event of physical loss or theft of the device, and keep your NFC PIN secure, then NFC-enabled smartphones will remain a convenient and secure method for small transactions, purchasing tickets, and transferring information.