Though the technology has been in place for over a decade, the commercial implementation of contactless payment has seen a new dimension of growth since Apple introduced contactless payment in the iPhone 6. Near Field Communications, or NFC, is a set of standards for portable devices invented by Sony and NXP Semiconductors in 2002 which allows them to establish peer-to-peer radio communications, transferring data from one device to another by putting them very close together. According to the UK Card Association, a total of 1.2 billion contactless payment transactions resulted in over £31 billion changing hands.
According to ABI Research, contactless card shipments are set to reach 230 million in the US by 2021, 10 times the number recorded in 2016 (25.7 M). The majority of these numbers are expected to shift to smartphone contactless payment solutions.
With this new contactless technology set to become an important part of our lives, there are some valid security concerns. While the figures seem impressive, they have also drawn criminal interest in NFC technology for possible exploitation of security loopholes, exactly as attention was drawn towards e-commerce around the beginning of this century. Since the data (payment instructions, requests) is transmitted over a network, there is a genuine possibility of unauthorized interception of important information, which in the immediate future is expected to result in falsified transactions. Hardware devices are already available which can intercept, store or even manipulate the data in the air when kept in close proximity to the transaction. Let's have a look at the threats looming over NFC technology:
Eavesdropping is the number one threat for NFC technology. The term “eavesdropping” refers to criminal listening to information while it is in transit. This allows a hacker to steal unencrypted private information, which may include the credit card details being used for the particular transaction along with simple information like name and contact information.
To neutralize the threat of eavesdropping, the paying mobile application and the terminal must use secure channels. A secure channel transmits encrypted data which can be decrypted by authorized devices only.
Interception attacks (also known as “man in the middle” attacks) are difficult to execute but are the most dangerous ones in the case of an NFC payment transaction. In an interception attack the hacker, or the “man in the middle”, intercepts data in transit, manipulates it and then sends it to the intended recipient. So the recipient receives the information or request the hacker wants instead of the actual intended piece. Since the hacker has the capacity to modify the data as he wants, the possibilities include a falsified response message to the controlling mobile app, sending out wrong account information or user details, and many more. However, if a secure channel has been deployed, the attacker will not be able to encrypt his falsified data in a way acceptable to the recipient device. He will still retain the ability to corrupt the data to make it unusable by the recipient device, which will result in an unsuccessful or incomplete transaction.
The ideal response to the threat of an interception attack on an NFC transaction is to set at least one device in passive mode throughout the lifecycle of the transaction. So the mobile application will need the capability to toggle the NFC status of the smartphone between active and passive mode. The moment the smartphone is dispatching information it has to be in active mode while the terminal device is set in passive mode. Once the send process is over, the mobile device status is to be set back to passive mode while it waits for and receives the terminal response.
Otherwise, for consumers NFC might trigger an additional privacy issue where merchants might develop the technical capability to push offers or even install adware while smartphones are connected to their terminals. This may lead to receiving unintended promotions or losing information to third parties.
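The effect of a secure channel on both threats above can be seen in a short added example (it is not taken from any payment app or NFC standard). It assumes the app and the terminal already share two keys, uses a constructed sample message, and stands in an HMAC-SHA256 keystream for the cipher so it runs with the Python standard library only; a real channel would use a vetted authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32
# Constructed sample payment instruction (not a real message format).
SAMPLE_MESSAGE = b"PAY amount=12.50 currency=GBP merchant=EXAMPLE-CAFE"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demo stream cipher: HMAC-SHA256 in counter mode (stand-in for a real AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then authenticate nonce + ciphertext. Frame = nonce | ciphertext | tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(enc_key: bytes, mac_key: bytes, frame: bytes):
    """Return the plaintext, or None if the frame was altered or truncated in transit."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # reject: the transaction fails instead of being falsified
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate corruption of one byte while the frame is in the air."""
    return frame[:index] + bytes([frame[index] ^ 0x01]) + frame[index + 1:]

if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # shared by app and terminal
    frame = seal(enc_key, mac_key, SAMPLE_MESSAGE)
    print("plaintext visible on the air:", SAMPLE_MESSAGE in frame)
    print("untouched frame:", unseal(enc_key, mac_key, frame))
    print("corrupted frame:", unseal(enc_key, mac_key, flip_bit(frame, 15)))
```

The corrupted frame is rejected rather than decrypted into altered payment data, which matches the outcome described above: the transaction fails, but it is not falsified.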
The Role of a Consumer for Secure NFC Transactions
Consumers always play an important role in maintaining discipline in any sensitive industry, especially while it is at the take-off stage. NFC is no different. Here are a few small things you can do to keep your NFC transactions more secure:
- Always read the fine print before installing an app which uses NFC technology, be it for payment transactions or anything else. Be careful what you are agreeing to share. Remember that what you are sharing with your merchant may also be available to the next man in the queue.
- Keep your application up-to-date. Monitor NFC updates and install patches as soon as they become available.
- When you are not using NFC, turn it off. In terms of the security of any electronic device, it is always good practice to turn off a network feature when it is not in use.
Despite all the concerns identified so far, NFC has to be considered more secure than magnetic stripe or chip and PIN cards. With NFC you never need to hand over the device to the merchant, which means they will never have physical access to your mobile phone to read anything physically, which is not the case for the old plastic cards.