Near-field communication (NFC) is the short-range communication method that seems to be the next big thing for mobile. This technology allows devices to connect with each other when in close proximity, giving them the ability to transmit data easily.

Users with smartphones such as the iPhone 6 and flagship Android devices have this technology available. With the arrival of Google Wallet, Android Pay and Apple Pay, NFC technology allows users to pay at the retail counter via their devices. More and more retailers are responding with NFC readers to help streamline the mobile checkout process.

Understanding the Risks of Near-Field Communication

Being a security guy, I can’t say that it’s all rosy in terms of security- and privacy-related risks. Although an attacker could conceivably reprogram NFC smart tags to embed malware, there are no simple exploits currently published, at least that I’m aware of. The technology also has physical security on its side — i.e., its direction sensitivity and the need for close proximity before communication between devices can be established.

That said, there are some variables associated with NFC implementations. Stolen phones aside, general considerations that you need to be thinking about include questions such as:

  • Is data being encrypted before it’s transmitted? The mainstream NFC apps encrypt data in transit, but what about other niche solutions you might be using? How are the vendors dealing with that?
  • How is data handled once it’s received? Is it via your normal channels, or do you have alternate paths for processing and storage?
  • Does this data fall under the umbrella of existing compliance regulations and your own privacy policy? Are customers aware of this?
  • How is information being shared once collected? Typical point-of-sale cardholder data is one thing. But how is consumer behavior being tracked or perhaps even monitored in real time? This has opportunities for big data analytics written all over it — along with big-time privacy concerns. What’s the business vision surrounding this issue? And are customers aware of what you intend to do with their information?

Smartphone users can also use NFC to transmit data between phones and read NFC tags — both of which arguably have their own security and privacy concerns. While these aren’t issues many everyday customers may be considering, they’re still concepts that enterprises need to address before implementing NFC and beginning to collect and store sensitive data.

It Pays to Ask Questions

Technologies such as NFC are introducing new challenges for enterprises and consumers alike. If your business operates in the retail industry, it’s good to be thinking about how NFC can be exploited in your environment and how information obtained via NFC is handled, stored and retained as part of your business workflows. If anything, it’s yet another data entry/exit point that needs to be brought into the fold of your information security and privacy controls.

Furthermore, if you’re like me and a bit paranoid about all of this data collection, how you’re being tracked by outside companies and how it might be used against you in the future, it’s worthwhile to pay attention to this stuff. Near-field communication is only going to grow, and addressing key issues on the ground floor could prevent a lot of headaches — or reputation-shattering data breaches — in the future.

more from Endpoint

IOCs vs. IOAs — How to Effectively Leverage Indicators

Cybersecurity teams are consistently tasked to identify cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability. Through this endeavor, there is a common struggle for cybersecurity practitioners and operational teams to appropriately leverage indicators of compromise (IOCs) and indicators of attack (IOAs) for an effective monitoring, detection and response strategy. Inexperienced security […]

TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware

Malware authors use various techniques to obfuscate their code and protect against reverse engineering. Techniques such as control flow obfuscation using Obfuscator-LLVM and encryption are often observed in malware samples. This post describes a specific technique that involves what is known as metaprogramming, or more specifically template-based metaprogramming, with a particular focus on its implementation […]