Near-field communication (NFC) is the short-range communication method that seems to be the next big thing for mobile. This technology allows devices to connect with each other when in close proximity, giving them the ability to transmit data easily.

Users with smartphones such as the iPhone 6 and flagship Android devices have this technology available. With the arrival of Google Wallet, Android Pay and Apple Pay, NFC technology allows users to pay at the retail counter via their devices. More and more retailers are responding with NFC readers to help streamline the mobile checkout process.

Understanding the Risks of Near-Field Communication

Being a security guy, I can’t say that it’s all rosy in terms of security- and privacy-related risks. Although an attacker could conceivably reprogram NFC smart tags to embed malware, there are no simple exploits currently published, at least that I’m aware of. The technology also has physical security on its side — i.e., its direction sensitivity and the need for close proximity before communication between devices can be established.

That said, there are some variables associated with NFC implementations. Stolen phones aside, general considerations that you need to be thinking about include questions such as:

  • Is data being encrypted before it’s transmitted? The mainstream NFC apps encrypt data in transit, but what about other niche solutions you might be using? How are the vendors dealing with that?
  • How is data handled once it’s received? Is it via your normal channels, or do you have alternate paths for processing and storage?
  • Does this data fall under the umbrella of existing compliance regulations and your own privacy policy? Are customers aware of this?
  • How is information being shared once collected? Typical point-of-sale cardholder data is one thing. But how is consumer behavior being tracked or perhaps even monitored in real time? This has opportunities for big data analytics written all over it — along with big-time privacy concerns. What’s the business vision surrounding this issue? And are customers aware of what you intend to do with their information?

Smartphone users can also use NFC to transmit data between phones and read NFC tags — both of which arguably have their own security and privacy concerns. While these aren’t issues many everyday customers may be considering, they’re still concepts that enterprises need to address before implementing NFC and beginning to collect and store sensitive data.

It Pays to Ask Questions

Technologies such as NFC are introducing new challenges for enterprises and consumers alike. If your business operates in the retail industry, it’s good to be thinking about how NFC can be exploited in your environment and how information obtained via NFC is handled, stored and retained as part of your business workflows. If anything, it’s yet another data entry/exit point that needs to be brought into the fold of your information security and privacy controls.

Furthermore, if you’re like me and a bit paranoid about all of this data collection, how you’re being tracked by outside companies and how it might be used against you in the future, it’s worthwhile to pay attention to this stuff. Near-field communication is only going to grow, and addressing key issues on the ground floor could prevent a lot of headaches — or reputation-shattering data breaches — in the future.