Near-field communication (NFC) is the short-range communication method that seems to be the next big thing for mobile. This technology allows devices to connect with each other when in close proximity, giving them the ability to transmit data easily.

Users with smartphones such as the iPhone 6 and flagship Android devices have this technology available. With the arrival of Google Wallet, Android Pay and Apple Pay, NFC technology allows users to pay at the retail counter via their devices. More and more retailers are responding with NFC readers to help streamline the mobile checkout process.

Understanding the Risks of Near-Field Communication

Being a security guy, I can’t say that it’s all rosy in terms of security- and privacy-related risks. Although an attacker could conceivably reprogram NFC smart tags to embed malware, there are no simple exploits currently published, at least that I’m aware of. The technology also has physical security on its side — i.e., its direction sensitivity and the need for close proximity before communication between devices can be established.

That said, there are some variables associated with NFC implementations. Stolen phones aside, general considerations that you need to be thinking about include questions such as:

  • Is data being encrypted before it’s transmitted? The mainstream NFC apps encrypt data in transit, but what about other niche solutions you might be using? How are the vendors dealing with that?
  • How is data handled once it’s received? Is it via your normal channels, or do you have alternate paths for processing and storage?
  • Does this data fall under the umbrella of existing compliance regulations and your own privacy policy? Are customers aware of this?
  • How is information being shared once collected? Typical point-of-sale cardholder data is one thing. But how is consumer behavior being tracked or perhaps even monitored in real time? This has opportunities for big data analytics written all over it — along with big-time privacy concerns. What’s the business vision surrounding this issue? And are customers aware of what you intend to do with their information?

Smartphone users can also use NFC to transmit data between phones and read NFC tags — both of which arguably have their own security and privacy concerns. While these aren’t issues many everyday customers may be considering, they’re still concepts that enterprises need to address before implementing NFC and beginning to collect and store sensitive data.

It Pays to Ask Questions

Technologies such as NFC are introducing new challenges for enterprises and consumers alike. If your business operates in the retail industry, it’s good to be thinking about how NFC can be exploited in your environment and how information obtained via NFC is handled, stored and retained as part of your business workflows. If anything, it’s yet another data entry/exit point that needs to be brought into the fold of your information security and privacy controls.

Furthermore, if you’re like me and a bit paranoid about all of this data collection, how you’re being tracked by outside companies and how it might be used against you in the future, it’s worthwhile to pay attention to this stuff. Near-field communication is only going to grow, and addressing key issues on the ground floor could prevent a lot of headaches — or reputation-shattering data breaches — in the future.

More from Software Vulnerabilities

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today