Is NFC Still a Vulnerable Technology?

Near Field Communication (NFC) or Near Field Confidence?

NFC, or Near Field Communication, is a standard that defines the exchange of data between two devices in close proximity. For NFC-enabled smartphones, that means consumers can replace their credit and debit cards with an electronic wallet. Besides payment transactions, the technology is suitable for a wide variety of applications:

  • Access: Electronic identity & Physical Access control
  • Transactions: Store Transportation passes, Electronic Payments
  • Information: Store Personal information, View Product information, Receive discounts, Swap Media

How Vulnerable is the Technology?

NFC is inherently secure for mobile payment since transactions can only take place within roughly 4 cm, making it uncomfortably close for an attacker to ‘skim’ information. And since the NFC chip has to be queried by a reader, any encrypted credit card information stored on your smartphone is only accessible when it’s activated at an NFC POS terminal or similar device. A strong password on the phone adds an extra layer of protection, preventing unwanted access to sensitive credit card or other personal data on a stolen device.

NFC Hacked

But wait, if you have six months of free time to debunk these NFC factoids, you may discover otherwise. That’s just what someone did with a few NFC-enabled smartphones to test out the security of the technology. At a 2012 BlackHat conference, a researcher presented his findings on how he painstakingly hacked the devices to take advantage of a variety of exploits. With the appropriate know-how, NFC can be manipulated to launch a browser that links to a malicious website, download malware, upload personal info, make unwanted calls or even send SMS messages. Pretty impressive, huh? And what about the concept of card skimming? Imagine an NFC tag discreetly placed at a point-of-sale terminal to quietly collect credit card information with some NFC skimming technology. Ouch!

What’s Taking So Long?

The slow adoption of NFC technology is being impacted by a few big barriers (lack of industry coordination / standardization, lack of infrastructure to support NFC) that will give smartphone providers some extra time to address these technology vulnerabilities (let’s hope that’s the case).

While retailers may be feeling consumer pressure to deploy NFC payments and other applications, a misstep with the technology can have a huge impact not only on its adoption but also on customer satisfaction, loyalty and retention. A bigger ouch!

Tim Appleby

Security Strategist for Retail Industry, IBM Security

Tim Appleby is a member of the Strategy and Planning team in IBM's new Security division. In his role as a Security Strategist for Retail, he provides insights on the latest retail security trends and IBM offerings that address retailers' concerns. In addition, he is the liaison for industry CISOs participating on the IBM Security Board of Advisors and the focal point for IBM on the PCI DSS standards committee. Prior to joining IBM in 2001, Tim worked in an e-Business start-up as a product manager for a mobility initiative and also designed and developed surgical products for 14 years in the medical device industry. Tim’s 27 years of experience crosses many areas of expertise.