Central to every contactless mobile action is a little microchip and radio antenna conducting the tap-and-go operation that is near field communication (NFC). NFC encryption technology is transforming the way users access information, make payments, and share data across devices.
What is NFC?
NFC is a system of contactless communication that enables data sharing between devices like smartphones, tablets, and laptops. With NFC, a user can gesture their phone towards an enabled device and share information without manually establishing a connection. With its speed and convenience, the technology has already become mainstream.
How it Works
It’s easy to assume that NFC operation is an extension of Wi-Fi or Bluetooth technology. All three systems support wireless communication and data transfer, but NFC operates using electromagnetic fields whereas Wi-Fi and Bluetooth use radio transmissions.
NFC extends from radio-frequency identification (RFID) technology. RFID is often used for inventory and material management, attendance tracking, as well as security access control. While the basic principles of each technology are incredibly similar, NFC operation is limited to a close proximity radius. Most users consider NFC’s proximity control to be a significant security asset given the considerable role it plays in mobile payment.
There are two types of NFC devices: active and passive. Passive devices like smart posters, merchandise beacons, and contactless POS terminals can hold information for active devices to read, but cannot access external information themselves. Active devices are able to send radio-frequency currents that interact with and collect data from other enabled hosts.
More Than a Digital Wallet
While mobile payments may be the easiest way to understand NFC, the technology can be applied to more than tap-and-go purchases.
NFC introduces a more complex environment for interactive marketing. With NFC, marketers can target consumers more efficiently by collecting real-time data to deliver personalized content. This technology will make it easier to evaluate and promote loyalty programs and eliminate the need to collect multiple rewards cards. Passive hosts are already starting to pop up on advertisements, signs, and merchandise.
The real estate market is a prime example of how NFC can dramatically improve customer engagement. Including NFC tags on real estate signs or listings can benefit a buyer in a number of ways. Obviously, an agent can provide details about the property, but they can also offer photos, floorplans, virtual tours, and other listings based on the buyer’s desired criteria. This method of communication has the potential to create in-depth and valuable connections between brands and their mobile consumers.
Security Concerns
While there are a number of NFC applications providing significant value to the user, for many, security remains a big point of concern.
Consumers want to ensure that their data – and their money – is safe. Merchants want their systems and customers protected. The same goes for banks and credit card issuers. The more secure the transaction is, the better it is for all parties involved.
These concerns aren’t invalid – with any type of electronic transaction, there is always an element of risk, and NFC-based mobile payments are no different. As is true of any burgeoning technology, new mobile payment methods will introduce new threats.
But how severe is the potential risk?
Eavesdropping
This is when someone “listens in” on the transaction. Via eavesdropping, information can be intercepted and obtained by a malicious party.
However, the very nature of NFC inherently limits this risk. Since the devices must be in very close range (within 4 cm) to send signals, it is much more difficult to intercept these signals. Furthermore, when a secure channel is established – as is the case with NFC-based mobile payments – the data is encrypted and only an authorized device (like the POS terminal) can decrypt it.
Additionally, the NFC chips in devices aren’t always active. When your phone is locked and not in use, the NFC device isn’t actively sending any data. It doesn’t become active until you want it to, for example when you are checking out at a store using a contactless terminal. This means that on top of somebody being very close to you, they would also have to be extremely lucky in order to intercept your signal.
Data Manipulation
This is when someone attempts to manipulate or corrupt the data in an NFC transmission. Data manipulation risk can be significantly reduced with the use of secure channels, and some devices have the ability to listen for and prevent data corruption attacks.
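As an added illustration (not part of the original article), the Python sketch below shows how an integrity-protected channel rejects a modified or replayed frame. The ChannelEnd class, the frame layout, the session key and the sample message are all assumptions made for the example; it uses HMAC-SHA256 with a message counter and is not the protocol of any particular payment scheme.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes

class ChannelEnd:
    """One end of an integrity-protected channel (hypothetical sketch)."""
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_ctr = self.recv_ctr = 0  # next counter to send / expected to receive

    def _tag(self, ctr: int, payload: bytes) -> bytes:
        # The MAC covers counter and payload, so neither can be altered unnoticed.
        return hmac.new(self.key, struct.pack(">Q", ctr) + payload, hashlib.sha256).digest()

    def protect(self, payload: bytes) -> bytes:
        ctr, self.send_ctr = self.send_ctr, self.send_ctr + 1
        return struct.pack(">Q", ctr) + payload + self._tag(ctr, payload)

    def accept(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("frame too short")
        ctr = struct.unpack(">Q", frame[:8])[0]
        payload, tag = frame[8:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(ctr, payload)):
            raise ValueError("integrity check failed: frame was modified")
        if ctr != self.recv_ctr:
            raise ValueError("unexpected counter: frame replayed or reordered")
        self.recv_ctr += 1
        return payload

def demo() -> dict:
    key = bytes(range(32))  # constructed session key, for illustration only
    phone, terminal = ChannelEnd(key), ChannelEnd(key)
    frame = phone.protect(b"AMOUNT=12.50;CUR=USD")  # constructed message
    results = {"genuine": terminal.accept(frame)}
    tampered = bytearray(frame)
    tampered[8 + 7] ^= 0x08  # flip one bit in transit: "12.50" becomes "92.50"
    for name, bad in (("tampered", bytes(tampered)), ("replayed", frame)):
        try:
            terminal.accept(bad)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

The receiver verifies the tag before it looks at the counter, so a modified frame is reported as modified even when its counter is also wrong.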
Interception Attacks
These are when an outside party tries to take advantage of active-passive modes of the device to send and receive NFC transmission data.
Relay Attacks
While difficult, there is a concern over the possibility of relay attacks. Theoretically, an attacker could leverage relay software and a card emulator. In fact, this was proven as a threat when researcher Michael Roland was able to complete a live payment transaction on an earlier version of the Google Wallet using this method. The issue has since been resolved by Google.
Device Theft
Another concern that has surfaced is with device theft – if someone has access to the device, any encryption is rendered useless. In theory, the person in possession of the phone can use it to make purchases at any NFC-enabled point-of-sale terminal that accepts payment via mobile wallet.
However, this threat can be mitigated using simple steps on the part of the device owner, such as ensuring their phone has an access passcode. Additionally, ensuring that a lost phone isn’t used for such purchases is essentially as easy as canceling the credit card or an associated account. In such cases, Android users can access Android Device Manager to remove financial details and Apple users can erase information with the “Find My Phone” feature.
Finally, many devices have another step of verification – such as the fingerprint scan for Apple Pay – that significantly limits the risk of anybody but the device owner using it to complete mobile payments.
Security Measures
Security concerns aren’t exclusive to mobile payments; they also apply to a number of other potential and realized NFC applications. However, there has been quite a lot done to ensure that mobile payments via NFC, in particular, are safe for all interested parties, including merchants and consumers. We’ll go over a number of these security measures, both inherent in the technology and created to add a higher degree of protection.
Proximity
Many proponents point out that by virtue of the proximal nature of NFC (devices must be within 4 cm to communicate), attacks are more difficult to execute. As discussed above, many attacks that may be a problem for other types of data transfer, while still possible, would require the attacker to be very close to the devices that are communicating with one another in order to work.
Secure Element
NFC payments have traditionally worked via the secure element – a tamper-resistant chip containing sensitive information such as account details. With mobile payments, the secure element is typically stored within the device, which communicates with the NFC-enabled receiver in order to complete the transaction.
Apple Pay, for example, uses the secure element within the mobile device (on a separate portion that isn’t part of iOS), but also has added security features that include tokenization and authentication via fingerprint.
HCE
HCE, or host card emulation, emulates the physical card and stores the secure account information in the cloud, as opposed to on the device itself. Android Pay uses HCE in order to allow mobile payment transactions to be completed securely. It does use some level of tokenization, but since the payment data is stored in the cloud, the tokenization process is also cloud-based, which some believe makes it less secure.
EMVCo
EMVCo facilitates global interoperability and acceptance of secure mobile payments. The organization has been working towards defining the architecture, specifications, requirements and type approval processes for supporting EMV mobile NFC payments. These include:
- Requirements for product type approval
- Sets of basic functional requirements for mobile devices
- Cardholder verification methods
- Certification requirements such as a security evaluation for the SE holding the payment application
- Requirements for the identification of EMV application on a device
- Conformance to a reference application activation user interface (AAUI) on the device (Source: Smart Card Alliance).
NFC Mobile Payments: a Secure Choice
Despite the potential security concerns, which aren’t entirely unfounded, claiming that NFC mobile payments are insecure is untrue. In fact, digital security firm Gemalto maintains that mobile payment via NFC is as secure as payment with a plastic bank card. Ultimately, there may be barriers to the adoption of NFC-based mobile payments – technological, logistical or otherwise – but concern over security should not be one of them.
The Future of NFC
Moving forward, there is potential for NFC to replace every card in your wallet. Security concerns aside, now is the time for businesses to investigate possible ways to incorporate NFC into their mobile strategies. A whole world of digital communication is simply a tap away.