A note on NFC security

In my previous posts regarding NFC(1, 2, 3, updates 1 & 2), I had touched briefly on security issues that could stem from NFC. In this quick post, I wanted to add some color to that issue. If you have been reading this blog, you should have a high-level view on what NFC is. From a consumer stand point, it is not very difficult to comprehend. The key for ‘NFC ubiquity’ is to make the use of NFC enabled payments as simple as using credit or debit cards. That is a challenge indeed and I shall be touching on that topic in an altogether different post.

Back to security. What are the key impediments or concerns raised thus far? Here’s list of some of them, and it covers a wide swath of risks with NFC payments.

    1. Stolen phone – Big concern for many consumers. What will happen to key data then? This is almost akin to a stolen wallet. Consumers in such an instance have the option to cancel their accounts by one phone call or email to the carrier or third party provider.
    2. Eavesdropping – Snarfing the signals that go between the phone and the reader.
    3. Unwanted activation – Third party tries to activate the payment card without the consumers knowledge.
    4. Data corruption – Changing data transmitted from NFC device potentially nullifying transactions.
    5. Data modification – Third party attacker is sending valid, but altered data to reader.
    6. Data insertion – Attacker tries to inset new data into the transmission stream.
    7. Denial of service – This is interesting. Attacker tries to disable the reader by creating an RF field around the reader and prevents the same from reading any NFC data.
    8. Man-in-the-middle attacks – Recoding the conversation between the reader and the NFC device. This is essentially tantamount to stealing someone’s identity and using it later for nefarious purposes.

    Why then, one may ask are we so interested in NFC when there are all these concerns being raised? I think the answer lies in the fact that this technology has proven itself in many scenarios especially in Korea, Japan and several countries in Europe. It is a well understood technology and great for proximity payments. Further, unlike say, Bluetooth, the NFC protocol is fast and can establish communications in a matter of milliseconds to enable fast data-transfer between the device and the reader. Success in several applications like rapid transit has demonstrated (among other things) that NFC is great for micro-payments. And this success is now being extended to larger denomination payments.

In addition to the above concerns regarding security, we have issues with authentication that are also being currently addressed. It is perceived that the PIN (Personal Identification Number) methodology may fall short and therefore biometrics is being looked at as an adjunct means for authentication. Biometrics such as fingerprint scanning or even Iris scanning is being looked at. Well, the problem here is of course cost and speed. I am not sure we are a point where we could address both these concerns. Maybe over time the cost curve will go down, while performance goes through the roof. I have had some experience with biometrics with a startup that I tried to get off the ground for an entirely different market and I can tell you that this is a compute intensive task that presents unique challenges in this market. The good thing is that the feature compare will be 1-to-1 and that will help with speeds, but in terms of implementation it’s a whole different ball game.

A lot of work is going on to create secure encoding schemes for all OTA (Over the Air) communications. This will help with protecting vital information as it flows between the NFC device and reader air-gap. One of the encoding schemes being explored is called the ‘Miller and Manchester’ coding scheme. This is a bit coding scheme that essentially records signal transitions and generates electrical pulses of varying widths based on these transitions (HI to LO or vice-versa).

Furthermore, the field is abuzz with activities based on what is called as the “Secure Element”. A catchy term eh!..much like the movie “The Sixth Element”. The Secure Element or SE is nothing but a secure area in the mobile phone memory (on board memory or micro-SD card or even the SIM card), which will contain all the elements required for a secure financial transaction. More on this later.

As one can see, there are a lot of issues that will need to be addressed in order for the FUD to dissipate from the end-consumers mind. Since this is a new technology and will conceivably change the payment paradigm, you can expect to hear a lot of messaging around NFC in the near future. Customers are going to ask the question, what benefits does this technology give me over and above the cash, credit/debit cards that I use for my everyday purchases? In the end, it will boil down to execution – how well can all the players execute. The more I go deeper into this fascinating topic of mobile payments and NFC, I am convinced that for some time there will be multiple payment systems in play and in the end the market will chose which of them is the best and that system will prevail.


This entry was posted in Mobility and tagged , , , , , , , , , . Bookmark the permalink.

One Response to A note on NFC security

  1. Pingback: Kevin Mitnick – “Mobile phones – The new hacking frontier!” | Pixel Ballads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s