Google’s Android-based Nexus S and many upcoming mobile devices will include Near Field Communications (NFC) technology. NFC has many interesting applications. It will allow users to pay for merchandise, obtain and use electronic tickets, initiate peer-to-peer payments, and other similar transactions all with the wave of their device within a few centimeters of a reader. However, without proper protections, this technology is wrought with security concerns. In fact, a recent MasterCard survey found that 62% of Americans would be willing to use NFC-enabled devices to make purchases, but the same percentage needed assurance that their information was secure before they would be comfortable using the technology (http://newsroom.mastercard.com/2011/05/19/most-people-ready-to-make-payments-with-their-mobile-phone/).
Though all the commercials showcase the conveniences of the technology, an NFC-enabled mobile device that can simply be waved in front of a reader to initiate a transaction could easily be sniffed. Any attacker standing within up to a few meters with a strong enough reader would be able to steal users’ information and initiate transactions with their copy. So how can these security issues be solved? All of the solutions either limit the convenience of the technology or do not provide sufficient protection.
For the most basic security, a waved device should not simply initiate a transaction but instead should, at a minimum, prompt a user to click a button before allowing the transaction to go through. This way, their information can’t be read while the device is simply sitting in their pocket. However, an attacker can still read their information once they click the button because the transaction information is transmitted at this point. Also, if their device is stolen, this solution offers no protection.
Another option is to force the user to enter a pin local to their device and not known by anybody else including their bank to unlock their devices or at least their NFC applications. This would make it harder for stolen devices to be used to initiate transactions though pins are usually easily crackable. This alone would also not prevent an attacker from reading the information at the point of sale and using the copied information to initiate transactions. And it comes at the cost of lost convenience. Biometric security (i.e. fingerprint scanning) basically provides the same security level as a pin because the information isn’t encrypted and so it could still be read at the point of sale. However, it’s less crackable and slightly more convenient.
Any solution to protect against sniffing (i.e. eavesdropping), relay (i.e. man in the middle) or device theft would have to employ true authentication so that information could not easily be stolen. There are several options to accomplish this. However, all of these reduce the convenience of the technology. One method is to set up a pin with the bank. Now this pin can be used by the bank to encrypt handshaking information which could only be unencrypted with knowledge of the pin. So the bank could send a newly generated key (encrypted using the pin) to be used for encryption of the rest of the messages. All an attacker would be able to gather is the encrypted messages and so they wouldn’t be able to accomplish anything. Furthermore, a stolen device would not be usable for transactions without the pin. However, users would have to enter a pin for every single transaction to keep this technology secure. The pin could also be provided using a secondary token or device that a user would have to carry that would be connected or swiped with the primary device, but this seem even less convenient and even more prone to attacks since an attacker can just steal the secondary token information. Having information that is only known to a user and his/her bank, however, is the only way to make NFC technology truly secure.
In practice, there have been several implementations and ideas. For example, in the UK, Oyster Cards are used to pay for the subway and automatically deduct amounts from a user’s card. This system employs no protections because an Oyster Card can just be held up to a reader. One idea in practice has been to always or periodically ask a user for a pin which provides at least some level of protection. It’s not
clear, however, if this would employ the authentication and encryption method discussed above or would simply unlock the device for the transaction. The final idea that has been mentioned has been to limit the transaction amounts to a certain maximum to make it less attractive for theft. But if applications were released that could easily steal information, it’s not far-fetched to think that there would be many malicious users stealing information for some free coffee and gas! But since credit card theft occurs even now without NFC, maybe this is an acceptable level of risk. Since there have been so many rumors of NFC technology making its way into the next wave of major device releases, including the upcoming iPhone or its predecessor, it will be interesting to see what levels of security future implementations of NFC technology will employ!