How secure is NFC?
Meanwhile, the NFC technology is used in several services and applications. Nevertheless, many people are concerned about the security of data transmission via NFC especially when it comes to the use of payment services like Google Wallet. Therefore, this article aims to explain data and transmission security of the NFC technology based on three examples. The central questions answered are: Is paying via NFC secure? Can I read NFC tags by strangers without concerns? Are data stored on NFC tags secure?
NFC chip inside your smartphone
The NFC chip inside your smartphone is constructed in a way that the chip isn’t able to access other data on your device. This means, it’s not possible that a NFC chip autonomously receives data from your phone and sends them to other parties. Many people also think that people could read sensible data on smartphones by scanning the built-in chip while passing by. However, as data on the chip is strictly separated from other data on your smartphone, this isn’t possible either.
Nevertheless, infected software on your smartphone is always a security risk. In case your phone is infected with a virus, data on the built-in NFC chip could be partially read. However, many people overestimate the reach of NFC. In order to read a NFC chip, one has to hold a NFC reader very close to the chip (at least 10 cm). This means, though it’s possible to read data from an infected smartphone’s NFC chip, it’s still difficult to come close enough with a NFC reader. The limited reach is one of the main differences to RFID which is another data transmission standard people often mix up with NFC. Moreover, the NFC function is deactivated when the smartphone is locked. As most people lock their smartphones while carrying them around, it’s very unlikely that a criminal could read data on the NFC chip when passing by.
Contactless payments via NFC
NFC payments underlie similar security mechanism as classic credit card payments. Due to the CVC3 coding an even higher security standard is applied to NFC payments in comparison to credit card payments. The NFC payment process is synchronized between the NFC-enabled POS terminal and NFC chip inside the smartphone. The synchronization ensures that both devices process the same transaction. This way, it’s not possible to copy payment data and use them for later transactions (skimming). In case payment data are copied they are useless for transactions in the future. Furthermore, higher amounts (usually about 25 $) require an additional PIN entry.
Contactless payments via NFC aren’t only possible via smartphone, since NFC credit cards contain also more often NFC chips. As especially paying via NFC raises many questions, we answer questions about the security of NFC payments in another article.
Reading NFC tags – always secure?
On the hacker conference “Blackhat” in 2012, Charlie Miller drew attention to a security issue of NFC-enabled smartphones. He explained that he was able to take over various Android and Nokia smartphones via NFC. However, this was only half the truth as the major problems were software weaknesses and not the NFC technology.
In the case of Android the takeover worked as follows: A website was opened by scanning a modified NFC tag. This website exploited a software weakness in the Webkit Browser (until Android 4.0.1). This weakness enabled Charlie Miller to take over the smartphone. In the case of Nokia, Miller exploited a weakness in an application which displays data and pictures transmitted via NFC. He was able to take over the device via a Buffer Overflow.
Both cases show that the security breaches aren’t part of the NFC technology itself, but were caused by software weaknesses. For example, the takeover of the Android Phones would have also been possible via QR codes or a simple link in an email. Nevertheless, you should only scan NFC tags by people or companies you trust.
Data security on NFC tags
In case you encode your own NFC tags, you might wonder if storing data on NFC tags is secure. To keep it short: Security-related or personal data shouldn’t be stored unencrypted on NFC tags. The NFC technology was developed to allow for quick and easy access to data on NFC. This means: As soon as a person scans your unencrypted NFC tag this person has access to the stored data. If not, this would defeat the whole purpose of NFC tags.
However, users often store personal data such as contact information on NFC tags. For this use case, we offer the web portal NFC-Cloud, which allows to change the visibility of certain data on your NFC tags. All data set to invisible via NFC-Cloud are still stored on the NFC tag, but can’t be read by scanning. Moreover, we offer special NFC protection covers which prevent NFC cards from unauthorized scanning. A built-in aluminum layer ensures that, for instance, data on your NFC-enabled credit cards can’t be read by criminals.
Conclusion
On the one hand, we can’t promise 100 % security of NFC, but on the other hand we don’t know any technology which is completely secure. However, especially in comparison to other data transmission standards NFC is quite secure. When it comes to security of technologies, the user is often the most important factor: Only install trustworthy apps on your smartphone and inform yourself about security breaches and updates of your operating system regularly.