How secure is NFC payment?

To pay via NFC, you simply hold your NFC-enabled smartphone or NFC credit card near a POS terminal. Our article "How does NFC payment work" explains the different NFC payment options. However, many people have questions about the security of the NFC payment process.

Can a criminal read my credit card information?

NFC transmits data only over very short distances (1-4 cm), so it is not possible to pay accidentally while walking past an NFC reader at the point of sale. Nevertheless, criminals could install a mobile app on their smartphone that reads NFC credit cards. By holding the smartphone near your credit card, they can read sensitive payment information such as your credit card number or the card’s expiration date. Such apps cannot read the CCV number of your card, but many online shops don’t require this number. So in theory it is possible to read your credit card information with an app and use it to make online purchases.

However, keep in mind that NFC transmits data, including your payment information, only over distances of 1-4 cm. A criminal therefore has to come very close to your credit card to read your payment information successfully. You should always be cautious when a stranger comes very close. The most effective way to protect your credit card information, however, is to keep your NFC credit card in a special NFC protection cover. These covers contain a shielding aluminum layer that blocks the transmission of payment information.

Learn more about ways to protect your NFC credit card.

Can a stranger charge my bank account?

Only sums below $25 can be paid via NFC without signing a receipt or entering your PIN. All purchases above $25 require your signature or PIN as authorization. A criminal who possesses your payment information could therefore only purchase $25 worth of goods at a time. To charge higher sums to your bank account, the criminal has to make several purchases below $25. However, banks’ security systems watch for unusual numbers of small purchases. Once these systems detect such a pattern, the bank informs the account holder about the purchases. Based on this information, the account holder can decide to block the account.

Most wallet apps let you enable notifications for all completed transactions. This way, you can quickly spot purchases made by strangers yourself and don’t have to rely on your bank’s security system. Of course, you should also block your account if you detect unauthorized purchases yourself.

Unauthorized transactions are also possible via malicious software on your smartphone. People usually keep their smartphone next to their wallet. A smartphone with malicious software could inform a criminal about NFC credit cards within reach. The criminal could then place his own smartphone on a POS terminal and, via the internet, make it appear to the terminal that your NFC credit card is actually placed on it. However, this method doesn’t allow criminals to make purchases above $25 either. Again, your bank’s security system will detect the unusual number of small purchases, and your account can be blocked. The most effective protection against such attacks is to install only trustworthy apps on your smartphone.

In summary, a stranger can charge your bank account if he or she possesses your credit card information. However, your bank’s security system will limit your losses.
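A simplified version of the small-purchase monitoring described in this section, as an added example that is not part of the original article or any bank's actual system. Only the $25 limit comes from the text; the one-hour window, the threshold of three purchases and the transaction records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

NO_PIN_LIMIT = 25.00             # purchases below this need no PIN or signature (from the article)
WINDOW = timedelta(minutes=60)   # assumption: look-back window per account
MAX_SMALL_PURCHASES = 3          # assumption: tolerated no-PIN purchases per window


def flag_small_purchase_bursts(transactions):
    """Return one alert per purchase that pushes an account over the threshold."""
    recent = defaultdict(deque)  # account -> (time, amount) of recent no-PIN purchases
    alerts = []
    for tx in sorted(transactions, key=lambda t: t["time"]):
        if tx["amount"] >= NO_PIN_LIMIT:
            continue             # authorised by PIN or signature, outside this rule
        window = recent[tx["account"]]
        window.append((tx["time"], tx["amount"]))
        # Drop purchases that have fallen out of the look-back window.
        while tx["time"] - window[0][0] > WINDOW:
            window.popleft()
        if len(window) > MAX_SMALL_PURCHASES:
            alerts.append({
                "account": tx["account"],
                "time": tx["time"],
                "count": len(window),
                "total": round(sum(amount for _, amount in window), 2),
            })
    return alerts


def _tx(account, hhmm, amount):
    when = datetime.fromisoformat(f"2020-08-06T{hhmm}")
    return {"account": account, "time": when, "amount": amount}


# Constructed sample data: account A shops normally, account B shows a burst.
SAMPLE = [
    _tx("A", "08:10", 4.50), _tx("A", "12:30", 11.20),
    _tx("A", "18:45", 60.00), _tx("A", "19:00", 7.80),
    _tx("B", "14:00", 24.00), _tx("B", "14:05", 23.50), _tx("B", "14:09", 24.90),
    _tx("B", "14:12", 22.00), _tx("B", "14:20", 24.99), _tx("B", "16:00", 19.00),
]

if __name__ == "__main__":
    for alert in flag_small_purchase_bursts(SAMPLE):
        print(alert)
```

The rule alerts on the fourth and fifth purchases of account B and stays silent for account A, whose small purchases are spread across the day.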

Is it possible to intercept sensitive payment information during the payment process?

NFC credit cards are protected by the EMV standard, like normal credit cards. This standard ensures that only an encrypted version of your payment information is transmitted to POS terminals. Moreover, a new key is generated for every transaction, so a key cannot be reused for another transaction. Because the key can only be used once, intercepting it would be useless.
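The one-time-key idea above, as an added example that is neither the EMV specification's algorithm nor code from the original article. HMAC-SHA256 stands in for EMV's own key derivation and cryptogram functions, and the card key, transaction counter and terminal nonce are constructed values.

```python
import hashlib
import hmac


def session_key(card_key: bytes, counter: int) -> bytes:
    """One-time key: depends on the card secret and the transaction counter."""
    label = b"session" + counter.to_bytes(2, "big")
    return hmac.new(card_key, label, hashlib.sha256).digest()


def cryptogram(card_key: bytes, counter: int, amount_cents: int, nonce: bytes) -> bytes:
    """MAC over the transaction data, computed by the card with the one-time key."""
    data = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(session_key(card_key, counter), data, hashlib.sha256).digest()[:8]


class Issuer:
    """Bank side: shares the card secret and remembers the last counter it accepted."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.last_counter = 0

    def authorise(self, counter: int, amount_cents: int, nonce: bytes, mac: bytes) -> str:
        if counter <= self.last_counter:
            return "declined: counter already used"
        expected = cryptogram(self.card_key, counter, amount_cents, nonce)
        if not hmac.compare_digest(expected, mac):
            return "declined: cryptogram mismatch"
        self.last_counter = counter
        return "approved"


def demo():
    card_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    nonce = bytes.fromhex("a1b2c3d4")                              # constructed terminal nonce
    issuer = Issuer(card_key)
    mac = cryptogram(card_key, 1, 1999, nonce)                     # card pays 19.99
    results = [issuer.authorise(1, 1999, nonce, mac)]              # genuine transaction
    results.append(issuer.authorise(1, 1999, nonce, mac))          # same message seen again
    results.append(issuer.authorise(2, 1999, nonce, mac))          # old cryptogram, new counter
    next_mac = cryptogram(card_key, 2, 500, nonce)
    results.append(issuer.authorise(2, 500, nonce, next_mac))      # card's real next purchase
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A cryptogram captured from one transaction is rejected when it is presented again, because the issuer has already consumed that counter and the next counter yields a different key.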

If you use a wallet app to pay via NFC, your payment information is protected as well. Your payment information isn’t stored by the wallet app itself, because malicious software could then retrieve it easily. Instead, your data is stored either on the Secure Element of your phone (Apple Pay) or on Google’s servers (Android Pay). The Secure Element is separated from the rest of your operating system, so data can’t be intercepted easily. If you’re interested in how Apple and Google store your payment information, read our article "How does NFC payment work".

In summary:

  • Don’t let strangers come close to your wallet.
  • Keep your NFC credit card in an NFC protection cover.
  • Enable notifications for completed transactions in your wallet app.
  • Block your account if you detect unauthorized transactions.
  • Install only trustworthy apps on your smartphone.

Created: 2017-02-16 / Updated: 2020-08-06