NFC Security: Risks and How to Protect Yourself
5 min read
How NFC Works
While the in-depth technical explanation of the creation of an NFC signal is highly complicated, on a basic layer, every NFC enabled device has an antenna that’s used to communicate with some endpoint.
The initiator device uses the antenna to create a radio field signal to some receiver. As long as the receiver is an NFC enabled device, they’ll be able to communicate over a few different modes:
- Peer-to-Peer Mode: Both devices communicate directly through NFC signals. Used to share data or pair devices.
- Reader/Writer Mode: One device either reads or writes data to the other NFC device’s tag. Sometimes used to acquire data from cards, posters or labels.
- Card emulation mode: An NFC-enabled device (usually, a smartphone in this case) emulates a smart card. Used for NFC transactions such as contactless payments and access control.
There’s dozens of NFC-enabled devices out there. Almost every smartphone and tablet has NFC capabilities, but these devices aren’t the only ones. Every device that has contactless payments, remote ticket and access features, and many more.
While Near-Field Communication provides immense quality of life and speed for various aspects of life, NFC security is also a huge topic. NFC technology can be greatly beneficial, but carries some risk as well.
Benefits of NFC Tech
NFC tech is widely used across industries, ranging from retail to IT. Most of us have run into NFC technology indirectly – it’s used whenever you make a contactless payment. Additionally, it’s also used in some access key cards (or if they’re replaced with an app for a smartphone).
Many of the benefits of NFC technology comes from the convenience and speed it provides. Instead of having to fiddle with PIN codes or credit cards, people can simply tap their NFC device and be done with the transaction. An identical process can happen in many areas, ranging from access gates to various information systems.
NFC technology is also not completely unsecured. There’s plenty of security features that can be implemented by developers such as encryption. But even without such implementations, there’s security measures implemented by default.
Every NFC device comes with some basic encryption and security measures that prevent collision between several communication lines at once. All of these security measures come from various ISO/IEC standards.
Additionally, every device’s NFC chip has to have a Secure Element included. It’s a small hardware component within the NFC chip that allows for small data storage, mainly for cryptography keys and operations.
While NFC capabilities and security measures have a lot of potential, that doesn’t mean it’s entirely risk-free. NFC security is a major topic within the cybersecurity industry as the technology can be easily abused.
NFC Security Risks
NFC technology, for all its benefits and incredible convenience, there’s plenty of ways for various malicious people to abuse the same features. Unfortunately, in some cases even the best uses of the Secure Element and various other measures can protect from some of these attacks.
Data Tampering
One of the more general attacks that can happen on some NFC enabled devices is data tampering. If information isn’t properly encrypted and protected, it can be intercepted and modified.
A common reason is to make or modify payments being made. Since most people expect the payment to be of the same value as they intended, it may be harder to notice, at least initially.
Eavesdropping
An attack that’s similar to tampering, however, it’s only intended to steal information. One of the more unique aspects of eavesdropping is that it may be done by a third device that’s placed close to the two communication points.
Skimming
One of the most concerning attacks for anyone with an NFC device, especially if it can make payments. An attacker will have an NFC reader and move around crowds or close to people who may be holding an NFC device.
The reader will be used to capture information from the device, primarily credit card or debit card information. It can then be used to create counterfeit cards or create unauthorized transactions.
Relay Attacks
A more complicated type of attack that intends to increase the range of NFC. A regular transaction or interaction happens but a third device is placed close to the two primary devices. The receiver then transmits information to the attacker’s NFC chip, which allows them to collect sensitive data without any suspicion.
Replay Attacks
An attack that happens with devices that have legitimate communication and use. The interaction, however, is saved and stored somewhere. Whenever the same device is close once again, the same signal is transmitted to make unauthorized purchases or perform other actions.
NFC Key Stealing
One of the more sophisticated attacks with many different applications. First, an NFC device’s cryptographic keys are captured, which are then used to decrypt data, impersonate legitimate devices, and gain unauthorized access or make payments.
Best Practices for NFC Security
Some of the NFC security best practices will slightly reduce the convenience factor of the technology, but these trade-offs are common. Usually, as convenience increases, security and safety decreases.
For individuals, it’s best to use multi-factor authentication at every touch point possible, including NFC transactions. While you have to take an extra step to make a payment, you’ll greatly reduce the likelihood of skimming or other attacks.
Additionally, there’s various RFID and NFC protected wallets or other packaging wherein you can carry your device. You’ll have to take it out each time you want to use the technology, but it will be impossible to make attacks while it’s protected.
For organizations, NFC security relies on a lot of training and awareness. Employees should go through regular training and courses to ensure they understand the risks associated with the technology.
Auditing NFC devices is also a good idea, especially if it’s used for access control. Employees can lose phones, cards, and other equipment even if the organization is small. But each such loss poses a huge risk to the company, therefore making sure all equipment is accounted for is vital.
Related articles
4 min read
Best Residential VPN Providers in 2024
A Virtual Private Network (VPN) encrypts your traffic and hides your IP address. The way these functions are accomplished affects various aspects of your online privacy and security. Here, we'll consider using residential IP addresses instead of those originating from a data center. A residential VPN has advantages compared to traditional ones, but there are some caveats. It all boils down to residential VPN providers. The worst ones may even create more risks than benefits. We'll end this article with a list of the best residential VPN providers on the market.
3 min read
Ethernet vs Wi-Fi: Which One is Better?
Ethernet and Wi-Fi are the two main ways to connect your computer to the internet. While Wi-Fi has received significantly more attention in recent years, especially among consumers, due to its simplicity and flexibility, ethernet is still widely used in various other applications. Even if Wi-Fi is significantly more popular, it isn’t strictly better. Both methods have their benefits and drawbacks. Wi-Fi’s popularity comes from its ease-of-use and flexibility, but an ethernet connection can be much more useful in certain scenarios.
4 min read
How to Change Chrome Proxy Settings: The Ultimate Guide
A proxy server is an easy alternative to a VPN that can perform most of the functions of the latter. It’s a server that stands between your device and the destination server, taking your connection requests and forwarding them in your name. Destination servers in almost all cases see the proxy server as the originator of the request. As such, proxies are widely used in various, mostly business-related applications whenever privacy, security, location changing, and several other factors are at play.