Near Field Communication (NFC) is shaping the future of mobility and is becoming the system of choice for mobile payments. NFC is a technology that has been around already for years, but has gained much attention after Apple announced that the new IPhone 6 line was fitted with the technology for credit card-less payments.

Credit card security is always a concern for consumers, and through the years many systems have been implemented to protect buyers and their finances, from the use of pins to dual authentication when using credit cards online to embedded chips, a technology that is now being phased in also for consumers’ credit cards in the United States.

NFC, with its high security standards as well as convenience, seems to be the answer to the credit card security concerns. The article explores this technology, as far as its use in mobile payments and the concerns with it associated.

Ethical Hacking Training – Resources (InfoSec)

NFC Explained

As the acronym of NFC implies, Near Field Communication provides information exchange between systems in close proximity, usually no more than a few centimeters (typically 0-5 cm). NFC is an open-platform technology used behind many new mobile payment types. It uses a low-power communications protocol between two devices, and it allows consumers to pay for things using their smartphone.

NFC is a form of wireless communication using radio frequencies; it operates at a frequency of 13.56 MHz and transfers data at up to 424 Kbits/second. The bi-directional communication protocol allows NFC-compatible devices to communicate.

Near Field Communications can be considered an advanced version or extension of RFID (Radio-frequency identification); this wireless means of communication is widely used to track items thanks to smart bar codes; in fact, NFC was developed out of the HF RFID readers and tags. Phones with embedded NFC use a wireless non-contact system based on RFID and can transfer data to and from another device remotely (but in close proximity) – for example, a retailer’s POS terminal.

NFC-equipped phones allow consumers to “tap and pay” for purchases. Data are carried on an RF signal that lets consumers perform safe contactless transactions. Buyers pay for goods by simply loading an app on a smartphone and adding credit cards of participating financial institutions. At checkout, payment info can be sent and verified by getting the device close to the POS for “contactless” payments – i.e., without direct physical touch. Of course, in order for Near Field Communication to work, both devices must be equipped with an NFC chip.

A device with an NFC smartcard chipset can very easily be configured to work as a credit or debit card. A NFC-enabled phone, however, can also be used in other ways in conjunction with pre-programmed smart tags; for example, it can read tags programmed to automate tasks or retrieve information. NFC technology can be used to verify memberships at gyms or clubs or even to replace keys. The technology also allows the easy pairing of electronic devices. Some users believe NFC is similar to Bluetooth technology; in reality, NFC requires less power consumption (a must when using cell phones to maximize battery life) and allows pairing of two devices in a much simpler way. In fact, it takes over many of the steps required for the users to perform when connecting devices via Bluetooth.

NFC payments are not the first attempt at making payments easier for consumers. Google Wallet for over three years has allowed consumers to store all their credit cards, debit cards and gift cards data in one easy-to-use virtual wallet and, more recently, even allowed them to pay using Gmail addresses. Google Wallet now is also using NFC technology to provide tap-and-pay options for its users.

How secure these systems really are? Looking back, this type of payment technology has already been prone to attacks. Databases storing financial information of users have already been violated; hacks and vulnerabilities have exposed the personal identification number (PIN) of users’ accounts. Although immediate action was taken by Google to correct their “mobile wallet” problem, it proves there was (and may still be) a security issue.

NFC Security Areas of Concern

With media exposing major security breaches and the compromising of sensitive data due to the activity of hackers, there are growing concerns about the security and safety of private stored information when carrying out NFC-based mobile transactions.

With more and more retailers updating their point-of-sale (POS) equipment with NFC-based contactless technology, some consumers are beginning to question the safety of these transactions and of the data storage of their financial information. There is uncertainty on what is actually being done to protect the data from security breaches that can easily occur.

The fear with NFC is that a hacker could steal credit card information in a simple way utilizing a variety of methods and not-so-sophisticated equipment. For example, other than using a malicious code on the device used by the payer, a remote attacker could intercept the signal during a contactless transaction using a spoofing method through a simple radio receiver. It would require close proximity, but it would indeed be possible. As well, a hacker could casually tap on someone’s device and collect information by using a receiving NFC device.

The possibility of a data interception cannot be discounted, but NFC technology is so advanced that it makes attempts hard to carry on. In addition, technology improvements are adding layers of security that effectively protect users.

Apple, for example, has devised a way to use account numbers linked to a user financial information rather than store credit card data on the phone itself. That plus the use of fingerprints for authentication gives an extra layer of security, as hackers would only be able to collect useless data by intercepting the transmission. Data would be meaningless, unless cybercriminals were able to hack the Apple account of the user and retrieve all associated financial information. The use of fingerprints also eliminates the need to use and transmit pins and passcodes.

Companies creating secure digital wallets like MasterCard’s PayPass and Visa’s payWave that allow customers to make contactless payments at an NFC-enabled terminal are striving to come up with similar plans to reassure consumers when using their apps and app-and-reader counterparts. Other credit card companies are also embracing the new digital money technologies. That makes one believe that mobile payments may well replace the use of cash.

More protection could be afforded by the use of a new solution: the migration to EMV that not only can secure payment cards but also be apt for NFC mobile contactless payments in point-of-sale environments. EMV stands for Europay, MasterCard and Visa and is an attempt of these major credit card companies to implement a standard based on the use of chip card technology. The technology is currently being rolled out in the US, but is already widely available in Western Europe, Eastern Asia and even Australia; it is also used for widely known SBU point of sale applications (QuickBooks POS, ShopKeep and AccuPOS) that have already been optimized and support NFC technology.

By implementing EMV chip technology, overseen by EMVCo, as a means of transaction authentication that can safely authorize transactions and encrypt card data at inception, payments (both contactless through NFC and with a traditional chip-fitted card) can happen in a secure infrastructure that reduces, if not prevents, fraud; this might enable the next generation of payments innovation to flourish.

Cards that use EMV can secure and perform cryptographic processing during a payment transaction to prevent fraudulent connections able to steal account data. An embedded microprocessor chip encrypts transaction data in a different way anytime it is used. Transactions are completed only after a personal identification number is provided by the user. The system has proved to be highly effective and although data are still not conclusive, a 2011 report published by the Cards Association along with Financial Fraud Action UK 2011 noted the positive effect that EMV-embedded chips had in the UK. The report stated that counterfeit fraud losses in the U.K. were found to have dropped by more than 63 percent since 2004; the drop was linked to the growing use of credit card chips.

The overall NFC security system is less likely to be vulnerable if a tag carries security functionality built into the chip. Since software has certain security risks, to move the secure element into hardware may be what is necessary for mobile payment systems to be secure.

In light of all the security advances, are some users still right in distrusting contactless payments? There is always the possibility of data being compromised when wirelessly transmitted. That said, credit card payments through NFC technology promise to be safer than regular credit card swiping. Physical theft of the card, as well as credit card number theft through card reader strips in terminals, are no longer a possibility. In addition, newest NFC technology prevents merchants from storing credit card numbers, as each transaction generates a unique number for each payment.

The human factor is also very important. Users need to ensure they act as the first line of defense in securing their financial information. Basic but effective measures like protecting their phone with pins, updating apps as needed and being aware of their surroundings when making payments are still important steps to take.

“With banks routinely issuing contactless payment cards to customers, there is a need to raise awareness of the potential security threats,” Eleanor Gendle, managing editor of The Journal of Engineering, suggests. Awareness and users’ education are paramount.

Conclusion

NFC opens up a completely new world of possibilities, especially when it comes to enabling contactless payments that are to replace the old-fashioned swipe-and-sign system. Even if proximity mobile payment is easy and convenient and brings a unique customer experience, implementation has some concerned about the security of each transaction. Many question if every transaction is truly swift, smooth and secure as sensitive payment data are transmitted forward for processing.

In order to become a mainstream payment method, contactless payments through NFC need to ensure maximum possible peace of mind to patrons with data well secured. Therefore, the need for the new generation of NFC tag chips to feature a range of built-in security features that can validate the card’s integrity and the cardholder’s verification with a unique identifier (UID) can help secure transactions from any attempts of capturing payments data by malicious hackers. This, of course, in addition to creating secure communication channels, established having all information sent encrypted – thus, leaving only an authorized device to decode it.

Furthermore, the secure element connected to the NFC chip for secure data exchange must also protect personal data that reside in memory, enabling a card emulation application to store sensitive data in a trusted environment. In addition, new users of near field communication ought to also be diligent about keeping tight security on their phones in order to prevent breaches from occurring. Unless precautions are taken, an unauthorized person can gain access to stored credit card information even before being sent to a merchant’s card reader.

Many question if contactless payments will replace cash in the future. Time will tell, but for now, many people remain wary of the new payment technologies and have yet to adopt the new approach. They find the idea of paying for things by mobile phone vulnerable to the risk of fraud. Therefore, the number of shoppers planning to use contactless payment more in the future is uncertain. Who knows, one day, we might all be paying for things with our smartphones, as NFC may really be the future for mobile payments.

References

Brecht, D. (2012, February 14). The Google Wallet Hacked Phone Proves NFC Flaws. Retrieved from http://www.tmcnet.com/topics/articles/2012/02/14/266274-google-wallet-hacked-phone-proves-nfc-flaws.htm

Eldridge, A. (2014, November 18). Is NFC the Future of Safe Credit Card Processing. Retrieved from http://www.business2community.com/tech-gadgets/nfc-future-safe-credit-card-processing-01068637

Herron, J. (2012, April 9). US warms up to EMV credit cards. Retrieved from http://www.bankrate.com/finance/credit-cards/emv-credit-cards-1.aspx

Marks, G. (2014, September 8). Tomorrow, Apple Will Officially Kill The Credit Card.

Retrieved from

http://www.forbes.com/sites/quickerbettertech/2014/09/08/tomorrow-apple-will-officially-kill-the-credit-card/

NFC. (n.d.). Security Concerns with NFC Technology. Retrieved from http://www.nearfieldcommunication.org/nfc-security.html

Shead, S. (2014, November 7). Research highlights security issues with NFC payments. Retrieved from http://www.techworld.com/news/security/research-highlights-security-issues-with-nfc-payments-3481174/

Smart Card Alliance. (2012, October). EMV and NFC: Complementary Technologies that Deliver Secure Payments and Value-Added Functionality. Retrieved from http://www.smartcardalliance.org/publications-emv-and-nfc-complementary-technologies-that-deliver-secure-payments-and-value-added-functionality/