Top Four ways to protect yourself from NFC hackers.
NFC is an acronym for Near Field Communication. It’s a fancy way of describing radio frequency based communication over a very short distance. If you grew up in the 80s and ever got some of those really cheap CB walkie-talkies, you know a thing or two about RF over short distances.
With NFC, we’re talking about 20 centimeters. The idea being that by putting your phone so close to a reader, you’ll be able to buy movie tickets, pay for your subway fare, or redeem the latest groupon. In fact, one really cool thing is this technology has the capability to turn us all into master coupon gurus! Who says you are only going to redeem one coupon?
NFC works by taking advantage of induction. Induction is how the wireless charging stations work. They generate a magnetic field that creates a current in devices within that field. Like those fluorescent lights in that picture. They are stuck in the ground and are lit by the electromagnetic field generated by the power lines above them. In NFC, there are two players involved, the initiator and the target. Only one has to be powered for NFC to work, but they can both be powered. When only one is powered, it creates a field strong enough to power the other for the data exchange to take place.
Communication happens in two modes: passive and active. In passive, the initiator provides a carrier field and the target device answers. Basically, the target acts as a transponder and will generate a reply with power it gets from the field generated by the initiator. This is very similar to RFID. In fact, NFC is compatible with passive RFID infrastructures. In active mode, the two NFC chips communicate back and forth and exchange data. They can transmit and receive at the same time, so data exchange is very quick.
In effect, when any two NFC chips get close to each other they begin to transmit and receive data. With phones, the data transmitted can be just about anything. The data transmitted should be encrypted as it could contain your credit card number, your health records, the code to unlock the front door of your home, the code to disable your security system, the code to unlock your gun safe, the code to login to your bank account, or the code to start your car. With NFC, all of this information may soon be transmitted through thin air; albeit over very short distances.
One thing about NFC that I wonder is just how secure will it be? According to the Wikipedia article on NFC, it is already vulnerable to 5 potential attacks. Eavesdropping via a powerful antenna, data modification through interference, Relay Attack where your phone would act as a middle man and pass the transaction on to the next person in line, being lost by the user, and walk off which is a valid transaction that has not been completed but the customer walks off. I find it interesting that NFC isn’t even out yet and there’s already an tool to execute a relay attack.
If you had the relay attack app on your phone, all you need is to be close to someone else and you could just charge that person’s credit card instead of yours. They only have to be close enough.
If you think back to when RFID was introduced, the “experts” all told us how one had to be close to read the chips embedded in credit cards. RFID was secure, and consumers had nothing to worry about. Does anyone remember this?
Now, we get to watch guys like Chris Paget drive around San Francisco cloning the RFID in passports. You should watch this. No Seriously, watch it and listen to this guy; he is not lying. Remember, RFID was sold as secure to the general public.
Now, NFC is coming and the hype is going to be unbelievable. Commercials will run showing attractive people living a harmonious life because they can pay for lunch at a street side bistro with their phone. You’ll be told its secure because the waiter won’t carry your credit card around the corner where you can’t see it. That kind of thing has already started convincing you what a great thing this is.
What they don’t mention is the criminal across the street could be scanning your driver’s license and your credit cards, and then intercepting the NFC conversation and cloning all this information for a quick and dirty spending spree. A real thief (or worse) may pick up your RFID hotel room key. Get ready for home invasion, vacation style.
Why would the credit card companies want you to adopt this technology? Because they wouldn’t have to send you a card, that’s why. No manufacturing of the card, no physical security around that process, no mailing of the card and the costs and risks around that. None of it. Instead, they can just allocate you a number and use that inside an app. The financial savings will outweigh all the losses they experience due to theft.
Some of you may dismiss my concerns as fear mongering. However, as a technologist, I have witnessed too many technologies purported to be secure get hacked and broken. DVDs, Game Consoles, SSL, GSM – they have all had their secure encryption broken. Even Apple’s encryption has been broken.
Thus, I offer up a bit of advice for people who want to use NFC.
1. Open a pawn account
First, open another checking account that you can keep a finite amount of money in. Then, tie that account to NFC payments. You can transfer in your budgeted spend automatically. In this way, if the NFC system is compromised, your exposure is limited to this small account. Additionally, you can close this account easily without having to worry about your automatic bill pays.
2. Analog is an answer
Secondly, if something is valuable enough to you, maintain an analog mechanism when accessing it. For example, a physical key, a combination, or perhaps even a USB key with encryption tokens.
3. Use it for predictable payments
Thirdly, reserve NFC for predictable transactions. Like a toll road tag, you know the cost, you know when you use it, and you can easily spot transactions that are out of the ordinary. Probably the greatest thefts around NFC will show up as tiny transactions that occur repeatedly because a thief put a reader at a bus stop or in a doorway you go through. Criminals are less likely to get caught if they take $1.00 from 100 people rather than $100 from one person.
4. Weigh the risks
Lastly, reserve use of NFC for areas in your life where time is of the essence. Consider any risks associated with NFC with the convenience a speedy transaction may give you. A situation where your ability to complete a transaction in a timely matter is where NFC would be most valuable. A subway or a movie theater perhaps.
NFC is a promising technology, but my professional advice to anyone reading this is to keep your head on and be smart about how and where you adopt this technology. Taking small measures to protect your overall financial and privacy exposure may become more important than ever in the coming years.