Last updated: 20 March 2014
I’m occasionally asked: ‘Aren’t NFC payments vulnerable to hacking?” and “What if your NFC phone or card is stolen? Can’t someone just run off spending your money?” My answers are simple. Firstly, anything is vulnerable to hacking if it isn’t secured properly (even smart toilets); just make sure your NFC payment method is secured by a name you trust.
So, how secure is NFC? It is one of the most secure and convenient payment methods available today. Security and convenience is in the nature of NFC chips, especially if they are properly protected. They’re more secure than other payment solutions which may be vulnerable to hacking, and are clearly more secure than cash which will always be insecure and can be counterfeited.
NFC for Payments: Contactless credit cards and cell phones use NFC to transfer payment information. Data transferred through NFC is secured to a level far beyond magnetic stripe cards because it is heavily encrypted, and, while magnetic stripe cards use the same string of card data for every transaction, an EMV chip creates new data every time you make a transaction. That’s an important security feature because it renders a stolen card number useless without the chip itself doing the job of properly attaching the new, secret part of the data necessary for each additional transaction.
Hacking: There are some who confuse NFC with standard RFID or claim it’s not designed with secure transfers in mind. In short, they are mistaken. There are many reasons why the nature of NFC hardware actually ensures security. Firstly, NFC’s close range is a first line of defence against hackers. A potential hacker would have to be uncomfortably close to you just to be within communication range. In fact, most NFC chips only operate at such close range that you have to almost physically touch a smartphone to an NFC device in order to initiate the connection.
Secondly, another barrier to hackers is that NFC functionality on your cell phone or contactless card will only activate or become receptive to communication when you choose to enable it. For example, the chip lays dormant while your phone is in standby mode and will only activate when you initiate a payment with a designated NFC terminal.
NFC vs WiFi and Bluetooth: The much greater range of Bluetooth and WiFi is far more vulnerable to hack attack. WiFi, for example, is particularly vulnerable to exploitation, even with the most advanced products, which Jeremy Kirk pointed out this summer when assessing the security of Google Glass. Furthermore with these systems, if you fail to protect your device with secured passwords and strong authentication, you could be putting your identity and money at serious risk.
Stolen NFC phone or contactless card? Common NFC practice ensures that only one phone call to your MNO (Mobile Network Operator) can remotely lock all applications, such as apps for banking, retail payments and transport operators, to prevent unauthorized transactions. Your phone or card can be replaced quickly with all of the services restored.
To read more about the security of NFC, see my recent article published on GigaOm.