New techniques are labeled as “the next big thing” almost every other month, and one thing that mobile technology can never be accused of is being stagnant. Mobile payments have been on the horizon for quite some time now. A relatively new technology, called Near Field Communications (NFC), is also turning heads and is said to be a significant facilitator in bringing mobile payments to everyday usage. Simply put, NFC technology enables a person to use his/her mobile phone like a credit card and make payments simply by waving the device near an NFC-reading device.
Instead of having to stand in line at the cash counter, customers will be able to electronically check out their items at the supermarket by waving their smartphones at the reader, which is just one of the many ways this technology is planned to be used. Everyone – whether it is Google, VISA or PayPal – is giving this technology serious consideration. Moreover, NFC is also rumoured to be a feature in the upcoming iPhone 5.
Taking a step back from the hype
Just as with any technology that has not yet fully matured, security concerns about NFC payments are rampant among the more cautious-minded techies. While having a mobile wallet is amazingly convenient, most people aren’t too keen on having their money “broadcast” through the air, where it can be intercepted and stolen. The amount of research going into identifying possible issues in the technology, and the backing of the technology giants, indicate that it is only a matter of time before usage of NFC payments becomes common among the masses, which unfortunately also means more exposure to cyber criminals.
Jailbreaking your own wallet?
One of the key elements of NFC security involves the security of the mobile platform on which this technology will be running. Any exploit that lets an attacker gain root access can potentially expose the contents of the (mobile) wallet stored on the device. The jailbreaking of smartphones is common practice among consumers, mainly because it allows them to install software and tailor the device’s functionality in a way that may not have been intended by the manufacturer. However, if the same device is also being used for financial transactions, this opens up a dangerous backdoor which attackers can very well exploit. Ensuring the integrity of your device hence becomes a key concern when using NFC. Similarly, with the number of malicious applications that abound, especially in the Android Marketplace (now Google Play), it will become critical for consumers to protect themselves by installing mobile anti-malware and avoiding third-party applications that have not been properly verified by the marketplace.
It seems that the limited range of NFC would make it difficult to conduct man-in-the-middle attacks, which basically allow attackers to take over an existing session between two devices. However, security researchers like McAfee have already highlighted attacks possible on NFC, such as “Ghost and Leech”, which utilizes a fake RFID card to virtually pick the wallets of victims by stealing their credentials and transmitting them to a fake card. The risk of unauthorized readers capable of reading NFC signals is also present with such devices, and these readers are easily available on the web.
Of course it’s not all doom and gloom, as there are mechanisms that can protect us against these types of attacks. What’s missing is the coordination between the different industry players like smartphone makers, telecoms and NFC device developers, who need to sit down and develop a proper industry standard for securing NFC. Controls like digital signatures have the potential of being ported over to NFC to verify the identity of both the device and the NFC chip. Just like a firewall sees all the traffic coming into a network as un-trusted.
Every revolutionary new technology, such as ATMs, cloud computing, e-commerce and even the internet, had to go through a phase of paranoia before it became accepted – and NFC is no exception. Until consumers are assured of the safety of their mobile payments, NFC will not become the success story it has the potential to be. This is only possible when all parties come together – with consumers protecting their devices with passwords and anti-malware software, and device providers implementing encryption and authentication services to ensure end-to-end security for all NFC-based transactions.