Security Risks Surrounding Near Field Communication

By Stephen Recca, M.A.

Another technology is making inroads into our professional lives, while experts begin to weigh its benefits against the security risks. Near Field Communication (NFC) is a subset of radio frequency identification (RFID), allowing data to be shared at very short ranges (about 20 centimeters) via tags installed in devices like smart phones.

NFC has interesting applications across the board. For example, it can facilitate emergency management, where personnel can share status and updates by touching their NFC-enabled phones together – think fire bucket brigades. Neither the internet nor cellular services are needed. NFC-activated locks can be another way to secure buildings.

Creative marketers will invent new and interesting ways to share information through objects using an NFC tag. For example, as Mashable recently pointed out, gravestone manufacturer RosettaStone developed a microchip that can be placed into monuments, memorials and landmarks. This NFC tablet for gravestones offers detailed information about the deceased when touched by an NFC-enabled phone. Perhaps the old adage remains true that “you can’t take it with you.” But, with this new technology, at least you can keep it nearby.

Today, though, NFC is most commonly used to facilitate contactless payment via smart phones. And, anytime financial information is involved, security and privacy issues take a front and center role.

As the Center for Democracy and Technology’s Harley Geiger noted, “…the security of NFC-enabled phones could be quite good, or at least no worse than a credit card. Since smartphones are miniature computers, strong cryptography and authentication protocol can be built into their systems – but it is up to device manufacturers and service providers to ensure these protections are in place for NFC transactions.”

Geiger’s observations about protocols apply to three areas of heightened security risk with NFC:

  1. Eavesdropping
    While the short read range of NFC offsets some of this risk, third parties can intercept the signals from a greater distance using antennas. That leaves personal information vulnerable. And, if those devices being intercepted are smartphones and credit card readers, unencrypted credit card information is vulnerable.
  2. Data Corruption
    Then there’s the risk of data manipulation or corruption. Say the signal is intercepted, then altered before being sent to the receiving party. Stealing information may not be the goal – disinformation may be, via this sort of “denial of service” attack.
  3. Viruses
    We don’t often hear of smartphone viruses, but they may become more common once phones provide an opening for financial gain for hackers. Since NFC technology allows people to store bank account and credit card information on their smartphones, the devices themselves are increasingly likely to become targets.
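
The data corruption risk in item 2 is what Geiger's "authentication protocol" point addresses most directly. As an added example (not from the original article), the Python below frames a message with a counter and an HMAC-SHA256 tag so the receiving device rejects a frame that was altered or replayed in transit. The names `Sender`, `Receiver` and `flip_bit`, the frame layout and the pre-shared key are assumptions for illustration; this covers integrity only, and protecting against eavesdropping additionally requires encryption.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length in bytes
HDR_LEN = 8   # 64-bit message counter


class Sender:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def seal(self, payload: bytes) -> bytes:
        """Frame = counter || payload || HMAC(key, counter || payload)."""
        self.counter += 1
        header = struct.pack(">Q", self.counter)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def open(self, frame: bytes):
        """Return the payload, or None if the frame was altered or replayed."""
        if len(frame) < HDR_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:  # an old frame sent again
            return None
        self.last_counter = counter
        return payload


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate in-transit alteration by flipping one bit of one byte."""
    return frame[:index] + bytes([frame[index] ^ 0x01]) + frame[index + 1:]


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key; real keys are provisioned securely
    tx, rx = Sender(key), Receiver(key)
    frame = tx.seal(b"Engine 4: on scene")  # constructed sample payload
    print(rx.open(flip_bit(frame, 10)))  # altered frame
    print(rx.open(frame))                # untouched frame
    print(rx.open(frame))                # same frame replayed
```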

Turning back the clock on the technology clearly is not the answer. So, what do we do about these emerging security and privacy concerns? The short answer is to address them holistically, but in ways that we truly can fix rather than delay or hide the problem. The good news is that much good work on technology security and privacy issues is already in the public domain.

The Center for Democracy and Technology’s report on Privacy Best Practices for the Deployment of RFID describes the issues, challenges and some concrete practical steps toward security and privacy. For those looking for the Federal Government’s recommendations, the Federal Trade Commission’s 2012 Staff Report on Consumer Privacy provides a detailed – although arguably oversimplified – set of recommendations for companies.

Ever onward. New technology applications are part of daily life and language. The advantages to consumers, businesses, and government are clearly numerous. The caution, though, is to trust, but verify. Let’s squeeze every ounce of advantage we can from efficiency-focused technology, while maintaining situational awareness regarding our security and privacy.

Image source: Flickr/Thomas Purves