Browse Definitions :

Getty Images/iStockphoto

6 potential enterprise security risks with NFC technology

Some NFC risks include payment processing fraud, eavesdropping and replay attacks.

Near field communication technology has many uses, including enabling access to secured locations and tracking users -- sometimes without their knowledge or consent. This is an increasing cause of concern and risk.

NFC is used for close-proximity data exchange. It can be complemented with RFID capabilities to extend the range of an NFC tag.

In consumer devices, NFC usage has grown in recent years. Google added support with its Android KitKat release, and Apple has been supporting NFC since at least its iOS 11 update. Among the initial use cases on consumer devices for NFC are tap-to-pay capabilities, such as Apple Pay and Google Pay. On merchant point-of-sale terminals, NFC has been supported to enable tap-to-pay -- also sometimes referred to as contactless payment -- from both smartphones and NFC-enabled credit cards.

For enterprise users, NFC is used in smart cards for access control to office buildings and secured doors. NFC is also used for identity authentication and is commonly embedded in government-issued passports.

NFC technology is increasingly used to enable tracking smart tags, such as Apple AirTags, Samsung Galaxy SmartTags and Tile tags. These can be used to track the location of devices and users.

Potential NFC risks for enterprises

NFC provides both consumers and enterprises with easy-to-use technology that requires little, if any, manual intervention. However, there are several potential security risks.

1. Privacy

The potential privacy risks of NFC technology have generated headlines about attackers using the technology -- in particular, Apple AirTags -- to track users without their knowledge.

By design, smart NFC tags enable devices to be tracked. For example, if a person places a tag in a wallet or purse, that item's location can be determined. It is possible for an NFC tag to be placed on an individual's person or property without their knowledge, which is a privacy risk.

2. Payment processing fraud

A risk with NFC-enabled payment methods is the potential for misuse and fraud.

As opposed to a traditional credit card payment -- which involves a user signature that is matched to the name on the card, or an EMV chip and PIN payment -- NFC payments do not have that type of extra step for validation. There is no way to verify that the person using the NFC-enabled smart card is the owner of the card.

3. Data corruption and tampering

NFC helps enable short-range data exchange. But without the right encryption and security controls in place, it's possible to corrupt that data.

Data corruption potentially can happen with an unauthorized card reader device that tampers with the data exchange in some way -- for example, to authorize a payment for a higher amount than what is shown on a user's screen when using a contactless payment method.

4. Eavesdropping and interception

By design, NFC is a short-range technology. This means that the two parties in a data exchange need to be in immediate physical proximity to one another.

It is possible that even within the short range, there could be some form of man-in-the-middle attack. This is where an unauthorized person can eavesdrop and intercept an NFC exchange. This type of attack is also sometimes referred to as RFID skimming, as it can apply to both longer-range RFID as well as NFC-based data exchanges.

5. Replay attacks

Another risk that NFC-based payments can be exposed to is that of session replay attacks.

In a session replay attack, the information used to execute one transaction in a session is then "replayed" a second time to defraud a user with a second transaction. Session replay attacks are not unique to NFC, but can still have negative consequences.

6. Mobile malware downloads

NFC can also be used to enable device-to-device data transfers.

It is possible for a malicious individual or device to attempt to transfer some form of malware that could be a risk for a consumer or enterprise device.

Mitigating NFC security risks

While there are some enterprise and consumer risks to NFC-based technology, there are also ways to limit risks. Many vendors have recognized the benefits of NFC technology for users and are increasingly responsive at providing answers to potential security challenges.

Update firmware and software

Not all NFC risks on every possible device or application have been patched, but many are. As issues arise and are disclosed, vendors develop and release update firmware for devices. They also update software applications that patch publicly disclosed security risks in specific NFC implementations, applications and hardware.

Improve privacy and reduce unwanted tracking

Making users aware of the potential privacy violation that an NFC smart tag can enable is another way to mitigate risk.

For example, Apple is providing its AirTag users with alerts as part of a new software update. It warns users that the NFC smart tags are only meant to track a user's own belongings. The update also warns users that in many jurisdictions around the world, it is a crime to track individuals without their consent. Going a step further, Apple is introducing additional updates to help identify unwanted tracking with a precision finding feature. This will help determine if an unknown and unwanted AirTag is tracking a user.

Ensure encryption is properly configured

For enterprise users looking to mitigate the risk of man-in-the-middle and replay attacks, a good best practice is to ensure that encryption is properly configured.

Encryption is critical for data in motion with Transport Layer Security (TLS), which provides protection as data moves from one point to another. The use of anti-replay protocol to limit the risk of replay and data tampering attacks is essential to help limit risk.

Don't tap untrusted terminals

For NFC-based payment cards and card reader devices, don't tap untrusted devices.

If a terminal looks like it has been tampered with in some way -- or just doesn't look quite right -- look for an alternate method of payment or access if possible. This advice is akin to not opening untrusted email attachments.

Don't allow automatic NFC downloads

Most modern devices do not allow automatic data transfer by default. Instead, they often provide a dialog box that prompts the user to click a button to allow a download. To mitigate the risk of unwanted NFC data transfers, users should ensure their devices do not enable downloads without user intervention and consent.

Use NFC- and RFID-blocking materials

There are several different materials that can block NFC and RFID signals. NFC-blocking wallets integrate a form of special material that can block a signal.

There are also specific NFC-blocking cards. These are plastic cards in the same shape and dimensions as a standard payment card that block NFC and RFID signals from being transmitted. Using the NFC blocker in a wallet or purse near NFC-enabled cards or trackers can mitigate potential unwanted tracking or fraud risks.

Dig Deeper on Security

Networking
  • firewall as a service (FWaaS)

    Firewall as a service (FWaaS), also known as a cloud firewall, is a service that provides cloud-based network traffic analysis ...

  • private 5G

    Private 5G is a wireless network technology that delivers 5G cellular connectivity for private network use cases.

  • NFVi (network functions virtualization infrastructure)

    NFVi (network functions virtualization infrastructure) encompasses all of the networking hardware and software needed to support ...

Security
  • Advanced Encryption Standard (AES)

    The Advanced Encryption Standard (AES) is a symmetric block cipher chosen by the U.S. government to protect classified ...

  • operational risk

    Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business ...

  • risk reporting

    Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.

CIO
  • Risk Management Framework (RMF)

    The Risk Management Framework (RMF) is a template and guideline used by companies to identify, eliminate and minimize risks.

  • robotic process automation (RPA)

    Robotic process automation (RPA) is a technology that mimics the way humans interact with software to perform high-volume, ...

  • spatial computing

    Spatial computing broadly characterizes the processes and tools used to capture, process and interact with three-dimensional (3D)...

HRSoftware
  • OKRs (Objectives and Key Results)

    OKRs (Objectives and Key Results) encourage companies to set, communicate and monitor organizational goals and results in an ...

  • cognitive diversity

    Cognitive diversity is the inclusion of people who have different styles of problem-solving and can offer unique perspectives ...

  • reference checking software

    Reference checking software is programming that automates the process of contacting and questioning the references of job ...

Customer Experience
  • martech (marketing technology)

    Martech (marketing technology) refers to the integration of software tools, platforms, and applications designed to streamline ...

  • transactional marketing

    Transactional marketing is a business strategy that focuses on single, point-of-sale transactions.

  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...

Close