Browse Definitions :

Getty Images/iStockphoto

6 potential enterprise security risks with NFC technology

Some NFC risks include payment processing fraud, eavesdropping and replay attacks.

Near field communication technology has many uses, including enabling access to secured locations and tracking users -- sometimes without their knowledge or consent. This is an increasing cause of concern and risk.

NFC is used for close-proximity data exchange. It can be complemented with RFID capabilities to extend the range of an NFC tag.

In consumer devices, NFC usage has grown in recent years. Google added support with its Android KitKat release, and Apple has been supporting NFC since at least its iOS 11 update. Among the initial use cases on consumer devices for NFC are tap-to-pay capabilities, such as Apple Pay and Google Pay. On merchant point-of-sale terminals, NFC has been supported to enable tap-to-pay -- also sometimes referred to as contactless payment -- from both smartphones and NFC-enabled credit cards.

For enterprise users, NFC is used in smart cards for access control to office buildings and secured doors. NFC is also used for identity authentication and is commonly embedded in government-issued passports.

NFC technology is increasingly used to enable tracking smart tags, such as Apple AirTags, Samsung Galaxy SmartTags and Tile tags. These can be used to track the location of devices and users.

Potential NFC risks for enterprises

NFC provides both consumers and enterprises with easy-to-use technology that requires little, if any, manual intervention. However, there are several potential security risks.

1. Privacy

The potential privacy risks of NFC technology have generated headlines about attackers using the technology -- in particular, Apple AirTags -- to track users without their knowledge.

By design, smart NFC tags enable devices to be tracked. For example, if a person places a tag in a wallet or purse, that item's location can be determined. It is possible for an NFC tag to be placed on an individual's person or property without their knowledge, which is a privacy risk.

2. Payment processing fraud

A risk with NFC-enabled payment methods is the potential for misuse and fraud.

As opposed to a traditional credit card payment -- which involves a user signature that is matched to the name on the card, or an EMV chip and PIN payment -- NFC payments do not have that type of extra step for validation. There is no way to verify that the person using the NFC-enabled smart card is the owner of the card.

3. Data corruption and tampering

NFC helps enable short-range data exchange. But without the right encryption and security controls in place, it's possible to corrupt that data.

Data corruption potentially can happen with an unauthorized card reader device that tampers with the data exchange in some way -- for example, to authorize a payment for a higher amount than what is shown on a user's screen when using a contactless payment method.

4. Eavesdropping and interception

By design, NFC is a short-range technology. This means that the two parties in a data exchange need to be in immediate physical proximity to one another.

It is possible that even within the short range, there could be some form of man-in-the-middle attack. This is where an unauthorized person can eavesdrop and intercept an NFC exchange. This type of attack is also sometimes referred to as RFID skimming, as it can apply to both longer-range RFID as well as NFC-based data exchanges.

5. Replay attacks

Another risk that NFC-based payments can be exposed to is that of session replay attacks.

In a session replay attack, the information used to execute one transaction in a session is then "replayed" a second time to defraud a user with a second transaction. Session replay attacks are not unique to NFC, but can still have negative consequences.

6. Mobile malware downloads

NFC can also be used to enable device-to-device data transfers.

It is possible for a malicious individual or device to attempt to transfer some form of malware that could be a risk for a consumer or enterprise device.

Mitigating NFC security risks

While there are some enterprise and consumer risks to NFC-based technology, there are also ways to limit risks. Many vendors have recognized the benefits of NFC technology for users and are increasingly responsive at providing answers to potential security challenges.

Update firmware and software

Not all NFC risks on every possible device or application have been patched, but many are. As issues arise and are disclosed, vendors develop and release update firmware for devices. They also update software applications that patch publicly disclosed security risks in specific NFC implementations, applications and hardware.

Improve privacy and reduce unwanted tracking

Making users aware of the potential privacy violation that an NFC smart tag can enable is another way to mitigate risk.

For example, Apple is providing its AirTag users with alerts as part of a new software update. It warns users that the NFC smart tags are only meant to track a user's own belongings. The update also warns users that in many jurisdictions around the world, it is a crime to track individuals without their consent. Going a step further, Apple is introducing additional updates to help identify unwanted tracking with a precision finding feature. This will help determine if an unknown and unwanted AirTag is tracking a user.

Ensure encryption is properly configured

For enterprise users looking to mitigate the risk of man-in-the-middle and replay attacks, a good best practice is to ensure that encryption is properly configured.

Encryption is critical for data in motion with Transport Layer Security (TLS), which provides protection as data moves from one point to another. The use of anti-replay protocol to limit the risk of replay and data tampering attacks is essential to help limit risk.

Don't tap untrusted terminals

For NFC-based payment cards and card reader devices, don't tap untrusted devices.

If a terminal looks like it has been tampered with in some way -- or just doesn't look quite right -- look for an alternate method of payment or access if possible. This advice is akin to not opening untrusted email attachments.

Don't allow automatic NFC downloads

Most modern devices do not allow automatic data transfer by default. Instead, they often provide a dialog box that prompts the user to click a button to allow a download. To mitigate the risk of unwanted NFC data transfers, users should ensure their devices do not enable downloads without user intervention and consent.

Use NFC- and RFID-blocking materials

There are several different materials that can block NFC and RFID signals. NFC-blocking wallets integrate a form of special material that can block a signal.

There are also specific NFC-blocking cards. These are plastic cards in the same shape and dimensions as a standard payment card that block NFC and RFID signals from being transmitted. Using the NFC blocker in a wallet or purse near NFC-enabled cards or trackers can mitigate potential unwanted tracking or fraud risks.

Dig Deeper on Security

  • microsegmentation

    Microsegmentation is a security technique that splits a network into definable zones and uses policies to dictate how data and ...

  • Wi-Fi 6E

    Wi-Fi 6E is one variant of the 802.11ax standard.

  • network packet

    A network packet is a basic unit of data that's grouped together and transferred over a computer network, typically a ...

  • MICR (magnetic ink character recognition)

    MICR (magnetic ink character recognition) is a technology invented in the 1950s that's used to verify the legitimacy or ...

  • What is cybersecurity?

    Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyberthreats.

  • Android System WebView

    Android System WebView is a system component for the Android operating system (OS) that allows Android apps to display web ...

  • privacy compliance

    Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or ...

  • contingent workforce

    A contingent workforce is a labor pool whose members are hired by an organization on an on-demand basis.

  • product development (new product development -- NPD)

    Product development, also called new product management, is a series of steps that includes the conceptualization, design, ...

  • talent acquisition

    Talent acquisition is the strategic process employers use to analyze their long-term talent needs in the context of business ...

  • employee retention

    Employee retention is the organizational goal of keeping productive and talented workers and reducing turnover by fostering a ...

  • hybrid work model

    A hybrid work model is a workforce structure that includes employees who work remotely and those who work on site, in a company's...

  • Salesforce Trailhead

    Salesforce Trailhead is a series of online tutorials that coach beginner and intermediate developers who need to learn how to ...

  • Salesforce

    Salesforce, Inc. is a cloud computing and social enterprise software-as-a-service (SaaS) provider based in San Francisco.

  • data clean room

    A data clean room is a technology service that helps content platforms keep first person user data private when interacting with ...