6 potential enterprise security risks with NFC technology

Some NFC risks include payment processing fraud, eavesdropping and replay attacks.

Near field communication technology has many uses, including enabling access to secured locations and tracking users -- sometimes without their knowledge or consent. This is an increasing cause of concern and risk.

NFC is used for close-proximity data exchange. It can be complemented with RFID capabilities to extend the range of an NFC tag.

In consumer devices, NFC usage has grown in recent years. Google added support with its Android KitKat release, and Apple has been supporting NFC since at least its iOS 11 update. Among the initial use cases on consumer devices for NFC are tap-to-pay capabilities, such as Apple Pay and Google Pay. On merchant point-of-sale terminals, NFC has been supported to enable tap-to-pay -- also sometimes referred to as contactless payment -- from both smartphones and NFC-enabled credit cards.

For enterprise users, NFC is used in smart cards for access control to office buildings and secured doors. NFC is also used for identity authentication and is commonly embedded in government-issued passports.

NFC technology is increasingly used to enable tracking smart tags, such as Apple AirTags, Samsung Galaxy SmartTags and Tile tags. These can be used to track the location of devices and users.

Potential NFC risks for enterprises

NFC provides both consumers and enterprises with easy-to-use technology that requires little, if any, manual intervention. However, there are several potential security risks.

1. Privacy

The potential privacy risks of NFC technology have generated headlines about attackers using the technology -- in particular, Apple AirTags -- to track users without their knowledge.

By design, smart NFC tags enable devices to be tracked. For example, if a person places a tag in a wallet or purse, that item's location can be determined. It is possible for an NFC tag to be placed on an individual's person or property without their knowledge, which is a privacy risk.

2. Payment processing fraud

A risk with NFC-enabled payment methods is the potential for misuse and fraud.

As opposed to a traditional credit card payment -- which involves a user signature that is matched to the name on the card, or an EMV chip and PIN payment -- NFC payments do not have that type of extra step for validation. There is no way to verify that the person using the NFC-enabled smart card is the owner of the card.

3. Data corruption and tampering

NFC helps enable short-range data exchange. But without the right encryption and security controls in place, it's possible to corrupt that data.

Data corruption potentially can happen with an unauthorized card reader device that tampers with the data exchange in some way -- for example, to authorize a payment for a higher amount than what is shown on a user's screen when using a contactless payment method.

4. Eavesdropping and interception

By design, NFC is a short-range technology. This means that the two parties in a data exchange need to be in immediate physical proximity to one another.

It is possible that even within the short range, there could be some form of man-in-the-middle attack. This is where an unauthorized person can eavesdrop and intercept an NFC exchange. This type of attack is also sometimes referred to as RFID skimming, as it can apply to both longer-range RFID as well as NFC-based data exchanges.

5. Replay attacks

Another risk that NFC-based payments can be exposed to is that of session replay attacks.

In a session replay attack, the information used to execute one transaction in a session is then "replayed" a second time to defraud a user with a second transaction. Session replay attacks are not unique to NFC, but can still have negative consequences.

6. Mobile malware downloads

NFC can also be used to enable device-to-device data transfers.

It is possible for a malicious individual or device to attempt to transfer some form of malware that could be a risk for a consumer or enterprise device.

Mitigating NFC security risks

While there are some enterprise and consumer risks to NFC-based technology, there are also ways to limit them. Many vendors have recognized the benefits of NFC technology for users and are increasingly responsive in providing answers to potential security challenges.

Update firmware and software

Not all NFC risks on every possible device or application have been patched, but many have. As issues arise and are disclosed, vendors develop and release updated firmware for devices. They also update software applications to patch publicly disclosed security risks in specific NFC implementations, applications and hardware.

Improve privacy and reduce unwanted tracking

Making users aware of the potential privacy violation that an NFC smart tag can enable is another way to mitigate risk.

For example, Apple is providing its AirTag users with alerts as part of a new software update. It warns users that the NFC smart tags are only meant to track a user's own belongings. The update also warns users that in many jurisdictions around the world, it is a crime to track individuals without their consent. Going a step further, Apple is introducing additional updates to help identify unwanted tracking with a precision finding feature. This will help determine if an unknown and unwanted AirTag is tracking a user.

Ensure encryption is properly configured

For enterprise users looking to mitigate the risk of man-in-the-middle and replay attacks, a best practice is to ensure that encryption is properly configured.

Encrypting data in motion with Transport Layer Security (TLS) is critical, as it protects data as it moves from one point to another. Using an anti-replay protocol is also essential to limit the risk of replay and data tampering attacks.
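The following is an added illustration, not part of the original article, of how an anti-replay check can reject both a replayed transaction and one whose amount was altered in transit. It assumes a secret key shared between card and backend, HMAC-SHA256 as the message authentication code and a per-card transaction counter; all class, function and field names are hypothetical.

```python
import hashlib
import hmac
import json

class TransactionVerifier:
    """Backend-side check: authenticate each message, then refuse stale counters."""
    def __init__(self):
        self._keys = {}        # card_id -> shared secret key
        self._last_seen = {}   # card_id -> highest counter accepted so far

    def enroll(self, card_id, key):
        self._keys[card_id] = key
        self._last_seen[card_id] = 0

    def verify(self, message, tag):
        try:
            fields = json.loads(message)
            card_id, counter = fields["card_id"], int(fields["counter"])
            key = self._keys.get(card_id)
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        if key is None:
            return "rejected: unknown card"
        # Integrity first: any change to the signed bytes (e.g. the amount) breaks the MAC.
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: tampered"
        # Freshness second: an authentic message is still refused if its counter was already used.
        if counter <= self._last_seen[card_id]:
            return "rejected: replay"
        self._last_seen[card_id] = counter
        return "accepted"

def sign_transaction(key, card_id, counter, amount_cents):
    """Card-side: serialize the fields and compute a MAC over the exact bytes sent."""
    fields = {"card_id": card_id, "counter": counter, "amount_cents": amount_cents}
    message = json.dumps(fields, sort_keys=True).encode()
    return message, hmac.new(key, message, hashlib.sha256).digest()

def demo():
    key = b"constructed-demo-key-not-a-real-secret"   # constructed sample value
    verifier = TransactionVerifier()
    verifier.enroll("card-001", key)
    msg, tag = sign_transaction(key, "card-001", 1, 1250)
    first = verifier.verify(msg, tag)                 # genuine, fresh transaction
    replayed = verifier.verify(msg, tag)              # same bytes sent a second time
    altered = verifier.verify(msg.replace(b"1250", b"9250"), tag)  # amount changed in transit
    return first, replayed, altered
```

The counter only helps if the backend stores the last accepted value durably per card; a verifier that forgets its state on restart would accept old messages again.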

Don't tap untrusted terminals

For NFC-based payment cards and card reader devices, don't tap untrusted devices.

If a terminal looks like it has been tampered with in some way -- or just doesn't look quite right -- look for an alternate method of payment or access if possible. This advice is akin to not opening untrusted email attachments.

Don't allow automatic NFC downloads

Most modern devices do not allow automatic data transfer by default. Instead, they often provide a dialog box that prompts the user to click a button to allow a download. To mitigate the risk of unwanted NFC data transfers, users should ensure their devices do not enable downloads without user intervention and consent.

Use NFC- and RFID-blocking materials

There are several different materials that can block NFC and RFID signals. NFC-blocking wallets integrate a form of special material that can block a signal.

There are also specific NFC-blocking cards. These are plastic cards in the same shape and dimensions as a standard payment card that block NFC and RFID signals from being transmitted. Using the NFC blocker in a wallet or purse near NFC-enabled cards or trackers can mitigate potential unwanted tracking or fraud risks.
