Near field communication technology has many uses, including enabling access to secured locations and tracking users -- sometimes without their knowledge or consent. This is an increasing cause of concern and risk.
In consumer devices, NFC usage has grown in recent years. Google added support with its Android KitKat release, and Apple has been supporting NFC since at least its iOS 11 update. Among the initial use cases on consumer devices for NFC are tap-to-pay capabilities, such as Apple Pay and Google Pay. On merchant point-of-sale terminals, NFC has been supported to enable tap-to-pay -- also sometimes referred to as contactless payment -- from both smartphones and NFC-enabled credit cards.
For enterprise users, NFC is used in smart cards for access control to office buildings and secured doors. NFC is also used for identity authentication and is commonly embedded in government-issued passports.
NFC technology is increasingly used to enable tracking smart tags, such as Apple AirTags, Samsung Galaxy SmartTags and Tile tags. These can be used to track the location of devices and users.
Potential NFC risks for enterprises
NFC provides both consumers and enterprises with easy-to-use technology that requires little, if any, manual intervention. However, there are several potential security risks.
The potential privacy risks of NFC technology have generated headlines about attackers using the technology -- in particular, Apple AirTags -- to track users without their knowledge.
By design, smart NFC tags enable devices to be tracked. For example, if a person places a tag in a wallet or purse, that item's location can be determined. It is possible for an NFC tag to be placed on an individual's person or property without their knowledge, which is a privacy risk.
2. Payment processing fraud
A risk with NFC-enabled payment methods is the potential for misuse and fraud.
As opposed to a traditional credit card payment -- which involves a user signature that is matched to the name on the card, or an EMV chip and PIN payment -- NFC payments do not have that type of extra step for validation. There is no way to verify that the person using the NFC-enabled smart card is the owner of the card.
3. Data corruption and tampering
NFC helps enable short-range data exchange. But without the right encryption and security controls in place, it's possible to corrupt that data.
Data corruption potentially can happen with an unauthorized card reader device that tampers with the data exchange in some way -- for example, to authorize a payment for a higher amount than what is shown on a user's screen when using a contactless payment method.
4. Eavesdropping and interception
By design, NFC is a short-range technology. This means that the two parties in a data exchange need to be in immediate physical proximity to one another.
It is possible that even within the short range, there could be some form of man-in-the-middle attack. This is where an unauthorized person can eavesdrop and intercept an NFC exchange. This type of attack is also sometimes referred to as RFID skimming, as it can apply to both longer-range RFID as well as NFC-based data exchanges.
5. Replay attacks
Another risk that NFC-based payments can be exposed to is that of session replay attacks.
In a session replay attack, the information used to execute one transaction in a session is then "replayed" a second time to defraud a user with a second transaction. Session replay attacks are not unique to NFC, but can still have negative consequences.
6. Mobile malware downloads
NFC can also be used to enable device-to-device data transfers.
It is possible for a malicious individual or device to attempt to transfer some form of malware that could be a risk for a consumer or enterprise device.
Mitigating NFC security risks
While there are some enterprise and consumer risks to NFC-based technology, there are also ways to limit risks. Many vendors have recognized the benefits of NFC technology for users and are increasingly responsive at providing answers to potential security challenges.
Update firmware and software
Not all NFC risks on every possible device or application have been patched, but many are. As issues arise and are disclosed, vendors develop and release update firmware for devices. They also update software applications that patch publicly disclosed security risks in specific NFC implementations, applications and hardware.
Improve privacy and reduce unwanted tracking
Making users aware of the potential privacy violation that an NFC smart tag can enable is another way to mitigate risk.
For example, Apple is providing its AirTag users with alerts as part of a new software update. It warns users that the NFC smart tags are only meant to track a user's own belongings. The update also warns users that in many jurisdictions around the world, it is a crime to track individuals without their consent. Going a step further, Apple is introducing additional updates to help identify unwanted tracking with a precision finding feature. This will help determine if an unknown and unwanted AirTag is tracking a user.
Ensure encryption is properly configured
For enterprise users looking to mitigate the risk of man-in-the-middle and replay attacks, a good best practice is to ensure that encryption is properly configured.
Encryption is critical for data in motion with Transport Layer Security (TLS), which provides protection as data moves from one point to another. The use of anti-replay protocol to limit the risk of replay and data tampering attacks is essential to help limit risk.
Don't tap untrusted terminals
For NFC-based payment cards and card reader devices, don't tap untrusted devices.
If a terminal looks like it has been tampered with in some way -- or just doesn't look quite right -- look for an alternate method of payment or access if possible. This advice is akin to not opening untrusted email attachments.
Don't allow automatic NFC downloads
Most modern devices do not allow automatic data transfer by default. Instead, they often provide a dialog box that prompts the user to click a button to allow a download. To mitigate the risk of unwanted NFC data transfers, users should ensure their devices do not enable downloads without user intervention and consent.
Use NFC- and RFID-blocking materials
There are several different materials that can block NFC and RFID signals. NFC-blocking wallets integrate a form of special material that can block a signal.
There are also specific NFC-blocking cards. These are plastic cards in the same shape and dimensions as a standard payment card that block NFC and RFID signals from being transmitted. Using the NFC blocker in a wallet or purse near NFC-enabled cards or trackers can mitigate potential unwanted tracking or fraud risks.