What is NFC?
NFC, or near field communication, is a system for devices to communicate over short distances. When you pay for a coffee by tapping your phone against a contactless card reader, signals travel via NFC to confirm the payment.
You probably use NFC technology on a regular basis in payment systems like Apple and Google Pay. Contactless cards have NFC capabilities and so do most mobile devices. In addition to contactless NFC payments, these systems can also be used in other authentication processes, like tapping an NFC-enabled train ticket on a barrier or unlocking a door with an electric fob.
Some security concerns arise from NFC’s use in smartphones, but to understand why these risks exist, we need to cover how NFC actually works.
How does NFC work?
NFC works by sending radio signals over distances of up to ten centimeters, though this varies by device. You might have noticed that you don’t always need to physically touch your phone to a card reader to complete the transaction. Sometimes just being within that small radio field is enough for the transaction to be completed.
If your smartphone has NFC set up on it — in the form of your Apple Pay or Google Wallet apps, for example — its internal antennas are alert for any NFC signals.
Even if you’re not using those apps actively, the antenna could still be functional, which is why your device may vibrate or even give you notifications when it is placed next to another NFC-enabled object, like a bank card or passport.
NFC technology has some obvious benefits, but it comes with some disadvantages too.
The main advantage of NFC is convenience. This convenience is most evident in its application in payment processes. Where once you might have counted out cash or typed a pin code into a machine, NFC lets you pay simply by moving your phone close to a payment terminal.
NFC technology can also be used as part of a device’s security system. Certain apps or even entire operating systems can be set up to require an NFC security key to open. That means that, even if someone were to gain remote access to a device, perhaps via a malware attack, they wouldn’t be able to open NFC-locked applications without a physical NFC key (usually a small piece of hardware that can be inserted into the device via a USB-C slot).
The reason NFC tech is being used in such a variety of places now, from protecting sensitive data to paying for groceries, is that it’s a simple and effective way to bridge gaps between physical devices, with minimal setup required from users.
NFC is not perfect, of course. For one thing, the tech is relatively expensive to implement from the provider’s side. Some companies might find the cost of supplying all employees with NFC keys prohibitively expensive, for example. Technology usually becomes cheaper as it is more widely adopted, but for now the high implementation costs remain a problem for some organizations.
From the user’s perspective, NFC technology can also be taken advantage of by bad actors. If your phone is stolen, it could be used to make contactless payments without your authorization, unless you have already set up a payment verification process (like a biometric scan). Most devices have limits on how much money can be spent via contactless payment, but the risk of any financial losses is still something to be aware of.
Despite the dangers of theft and misuse, NFC is still a relatively secure payment option, compared to other methods like chip-and-pin payments.
Is NFC secure to use?
While it’s not completely risk free — no payment method is — NFC is probably safer to use than classic physical cards, a fact that might seem counterintuitive. The problem with traditional chip-and-pin cards is that, if someone steals your card and does have access to your pin, they could potentially withdraw any funds you have in your account. The details on your card, including your name and banking numbers, could also be stolen to aid in identity theft.
If someone steals your NFC-enabled phone, on the other hand, they have far fewer options for causing you harm. The amount of money they can access with it is limited, and any unusual activity with the device’s payment apps could prompt your card’s security measures to kick in, blocking payments until the user authenticates themselves.
10 NFC security risks
NFC users should be aware of the risks below, though it’s worth remembering that these risks are not likely to impact most people. For the majority of NFC users, this technology is perfectly safe. While it’s not a very comforting thought, the fact is that hackers have many far more effective ways to target you than NFC attacks.
1. Data tampering
If a hacker were to gain access to an NFC device, like a payment terminal, they might be able to reprogram it to send or request data that it isn’t meant to. In cases where an NFC device and the network it uses are properly secured, however, the chances of a hacker managing to carry out a data tampering attack via NFC are very low.
A hacker within range of a near field (the small area within which the radio waves are traveling) could use an app on their own device to pick up data that was not meant for them. NFC eavesdropping is a form of man-in-the-middle attack and is theoretically possible, if unlikely.
Before you get too worried, remember how risky and difficult it would be for a hacker to get into the tiny range of a card reader without anyone noticing them. Even if they succeeded, the exposed data would probably be of little value to them and is likely to be encrypted.
3. Phone malware
A malware download could be triggered using NFC signals. In 2019, a vulnerability was found in some Android devices that could let someone using NFC to prompt an Android device to download an application. Normally, Android users are not meant to download apps from sources other than the Google Play Store, and attempts to do so generate warnings. Using this bug to prompt the download did not trigger any warnings, though the user was still required to confirm the download. Though the bug was patched, it demonstrated that NFC does have at least the potential to trigger a malware installation.
4. Relay attack
In a relay attack, a device is physically near the NFC transaction and picks up the transferred data, just like in an eavesdropping attack. This information is then sent directly to another device, where it can be used for malicious purposes. The name of this attack comes from the fact that the device used to grab the data initially doesn’t actually do anything with it, but instead relays it to another device.
Some NFC tags can be cloned, meaning that a new device is given the same NFC profile as the original. You may also see this process referred to as NFC spoofing. If a company uses NFC security keys to regulate access to devices or physical spaces, a bad actor could clone an employee’s NFC key and then use it to gain unauthorized entry to whatever that key was protecting. If someone has temporary access to a security key, they could clone it without raising the same level of suspicions that they would if they stole the original key.
6. Social engineering
Social engineering attacks involve bad actors manipulating people through social interactions to perform potentially risky actions. In the context of NFC, it could be possible to use social engineering tactics to convince someone to place a phone or other NFC-enabled device close enough to an NFC scanner that an unauthorized NFC interaction might occur. Again, however, attacks like this involve hackers putting themselves in risky, in-person situations, and this is a rare occurrence.
Skimming is probably one of the first threats that comes to mind if you think about NFC risks. In a skimming attack, someone with an NFC device gets physically close enough to your phone or contactless card to trigger a transaction. For example, a thief could walk past you in the street and initiate a payment from your mobile wallet via a handheld card reader. For this to work, the attacker would need to bring their device within a few centimeters of yours, probably requiring them to know exactly where your phone was on your person.
8. Stolen NFC keys
NFC technology is increasingly being used for identity verification. Relying on physical access to a device to authenticate someone’s identity is risky, however, because it means that a person who steals an NFC tag or security key could gain unauthorized access to places and systems protected by the stolen device.
9. Replay attack
A replay attack is very similar to a relay attack, except for one detail. Instead of using the relayed data right away, the hacker stores the information and attempts to replay the transaction later, with money being transferred to the hacker’s account instead of the original receiver’s.
10. Incorrect payment amounts
While this is more likely to occur by accident than through malicious intent, there is always a possibility that an incorrect payment amount is entered into a card reader. When using chip and pin, you are likely to see the payment amount on screen and notice if it is more than you expected. On the other hand, with NFC-enabled cards and payment apps, you could easily tap and pay without spotting the problem.
How to secure yourself from NFC risks
The first thing to remember about NFC tech and its attendant risks is that, for most people, the dangers are very minimal. Hackers have far more sophisticated methods for targeting victims — methods that don’t involve them hanging around checkouts or wandering through crowds with an NFC reader.
To maintain a high level of NFC security, the best thing you can do is keep your NFC-enabled devices close by and set up two-step verification for NFC keys and on credit and debit cards.
An NFC security key is of little use to a hacker if it only works in conjunction with a password or a biometric fingerprint scan. Likewise, a stolen NFC-enabled bank card won’t do a thief much good if they need access to a password-protected app on your phone to complete payments.
Overall, NFC is a safe and reliable payment method, provided you take a few simple precautions to secure your mobile wallets and NFC keys.