Story

NFC, business opportunities, security and privacy issues

Excerpt from the article published on the last edition of PenTest AUDITING & STANDARDS 04 2012. 

The NFC technology

Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity. The standard describe a radio technology that allows two devices to communicate at a short distance, no more than a few centimeters, allowing the exchange of information quickly and safely.

From the user-end, NFC represents a true revolution, the possibility to provide in an unique devices a mobile wallet, a credit and debit cards, a tag for dynamic identification, an instrument to share information. For this reason NFC technology is really desirable for different business and marketing models.  The NFC solutions have the ambitious task to be the link across diverse fields from health care to telecommunication.

The NFC technology is widely used in many areas and the main applications that can benefit from its introduction are:

  • Payment via mobile devices such as smartphone and tablets.
  • Electronic Identity.
  • Electronic ticketing for use in transportation.
  • Integration of credit cards in mobile devices
  • Data transfer between any kind of devices such as digital cameras, mobile phones, media players.
  • P2P (peer to peer) connection between wireless devices for data transfer.
  • Loyalty and Couponing/Targeted Marketing/Location-Based Services
  • Device Pairing
  • Healthcare/Patient Monitoring
  • Gaming
  • Access Control/Security Patrols/Inventory Control (tags and readers)

NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 related to Identification cards, contactless integrated circuit cards  and proximity cards.


From a technological perspective NFC is an extension also of the standards ECMA and ETSI, and describe the integration of a smart card with a terminal device.

All NFC devices allow writing and reading of information at a high speed (424Kbis / s) once two devices approaching less than few centimeters away, creating a wireless connection, which is also compatible with the already known Wi-Fi and Bluetooth. The short distances between terminals of communications make it more secure, making really difficult data "sniffing".

An NFC device can communicate with existing card readers and ISO 14443 as with other NFC devices, these features make it compatible with existing RFID infrastructures.

When we speak about NFC today we immediately refer mobile communication and the possibility to extend the usage of mobile devices as payments terminal. Major firms such Nokia and Google are developing a lot of project related this scenarios anyway we must consider that NFC could be adopted in various areas, healthcare for example. NFC devices can operate in three mode mainly:

  1. as card emulators, providing an alternative storage for information memorized  in a plastic card.
  2. in peer-to-peer mode, where a couple of devices exchange and.
  3. as card/tag reading and writing mode  where an NFC device read or change information stored in an RFID tag or contactless card.

Many US corporations have or are planning to provide NFC devices or solutions, including device manufactures such as Google and Apple, financial services as MasterCard and Visa, Citigroup and also mobile operators such as AT&T and Verizon, big  companies that drive the business and the markets are massive investing on the technologies attracting a multitude of minor firms that provide development for the incoming standard.

The killer application for the future is the one that will make possible for multiple card issuers and payments processors to share space on an NFC handset opening the technology to a scenario rich of applications.

We are in front of one of the business opportunity of our times, several international researches have confirmed it with providing extraordinary figures, according Deloitte firm in fact:

  • Within in 2013 there may be as many as 300 million NFC smartphones and other mobile devices
  • 1 in 6 users worldwide will have an NFC-enabled phone by 2014
  • NFC-based mobile transactions are expected to reach nearly $50 billion worldwide by 2014
  • 500 million people around the world will use their mobile devices as travel tickets on metros,
  • subways and buses by 2015; NFC will drive this growth

The 2015 will be the year of the consecration of NFC technology, over 50% of smartphones will have NFC capability (Gartner Research), NFC technology will be the most-used solution for mobile payment and NFC will enable worldwide transactions totaling about $151.7 billion (Frost & Sullivan), global mobile transactions predicted to grow to more than $1 Trillion by 2015 (Yankee Group), it’s clear the dimension of the business related the standards.

The expected success of the NFC introduction in several sectors will attract the interest of worldwide hackers and cyber criminals, let's remind that the born of a new technology is an unrepeatable opportunity to exploit 0-day vulnerabilities, in the specific case an attack to the standards could impact several sectors with serious consequences.

Although the communication range of NFC is limited to a few centimeters, the standard does not ensure secure communications and several types of attacks are already known in literature. The current ISO standard doesn’t address these attack methods, for example the NFC despite suffers Man In The Middle attacks no protection is offered against eavesdropping making exchanged data vulnerable to data modifications.  Following a short list of the main attacks know of NFC technologies:

  1. Data modification
  2. Eavesdropping
  3. Relay attack
  4. Data Corruption
  5. DDoS Attack
  6. Man In The Middle attack

Near field technology will have also a potentially dramatically impact user’s privacy, as with credit cards, sensitive data are stored on NFC devices that will become targets for cyber criminals. The good news is the security level provided by a device like a smartphone could be better than the one provided by a smartcard.

NFC technology will become omnipresent in our lives, many devices surround us will implements the standards from the mobile phone to the access management system of our office. Payments, accesses, visited places, all this information can be acquired monitoring an NFC devices associated to our identity.

Anyway we must consider that NFC usage could be extend to several sector, from private business to military, for this reason security and privacy are most concerning issues. Several studies indicate that most consumers do not understand current risks and are not diligent about the security of their mobile devices.

"The risks to personal privacy must be addressed," say the authors of "Near Field Communications; Privacy, Regulation & Business Models". "This is not only to protect against surveillance, but it is essential to ensure that there is confidence in the marketplaces that may yet emerge with widespread use of NFC.”

There is no doubt that the NFC will be a revolution in different sectors offering the possibility of having an "all in one" device integrable in a simple and practical way in every architectural solution.

Marketing experts foresee a sustained growth which they must comply, in my opinion, the implementation of security mechanisms and appropriate laws and regulations that take into full account the privacy of users.

Pierluigi Paganini

References

http://securityaffairs.co/wordpress/5090/hacking/nfc-business-opportunities-security-and-privacy-issues.html