NFC: Growing market, growing threat?
By Daniel Ross
With the often-hurried pace of life today, more Australians are using contactless payments to make small purchases quickly. But the tap-and-go trend has security experts warning of a marked increase in mobile malware intended to capture your cash.
These quick payments use a technology called near-field communication (NFC) that allows information to be passed between a chip in the card or phone and an NFC reader at the till. Visa and MasterCard rolled out NFC-enabled cards and smartphone devices in 2009. If you've ever used payWave or PayPass you know what they are.
Aussies have proven receptive to the ease with which contactless payments are made. All you need to do is hold an NFC-enabled card or mobile phone up to a merchant's NFC point-of-sale terminal and the payment automatically goes through.
While the convenience is a plus, stories from CBC News and other news organisations have shown the darker side of this payment option. It's vulnerable to new technology, such as mobile apps that can skim information from NFC devices -- a problem some experts expect to worsen as more Aussies jump on the NFC bandwagon.
"This is the future of pick-pocketing," says Tom Kellermann, vice president of security at Trend Micro, a global Internet security firm. "Last year there was a 550 per cent increase in mobile malware detected by Trend Micro ... There are now 504,000 pieces of mobile malware out there hunting Android devices, all of which use NFC."
There are a number of ways hackers can target NFC-enabled devices. Kellermann says one such method works in a similar vein to "man-in-the-middle" cyber-attacks, whereby information is intercepted by an eavesdropper posing as someone else. In the case of NFC attacks, information relayed via radio waves is intercepted by an attacker posing as a merchant.
"The new name for it is merchant-in-the-middle attacks," says Kellermann. "You as a criminal can pretend to be a merchant terminal and you can be any man on his laptop going about his work."
In other words, when an NFC device is used to make purchases, a merchant-in-the-middle can use a computer to hack into the pay terminal and intercept the information without the purchaser's knowledge.
"There is never any form of authentication between the (NFC) device and the terminal," Kellermann says.
Kellermann says a hacker must be within six meters of the victim's NFC device to use the merchant-in-the-middle tactic -- a trick made easier by how effortlessly contactless payments are conducted.
Others disagree. Max Sobell, a senior consultant at New York-based security firm Intrepidus Group, believes "merchant-in-the-middle" attacks are almost impossible to achieve, and disagrees with Kellermann about the distance needed between the attacker and their victim.
"I have never seen an eavesdropping attack from any great distance. It's just a pretty impractical premise," he says.
There are other types of attacks that have raised concern. NFC skimming involves a hacker intercepting communications between a payment card and payment terminal without the customer's knowledge. But Sobell says skimming is difficult to accomplish and comes with little financial gain. This is because of a payment verification process that limits the number of times a payment can be fraudulently sought.
Every time a payment is authorized, Sobell says, a security code is used as part of the verification process. With traditional mag stripe cards, the security code can be used an unlimited number of times. The security code produced for a contactless payment authorization is dynamic and is only good for one payment.
"This is one of the main reasons mag stripe is so insecure in comparison to NFC mobile wallets," says Sobell.
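The difference Sobell describes can be shown in a few lines. The sketch below is an added example, not code from the article or from any card scheme: the HMAC derivation, the transaction counter and every name in it are assumptions standing in for the real scheme algorithms, and the key and codes are constructed sample values. A captured static code keeps working, while a captured dynamic code is refused on replay.

```python
import hmac
import hashlib

CARD_KEY = b"constructed-demo-key"   # constructed sample key, shared by card and issuer
STATIC_CODE = "123"                  # constructed static mag-stripe security code


def dynamic_code(key: bytes, counter: int) -> str:
    """Derive a 3-digit code bound to one transaction counter value.

    Assumption: HMAC-SHA256 is a stand-in for the card scheme's own algorithm.
    """
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Issuer:
    """Hypothetical issuer-side verifier for one card."""

    def __init__(self, key: bytes, static_code: str):
        self.key = key
        self.static_code = static_code
        self.last_counter = 0  # highest counter already accepted

    def authorize_magstripe(self, code: str) -> bool:
        # The static code never changes, so a copy is valid indefinitely.
        return hmac.compare_digest(code, self.static_code)

    def authorize_contactless(self, counter: int, code: str) -> bool:
        if counter <= self.last_counter:
            return False  # counter already used: replayed or stale
        if not hmac.compare_digest(code, dynamic_code(self.key, counter)):
            return False  # code does not match this counter
        self.last_counter = counter
        return True


def replay_demo() -> dict:
    """Submit one captured code three times over each channel."""
    issuer = Issuer(CARD_KEY, STATIC_CODE)
    captured = (1, dynamic_code(CARD_KEY, 1))  # one intercepted contactless payment
    return {
        "magstripe": [issuer.authorize_magstripe(STATIC_CODE) for _ in range(3)],
        "contactless": [issuer.authorize_contactless(*captured) for _ in range(3)],
    }
```
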
Another form of NFC hacking is what Sobell calls a tap attack: when an attacker uses a mobile point-of-sale system or other device to harvest credentials in close proximity to the victim, such as on a crowded subway.
This is difficult to accomplish on the grounds that an attacker must get extremely close to the victim, with the device over the other person's pocket. The hacker must also keep the device there for a length of time -- up to 30 seconds in some cases.
Chip and PIN: the security platform for NFC
The EMV chip (EMV stands for EuroPay, MasterCard and Visa, and the standard is commonly referred to as "chip and PIN") has provided the bellwether in credit card security for the past 15 to 20 years. Visa, for instance, has mandated all Visa card transactions use EMV chip and PIN as the verification method.
According to Judy Shaw, director of corporate relations at Visa, while the Visa payWave cards and mobile devices are not fitted with EMV chips, their security systems are based on the EMV security platform.
"We provide multiple layers of security," says Shaw. "On top of that, we monitor all transactions that flow through the Visa network."
She says the mobile device, as a matter of its functionality, comes with added security measures. In case of fraud, the mobile can be deactivated immediately. You can add an extra password before you open the payment option, and it's not linked to other apps, heightening safety from malware attacks.
Should you fall victim to an NFC hacker, Shaw says consumers can expect the same protections given to all victims of credit card fraud: "If there are instances of fraud, consumers can enjoy the same coverage from liability."
As for a record of contactless payment fraud, Shaw says Visa has seen no impact on rates as a result of the uptake of contactless payments.
"The types of fraud attacks that have been highlighted in the media have not been reported in the real world," Shaw says. "The multiple layers of security that protect the transactions make it very difficult to accomplish in the real world and it is unattractive to fraudsters because of the limited potential for gain."
Shaw says 110,000 merchants operate with devices that accept contactless payments. This includes major national retailers. "One of our largest supermarkets, Coles, says nearly half of all their credit card transactions are now contactless," Shaw says.
Visa is also in the process of piloting a number of new contactless technologies with mobile operators Optus and Vodafone. In January, Optus announced its m-wallet payment system, while Vodafone rolled out plans for its SmartPass app last November. Both work in conjunction with Visa payWave.
As new NFC technology finds its way onto the market, Shaw admits there are teething problems to be ironed out. "With all the roll-outs and the new [NFC] technology...it's an educational process," she says.
Sobell, from Intrepidus Group, says the best defence against m-payments theft is the built-in security mechanism to help limit payments.
He suggests doing the following to help prevent attacks:
1. Setting a passcode on the device. In case of loss or theft, an attacker will not have the opportunity to access your wallet application.
2. Setting a short timeout on your mobile application. The NFC device will lock after the timeout and requires the user to enter his or her PIN again.
3. Ensuring your mobile device PIN is complex, and not something an attacker can easily guess. Never write down this PIN anywhere in the device's storage.
Published: May 13, 2013