How secure is mobile Near Field Communications (NFC)?

19 07 2012

Early this September the iPhone 5 is speculated to join the ranks of Near Field Communication enabled smartphones, but how secure is this technology? Near Field Communication (NFC) is a short-range wireless communication protocol between two devices. It is currently used for a variety of micro-transactions, for example Citibank PayPass, Google Wallet, and Foursquare check-ins using Samsung's TecTiles. With NFC focused on monetary micro-transactions, it is important to understand how it is vulnerable to attack: eavesdropping, skimming, malicious apps, and theft.

Eavesdropping on NFC traffic happens while the owner is actively using NFC, whereas skimming can happen without the owner taking the phone out of their pocket. With a modified antenna on an NFC or modified RFID device it is possible to listen to the NFC exchange beyond the typical range of about four inches. A simple brush past a phone would also be enough to copy the NFC data, and it is hard to detect, especially in a crowded area. There are currently several software tools for attacking NFC-enabled phones: Collin Mulliner's Python NDEF library, an app called "Google Wallet Cracker", and a free app in the Google Play store called Ecardgrabber.

Malicious apps in mobile app stores are a present-day reality: on July 5th an app called "Find and Call" was in Apple's App Store, and on June 24th "Super Mario Bros" was in the Google Play store. Both apps have been pulled, but an unknown number of address books have been sold and an unknown number of premium SMS messages, costing the owners money, have been sent by these approved mobile apps. The same malicious developers can make NFC apps that operate normally but send a copy of all stored credit cards to the developer. Not all consumers are savvy enough to protect themselves, and the app stores have proven they cannot protect their user base from every piece of malicious code.

NFC is also vulnerable to physical theft, and with the current implementation of Google Wallet there are at most two passcodes between the thief and the NFC vault of sensitive information. However, those two passcodes won't protect the average user, because according to Sophos 67% of users do not have a password on their phone and the most common passcode is "1234". There have also been proven exploits on the Android platform to reset both the device and Google Wallet's PIN using a prepaid phone card.

Using a smartphone for Near Field Communication is secure, though not absolutely secure; with safe habits and industry support it can become a great tool. NFC has more security than the existing cell phone SMS payment methods and the industry support necessary to continue growing. Visa and Samsung believe in NFC: they are giving every Olympian a Samsung Galaxy S3 with Visa payWave.

_______________

http://www.popsci.com/gadgets/article/2011-02/near-field-communication-helping-your-smartphone-replace-your-wallet-2010/
http://www.symantec.com/connect/blogs/ecardgrabber-android-app-sniffing-contactless-credit-card-details-over-air
http://blog.eset.com/2012/04/23/qr-codes-and-nfc-chips-preview-and-authorize-should-be-default
http://nakedsecurity.sophos.com/2011/09/20/google-wallet-throw-away/
http://blogs.mcafee.com/mcafee-labs/mobile-nfc-features-raise-security-concerns
http://blogs.mcafee.com/enterprise/mobile/cracking-open-your-google-wallet
http://www.wired.com/gadgetlab/2012/07/first-ios-malware-found/
http://www.pcworld.com/businesscenter/article/259100/security_researchers_find_multistage_android_malware_on_google_play.html
http://blogs.mcafee.com/enterprise/mobile/nfc-payment-test-at-olympics-will-inspire-mobile-attackers-to-go-for-the-gold
http://pressreleases.visa.com/phoenix.zhtml?c=215693&p=irol-newsarticlePR&ID=1693590
