blog posts

How Does "Near Field Communication" Technology Work And What Security Risks Does It Have?

How Does “Near Field Communication” Technology Work And What Security Risks Does It Have?

“Near Field Communication” (NFC) Technology Has Been Attracting The Attention Of Users And Organizations For Some Time, And Due To The Good Benefits It Offers, It Is Expected That The Adoption Of This Technology Will Increase In The Next Few Years. 

However, the said technology is not without flaws, and you should pay attention to security issues when using it.

This article will examine the potential risks you should be aware of when using NFC.

What is near-field communication?

“Near-Field Communication ” is a short-range wireless connection technology that uses magnetic field induction to enable communication between devices when they touch or are within a few centimeters. The above technology is used in various fields such as validating credit cards, authentication, opening physical locks, transferring small files, and implementing wireless links.

The above technology is based on the radio frequency identification (RFID) tag ecosystem and expands the technology’s functionality. At first, it was supposed to be NFCIt is used to transfer files through smartphones using Android Beam, but the efficiency of the above technology made it used in more severe and advanced fields. For example, current services like Google Nearby Share use NFC to configure wireless services connected to networks like Wi-Fi Direct.

NFC allows users and organizations to use the inherent capabilities of devices such as smartphones efficiently. Today, all smartphones are equipped with NFC chips and applications such as Apple Pay, Google Pay, Samsung Pay, and similar examples that allow interaction with billions of RFID tags and terminals.

NFC allows users to load the details of various credit cards onto their smartphones and use them to make payments, access different parts of a building, open car doors, and more.

NFC supports interactive applications based on basic RFID capabilities, such as pairing devices with each other through common communication mechanisms in a simple way.

The NFC technology is a short-range encrypted wireless communication that can exchange information at an average speed of 424 Kb/s in the frequency band of 13.56 MHz. NFC is specially designed for smartphones and has the following three main features:

  •  It can use instead of credit cards, so you can use the mentioned technology, just like credit cards, to make financial transactions.
  •  It can be used as a reader of RFID tags.
  •  It can be used as a reader and transmitter. As a result, it enables the exchange of information between two devices equipped with NFC.

NFC is based on short-range communication; for example, a user must be within 3.5 inches (8.89 cm) of an NFC terminal to process a payment or open a door. Another essential feature of the above technology is that it consumes minimal energy to perform basic tasks such as listening and responding to requests.

NFC tags collect energy from smartphones or other devices through a magnetic induction mechanism, effectively implementing a form of wireless energy transfer. Once the power reaches the NFC tag, the tag transmits up to 32 Kbit of data, depending on the tag type.

Communication experts describe NFC technology as complementary to wireless technologies such as Bluetooth, Ultra Wide Band (UWB), Wi-Fi Direct, and QR codes. NFC is the easiest way to establish wireless communication; Hence, it plays an essential role in the ever-increasing expansion of the Internet of Things. However, it does not perform well in establishing and maintaining communication over long distances or periods.

How does NFC work?

NFC works based on three innovations: wireless tag readers, encrypted credit card processing, and peer-to-peer (P2P) connectivity. Based on RFID standards and specifications, such as ISO/IEC 14443 and ISO/IEC 15963, this technology allows users to use NFC in various applications. NFC’s significant difference from other technologies is the way data is sent. While most radio technologies transmit data through the emission of radio waves, NFC transmits data by inducing a magnetic field at a wavelength of 22 meters and a frequency of 13.56 MHz.

An essential aspect of transmitting data via inductive coupling instead of radio waves is that the field created by the radio waves fades away quickly. In this case, hackers can barely eavesdrop on credit card transactions, door access codes, and the like, but there are still risks.

The second major innovation of NFC is the encrypted credit card processing used for contactless payments. Public key cryptography allows the card to generate a new authentication code for each transaction without revealing the raw card details or the three-digit code behind it. As a result, it is difficult for hackers to obtain transaction details and identity information in crowded places.

Is NFC used in Iran?

The country’s first intelligent electronic transaction system, Samarai, was launched based on SIM card technology to develop e-government services by Rightel Communication Services Company. By using the NFC SIM card technology equipped with the “mobile signature service” of Rightel, for the first time in the country, provided a transparent, competitive environment between the suppliers of goods and services and facilitated and sped up the processes of electronic transactions through new technologies instead of tokens.

By offering this type of SIM card that is equipped with “Mobile Signature Service” (MSS) of Rightel, two critical factors of security and transparency of electronic transactions based on the latest standards of e-commerce in the world, i.e., proving the identity of the user and the citation of digital documents for all suppliers of goods and services using this The system is provided. Of course, Rightel is not alone in this field, and two operators, Irancell and Hamar first, have also provided services.

For example, Irancell’s NFC service is a mobile wallet that allows customers to make micropayments using their mobile phones. For example, a user can use a mobile phone while entering the subway or bus.

Ice. The first companion also provides an NFC service with the help of the Jeering service. More precisely, he places his mobile phone on the card reader and uses the service. The user’s smartphone must be equipped with NFC technology. Otherwise, an NFC antenna must be installed behind the mobile battery on the SIM card to use the above service.

Jeering’s NFC service is different from Irancell’s service. In the above service, you do not need a SIM card with NFC capability, and having a phone equipped with NFC is not. This service is a tag that, by sticking on the back of any mobile phone, the user can make micropayments.

Essential applications of NFC technology

As we mentioned, NFC technology has many applications, the most important of which are secure access to resources, financial transactions, and tracking the status of employees in an organization, with their knowledge or sometimes without their knowledge. This issue has caused privacy protection organizations to express concern about tracking without the knowledge of employees. Of course, the range of threats is not limited to monitoring employees, and this technology faces serious challenges such as fraud in processing and payments, eavesdropping, and replay attacks.

NFC is used for proximity data exchange and can be supplemented with RFID capabilities to extend the operating range of NFC   tags.

In recent years, the use of NFC in the devices used by users has grown significantly. With the release of Android KitKat, Google provided support for the above technology to Android and Apple along with the iOS 11 update to support NFC so that users immediately notice the above technology, organizations, and financial institutions.

Among the primary applications of this technology in consumer devices, we should mention the Tap-to-Pay capabilities provided by Apple Pay and Google Pay. At point-of-sale terminals, NFC enables contactless payment via smartphones or NFC-enabled credit cards.

In connection with institutional users, NFC is used in smart cards to control access to different parts of the building and open doors with smart locks. Also, it is possible to use the technology mentioned above for authentication, so some countries require passports equipped with NFC technology. have been used to prevent the forgery of passports.

The chips used in electronic passports have a memory of 32 kilobytes, and information such as facial recognition, fingerprints, and iris information of people are stored in them so that the identity recognition process can be done faster at the entry gates of countries.

The most significant advantage of the above chip is that it has made the process of forging passports more difficult than before, as each ticket and chip has an uncopyable identification number to reduce the possibility of any forgery or theft. In this case, the passport scanners use hashing and digital signature functions to read passport information.

NFC technology can use intelligent tags such as Apple AirTags, Samsung Galaxy SmartTags, and Tile titles to make it easy for the IT team to track devices and users within an organization.

Potential risks of NFC for companies

NFC is an easy-to-use technology for consumers and businesses because it is the easiest to use. However, there are some potential security risks surrounding it.

1. Privacy

One of the most significant security risks is the violation of people’s privacy. Hackers can use this technology, specifically Apple AirTags, to track users’ locations without their knowledge. With the design of NFC intelligent tags, the possibility of tracking devices has become easier than before. For example, if someone has a card equipped with an NFC tag in their wallet, it is possible to identify their location. Now, if this person is a large organization’s CEO or senior manager, hackers can locate every place he goes using advanced tools.

2. Payment fraud

Another risk surrounding payment via NFC is the possibility of misuse and fraud. Unlike traditional credit card payments that involve a digital signature that shows the person’s identity or EMV chips and PIN payment mechanisms, NFC payments do not have this extra validation step. Hence, there is no way to verify that a person using an NFC -enabled smart card is the card owner.

3. Data manipulation

NFC is a suitable option for sending and receiving data over short distances. Still, if proper encryption mechanisms and security controls are not used, the possibility of data manipulation is not far off. Data tampering may be accomplished by using an unauthorized card reader device that tampers with the data exchange. For example, it is possible to falsify transaction information so that withdrawals are made with higher amounts than the user would see when using a contactless payment method.

A hacker can manipulate the data transferred between two NFC devices if they are within range of the two devices exchanging information. Data corruption is the most common form of tampering, known as “Data Disruption” or “Data Destruction.”

Data corruption occurs when a third party attempts to corrupt data in transit between devices. It is done by inserting invalid information in the communication channel, which leads to channel blocking. In this case, the original message becomes unreadable. Unfortunately, there is no solution to prevent the destruction of NFC data, but it is possible to identify the source that caused this problem.

4. Eavesdropping and data interception

From a technical perspective, NFC is a short-range technology. To be more precise, the two parties in the process of sending and receiving data must be physically close to each other. In such a situation, it is not possible to implement a man-in-the-middle attack. So that hackers can listen and intercept the information exchanged between two nodes. This type of attack is sometimes called RFID skimming. Data interception occurs when a hacker eavesdrops on data between two NFC devices. Once the data is intercepted, the hacker can do one of three things:

  •  Passively capture data and send it to the recipient without manipulation.
  •  Send information to a third-party device.
  •  Alter the information so that the actual recipient receives false data.

More precisely, it is possible to intercept data by implementing a man-in-the-middle attack. A man-in-the-middle attack is dangerous because hackers can steal sensitive data, but the success rate is low due to the short range of NFC. Also, encryption and a secure communication channel can thwart attempts to intercept data.

5. Replay attacks

Another security risk surrounding NFC is related to payments based on this technology. So that cybercriminals can use the replay attack technique of a session.

In a session replay attack, the information used to execute a transaction in a session is replayed or repeated a second time to record the transaction twice for the user. Session replay attacks are not unique to NFC and are used by hackers in various contexts. Still, successfully implementing this attack with NCF will make a user pay twice as much to purchase an item while assuming that only one payment has been made.

6. Download mobile malware

As we mentioned, NFC was developed to transfer data between mobile devices. A hacker may try to send some malware to users’ phones or organizational devices through the above technology.

How do we reduce security risks around NFC?

Companies and users who intend to use NFC technology should be aware of its security risks, but there are ways to reduce the risks surrounding this technology. Among the essential strategies to minimize risks, should mention the following :

Update operating system and software

A significant part of the risks of NFC is due to the lack of patching of the operating system or the application that uses the above technology. When a vulnerability is identified, and information is released, companies release updates to patch the firmware, operating system, and application.

Privacy improvements aimed at limiting unwanted tracking

NFC smart tags can also mitigate risks by notifying users of potential privacy breaches. For example, Apple sends alerts to AirTag users as part of its new operating system update. This alert informs users that they can use NFC intelligent tags to track users. This warning is sent because tracking users in some countries without their information is punishable. In addition to warning users to identify programs that track their location without their knowledge, Apple has provided solutions to disable this technology.

Make sure encryption is configured correctly.

Enterprise users looking to mitigate attack vectors such as man-in-the-middle and replay should ensure that encryption is configured correctly. Encryption is essential when dealing with data in transit using the Transport Layer Sockets (TLS) protocol, which encrypts data as it travels from one point to another. The above protocol prevents replay attacks aimed at data manipulation from being successfully implemented.

Do not use untrusted sales terminals.

If you have purchased NFC -based payment cards, use only trusted card readers. It also applies to regular bank cards. When you go to a store to make a purchase, the POS device must be in front of you. Otherwise, the seller may use a scanner to copy the technical information of the card. If you feel that the point of sale terminal has been tampered with in a way that does not work correctly, look for another payment method if possible.

If NFC auto-download is enabled, disable it.

Most modern devices do not allow the automatic data transfer by default. Instead, they display a dialog box the user must touch to send or receive data. To reduce the risk of transmitting sensitive data, ensure that devices are not sending or receiving data without your knowledge.