The Security Caveats of NFC Payments


The idea of paying for something without using your PIN number isn’t something new anymore. Despite that, the concept exposes you to just as many vulnerabilities as it did before, if not more.

Previously, I have written about Android Pay’s PIN-less mobile payment system and the negative consequences people can suffer by replacing their PIN numbers with biometric authentication. Now there are devices such as NFC payment rings that further exacerbate the previous vulnerability issues of other similar solutions. It turns out that there are a couple of things you should know before you hop onto the bandwagon of convenience that contact-less payments provide.

People Can Listen in on Transactions


Eavesdropping on radio signals is by far one of the oldest practices in modern history. We’ve been doing it since the First World War and relied on it heavily the second time around. Devices may have become more advanced, but the technique is still relatively untouched. You make a listening device that tunes into the same radio frequency that two other parties are using and listen in on them.

Hackers and researchers have been aware of NFC eavesdropping since at least 2013 when some folks crafted a shopping cart that could easily slip in and “listen” to transactions being made by contact-less payment. To prevent such a phenomenon from happening, readers need to encrypt their connections from end to end. Even then, the possibility of eavesdropping still exists. For consumers to be reliably safe, it’s better to avoid using NFC in crowded places.

The Data Can Be Invalidated


This particular problem annoys retailers just as much as shoppers. A hacker can place a device near the reader that corrupts the data going into the reader, making it impossible to make a purchase at that particular counter. Hackers might have an incentive to do this in conjunction with eavesdropping, to make sure that the customer does not empty their balance before the hacker has a chance to use it.

The solution to this problem is the same here as it is for eavesdropping. Retailers should use secure channels for transmitting and receiving data on their NFC readers. Although this particular attack doesn’t present a particular threat to either the retailer or the customer (just a lot of frustration), it’s worth repeating the fact that it can be especially dangerous to the customer when hackers choose to combine this with eavesdropping.
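What a secure channel gives the reader against corrupted data and re-used captures can be shown in a few lines. This is an added example, not code from the original article and not a real payment protocol: the shared key, the frame layout and the names `build_frame` and `Reader` are assumptions, and it covers integrity and freshness only, not encryption.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, FIELDS_LEN, TAG_LEN = 16, 12, 32  # nonce, counter+amount, HMAC-SHA256


def build_frame(key, reader_nonce, counter, amount_cents):
    """Device side: bind the reader's nonce, a counter and the amount under a MAC."""
    body = reader_nonce + struct.pack(">IQ", counter, amount_cents)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Reader:
    """Reader side: accept a frame only if it is authentic and fresh."""

    def __init__(self, key):
        self.key, self.last_counter, self.nonce = key, 0, None

    def challenge(self):
        self.nonce = secrets.token_bytes(NONCE_LEN)  # new value per payment attempt
        return self.nonce

    def verify(self, frame):
        if self.nonce is None or len(frame) != NONCE_LEN + FIELDS_LEN + TAG_LEN:
            return "rejected: no challenge or malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: corrupted or forged"
        counter, amount = struct.unpack(">IQ", body[NONCE_LEN:])
        if body[:NONCE_LEN] != self.nonce or counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter, self.nonce = counter, None  # each nonce is single-use
        return f"accepted: {amount} cents"


def demo():
    key = secrets.token_bytes(32)  # constructed key, assumed provisioned out of band
    reader = Reader(key)
    frame = build_frame(key, reader.challenge(), 1, 1250)  # constructed payment
    damaged = bytearray(frame)
    damaged[20] ^= 0x01  # one bit changed in transit
    results = [reader.verify(bytes(damaged)), reader.verify(frame)]
    reader.challenge()  # next payment attempt at the same reader
    results.append(reader.verify(frame))  # previously captured frame sent again
    return results
```

A damaged frame still fails the purchase, which matches the frustration described above, but the reader never acts on altered data and a captured frame is useless for a later payment.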

The “Man in The Middle” Attack

Described in better detail over here, a man in the middle (MiM) attack is a sophisticated form of eavesdropping in which the hacker will intercept the conversation between the NFC device and the reader processing the payment and send false information to both. This way hackers can invalidate data (sending the reader garbage information as I’ve described above) and receive the NFC payment themselves based on what the NFC device tried to send to the reader.

Because of their sophistication, such attacks are very rare, but the vulnerabilities currently present in NFC transactions create an incentive for hackers to start investing more time in making tools that will carry out these attacks. To make matters worse, hackers can actively listen in on the connection before the encryption “handshake” is complete, making encryption rather useless at this point. But one thing retailers could do is to have an active-passive style of communication where the NFC device simply sends over its data, and the reader simply processes the information and sends back purchase confirmation.

Never Underestimate Pickpocketers


Of course, when you’re not cut out for cleverly hacking your way into payment portals, your best option is to simply grab whatever people are using to pay for things these days. A card is a bit harder to steal since you’d normally have to steal the entire wallet which is sitting inside of a pocket most of the time (some people use their inside coat pocket for their wallets, making this more challenging).

But phones are often kept outside of pockets and easily get lost. Even if they are in a pocket, most people won’t treat their phones with such care as they do their wallets. NFC payment rings take this a little bit further since it is even easier to lose rings. Stealing them is only a matter of finding an opportune moment when someone takes off their rings to wash their hands.

My suggestion for people using phones is to make sure they have some way to remotely lock the device down if it’s lost. Other than that, you should be avoiding NFC payments entirely if it is very important for you to minimize the chances of your money being stolen in any of the nasty ways I’ve described above.

Do you use NFC payments? How do you protect your finances? Tell us in a comment!

Miguel Leiva-Gomez
