The Security Caveats of NFC Payments

The idea of paying for something without using your PIN number is no longer new. Despite that, the concept exposes you to just as many vulnerabilities as it did before, if not more.

Previously, I have written about Android Pay’s PIN-less mobile payment system and the negative consequences people can suffer by replacing their PIN numbers with biometric authentication. Now there are devices such as NFC payment rings that further exacerbate the vulnerabilities of other similar solutions. There are a couple of things you should know before you hop on the bandwagon of convenience that contact-less payments provide.

People Can Listen in on Transactions

Eavesdropping on radio signals is by far one of the oldest practices in modern history. We’ve been doing it since the First World War and relied on it heavily the second time around. Devices may have become more advanced, but the technique is still relatively untouched: you make a listening device that tunes into the same radio frequency that two other parties are using and listen in on them.

Hackers and researchers have been aware of NFC eavesdropping since at least 2013 when some folks crafted a shopping cart that could easily slip in and “listen” to transactions being made by contact-less payment. To prevent such a phenomenon from happening, readers need to encrypt their connections from end to end. Even then, the possibility of eavesdropping still exists. For consumers to be reliably safe, it’s better to avoid using NFC in crowded places.

The Data Can Be Invalidated

This particular problem annoys retailers just as much as shoppers. A hacker can place a device near the reader that corrupts the data going into the reader, making it impossible to make a purchase at that particular counter. Hackers might have an incentive to do this in conjunction with eavesdropping to make sure that the customer does not empty their balance before the hacker has a chance to use it.

The solution to this problem is the same as it is for eavesdropping. Retailers should use secure channels for transmitting and receiving data on their NFC readers. Although this attack on its own doesn’t present a particular threat to either the retailer or the customer (just a lot of frustration), it’s worth repeating that it can be especially dangerous to the customer when hackers choose to combine it with eavesdropping.

The “Man in The Middle” Attack

A man in the middle (MiM) attack is a sophisticated form of eavesdropping in which the hacker intercepts the conversation between the NFC device and the reader processing the payment and sends false information to both. This way hackers can invalidate data (sending the reader garbage information as I’ve described above) and receive the NFC payment themselves based on what the NFC device tried to send to the reader.

Because of their sophistication, such attacks are very rare, but the vulnerabilities currently present in NFC transactions create an incentive for hackers to start investing more time in making tools that will carry out these attacks. To make matters worse, hackers can actively listen in on the connection before the encryption “handshake” is complete, making encryption rather useless at this point. But one thing retailers could do is to have an active-passive style of communication where the NFC device simply sends over its data, and the reader simply processes the information and sends back purchase confirmation.
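As an added example (not from the original article), here is a simplified model of what the "secure channel" advice in the last two sections depends on: a reader that accepts a payment message only if it carries a valid authentication tag over a fresh challenge. The pre-provisioned key, the field layout and all function names are assumptions for illustration; real contactless cards use EMV cryptograms rather than this scheme.

```python
import hashlib
import hmac
import secrets
import struct

# Assumption: per-device key provisioned in advance, never sent over the air.
DEVICE_KEY = secrets.token_bytes(32)


def device_respond(key, challenge, amount_cents, counter):
    # Device side: tag covers the reader's fresh challenge, amount and counter.
    body = struct.pack(">QI", amount_cents, counter)
    return body + hmac.new(key, challenge + body, hashlib.sha256).digest()


class Reader:
    def __init__(self, key):
        self.key, self.last_counter, self.challenge = key, -1, b""

    def new_challenge(self):
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def verify(self, frame, expected_amount):
        challenge, self.challenge = self.challenge, b""  # single use
        if not challenge or len(frame) != 12 + 32:
            return "rejected: malformed"
        body, tag = frame[:12], frame[12:]
        good = hmac.new(self.key, challenge + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return "rejected: bad tag"
        amount, counter = struct.unpack(">QI", body)
        if amount != expected_amount or counter <= self.last_counter:
            return "rejected: wrong amount or stale counter"
        self.last_counter = counter
        return "accepted"


def demo():
    # Constructed sample transaction: 12.50 in cents, counter values 1 and 2.
    reader = Reader(DEVICE_KEY)
    frame = device_respond(DEVICE_KEY, reader.new_challenge(), 1250, 1)
    results = {"genuine": reader.verify(frame, 1250)}
    reader.new_challenge()
    results["replayed"] = reader.verify(frame, 1250)  # old frame, new challenge
    fresh = bytearray(device_respond(DEVICE_KEY, reader.new_challenge(), 1250, 2))
    fresh[3] ^= 0x01  # one bit corrupted in transit
    results["corrupted"] = reader.verify(bytes(fresh), 1250)
    return results
```

The tag check makes corrupted, altered or previously captured frames fail closed at the reader. It does not hide the data from a listener or stop someone from jamming the counter.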

Never Underestimate Pickpockets

Of course, when you’re not cut out for cleverly hacking your way into payment portals, your best option is to simply grab whatever people are using to pay for things these days. A card is a bit harder to steal since you’d normally have to steal the entire wallet which is sitting inside of a pocket most of the time (some people use their inside coat pocket for their wallets, making this more challenging).

But phones are often kept outside of pockets and easily get lost. Even if they are in a pocket, most people won’t treat their phones with as much care as they do their wallets. NFC payment rings take this a little bit further since it is even easier to lose rings. Stealing them is only a matter of finding an opportune moment when someone takes off their rings to wash their hands.

My suggestion for people using phones is to make sure they have some way to remotely lock the device down if it’s lost. Other than that, you should avoid NFC payments entirely if it is very important for you to minimize the chances of your money being stolen in any of the nasty ways I’ve described above.

Do you use NFC payments? How do you protect your finances? Tell us in a comment!

Miguel Leiva-Gomez
