18

I don't have an NFC-enabled device and I couldn't find any information about this in Google. What is it that protects me against an attacker with a portable NFC terminal charging payments by just bumping into me on the street? Do all NFC devices require user interaction to confirm payment?

I can see how a mobile phone might ask me to confirm the payment, but an NFC-enabled credit card is unlikely to have the input or output devices to prompt me for such a confirmation.


One major factor in NFC security is that near field is difficult to range-extend and so charge from a distance, but it has been demonstrated up to 115 cm, which is not as crazy as the range extension for keyless car entry, but still significant.

RomanSt

  • Additional information from 2006. http://events.iaik.tugraz.at/RFIDSec06/Program/papers/002%20-%20Security%20in%20NFC.pdf – Bernie White Jul 03 '12 at 19:46

3 Answers

10

There is nothing to stop the NFC being read from a card in the UK according to this study conducted recently by a security firm called ViaForensics.

On an NFC-enabled phone, the article states that the NFC hardware is switched off when the screen is not lit.

original link (broken as of 2015-oct-27)

SomethingSmithe

  • On an NFC-enabled phone, whether NFC is disabled when the screen is off is determined by power saving considerations, not by security considerations. One NFC use case requires NFC always-on (transportation), but this is a battery drain so vendors are divided as to what to do. – Gilles 'SO- stop being evil' Jun 28 '12 at 18:15
8

The card is supposed to authenticate the reader, so that only legitimate (bank-issued) readers can access the card. This does not preclude a legitimate reader making fake payments, either because the merchant is dishonest or because the reader was stolen. The payment should be traceable though, and the bank should be responsible for any charge resulting from their lack of security.

Banks and other providers of financial services are waffling between always requiring a PIN (which is disruptive, and is vulnerable to terminal spoofing anyway) and not requiring a PIN for small transactions (which is risky, but practically required for use cases such as paying for a subway ticket when passing a fare gate).

Note the “supposed to”, “should”, etc. This is a new ecosystem, and the security expectations haven't crystallized yet. The security achieved by NFC cards and devices tends to be less than chip-and-PIN contact cards, but more than filling out the card number and expiration date on a web page.

Gilles 'SO- stop being evil'

  • This seems to be incorrect in that the card doesn't authenticate the reader at all. The reader does authenticate the card, however. You can read the details off a card and get a transaction approved by a card just using a PC or a phone; the card doesn't care where the commands are coming from. – Peanut Aug 05 '13 at 17:32
  • I'd go for a system that requires me to simply press a button on the card while it's being processed, just to confirm that someone is physically in possession of the card and intending to pay with it. This would preclude anyone charging me when it's in my pocket, without requiring a PIN. A reasonable trade-off maybe? – RomanSt Apr 18 '15 at 16:35
2

You have to enter a PIN to complete the transaction. Source: http://www.google.com/wallet/how-it-works-security.html

Thawab

  • How do you enter a PIN on a **card**? – curiousguy Jun 28 '12 at 12:41
  • @curiousguy http://www.google.com/wallet/what-is-google-wallet.html – Thawab Jun 28 '12 at 12:51
  • So you admit you cannot enter a PIN on a credit card? – curiousguy Jun 28 '12 at 13:15
  • Not 100% correct @curiousguy: the British bank Barclays will ask for your PIN to be typed into the NFC reader "occasionally". https://www.barclaycard.co.uk/personal/getting-more/contactless But that will be just to authorise a payment. I'm sure the information held on the NFC is probably still readable. – SomethingSmithe Jun 28 '12 at 14:05
  • @SomethingSmithe It wouldn't be unlike banks to do this just for the show, whereby there's no real cryptography going on (where the bank could verify that the user actually provided the PIN to the reader). – RomanSt Jun 28 '12 at 14:18
  • @curiousguy - You need to stop being literal about everything. I don't even see the word "card" used in his answer. If a PIN is required you would input it into the reader, not the card. – Ramhound Jun 28 '12 at 14:24
  • @romkyns I did some more research into the production process of Barclays' NFC technology. They have an NFC sticker called a "Paytag" which is encrypted twice, which is probably a similar technique to their cards. https://www.barclaycard.co.uk/personal/paytag/paytag/production-process Regarding the PIN entry, it _should_ be logged on their systems whether a PIN was requested or not. – SomethingSmithe Jun 28 '12 at 14:35
  • @Ramhound "_I don't even see the word "card" used in his answer._" No, but I see it in the **question**. – curiousguy Jun 28 '12 at 15:34
  • @SomethingSmithe When Barclays ask you to type in your PIN if you try to NFC, it's to do a Chip & PIN transaction because you've already done a bunch of NFC transactions. An NFC transaction won't use a PIN, i.e. curiousguy is right. – Peanut Aug 05 '13 at 17:25
  • In my country you only need the PIN for expenses above 20€; otherwise no PIN is needed. – YoMismo Oct 27 '15 at 11:23
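The thread above describes the contactless model in pieces: the card answers any reader rather than authenticating it (Peanut's comment under Gilles' answer), the reader and issuer authenticate the card, small payments go through without a PIN while larger ones or "a bunch" of consecutive contactless payments force a PIN (Gilles' answer, SomethingSmithe's, Peanut's and YoMismo's comments), and the defence against a rogue reader is traceability of the settled payment rather than the card refusing to talk. The following Python model is an added illustration and not code from any bank, from EMV, or from anyone in this thread. It assumes an HMAC over the transaction fields as a stand-in for the real card cryptogram, a constructed 20.00 per-transaction no-PIN ceiling and a constructed limit of five consecutive no-PIN payments, and constructed card keys and merchant identifiers.

```python
"""Toy model of the contactless risk policy described in the thread.

Assumptions (illustration only, not any bank's or EMV's real protocol):
the card answers any reader without authenticating it, proves itself with
an HMAC (stand-in for the real cryptogram) over a key shared only with the
issuer, and the issuer decides whether a PIN was needed from the amount and
from how many no-PIN payments have happened since the last PIN entry.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

NO_PIN_LIMIT_CENTS = 2000   # constructed: no-PIN ceiling per transaction (20.00)
NO_PIN_MAX_COUNT = 5        # constructed: consecutive no-PIN payments before a PIN is forced


@dataclass
class Card:
    pan: str
    key: bytes          # shared with the issuer only
    atc: int = 0        # application transaction counter, increments on every response

    def respond(self, amount_cents: int, merchant_id: str) -> dict:
        """Answer whoever asks: the card does not authenticate the reader."""
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{merchant_id}|{self.atc}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "merchant": merchant_id,
                "atc": self.atc, "cryptogram": tag}


@dataclass
class Issuer:
    keys: dict                                    # pan -> card key
    last_atc: dict = field(default_factory=dict)  # pan -> highest counter accepted
    no_pin_count: dict = field(default_factory=dict)
    ledger: list = field(default_factory=list)    # (pan, merchant, amount): the traceability record

    def authorise(self, txn: dict, pin_verified: bool) -> str:
        pan = txn["pan"]
        key = self.keys.get(pan)
        if key is None:
            return "DECLINED: unknown card"
        # The issuer authenticates the card by recomputing the cryptogram.
        msg = f"{pan}|{txn['amount']}|{txn['merchant']}|{txn['atc']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINED: bad cryptogram"
        if txn["atc"] <= self.last_atc.get(pan, 0):
            return "DECLINED: replayed counter"
        count = self.no_pin_count.get(pan, 0)
        if not pin_verified:
            if txn["amount"] > NO_PIN_LIMIT_CENTS:
                return "PIN REQUIRED: amount over limit"
            if count >= NO_PIN_MAX_COUNT:
                return "PIN REQUIRED: too many no-PIN payments"
        self.last_atc[pan] = txn["atc"]
        self.no_pin_count[pan] = 0 if pin_verified else count + 1
        # Every approved payment is tied to the merchant account that presented it.
        self.ledger.append((pan, txn["merchant"], txn["amount"]))
        return "APPROVED"


def demo() -> tuple:
    """Run the scenarios from the thread; returns (decisions, ledger)."""
    key = b"constructed-card-key"          # constructed sample key
    card = Card(pan="4111-TEST-PAN", key=key)
    issuer = Issuer(keys={card.pan: key})
    out = []
    # A reader the cardholder never saw gets an answer: the card does not check who asks.
    rogue = card.respond(500, "MERCHANT-ROGUE")
    out.append(issuer.authorise(rogue, pin_verified=False))      # approved, but logged against MERCHANT-ROGUE
    out.append(issuer.authorise(card.respond(2500, "SHOP-A"), pin_verified=False))  # over the no-PIN ceiling
    out.append(issuer.authorise(card.respond(2500, "SHOP-A"), pin_verified=True))   # PIN entered at the reader
    for _ in range(NO_PIN_MAX_COUNT):                             # small payments, no PIN
        out.append(issuer.authorise(card.respond(300, "SHOP-B"), pin_verified=False))
    out.append(issuer.authorise(card.respond(300, "SHOP-B"), pin_verified=False))   # the "occasional" forced PIN
    out.append(issuer.authorise(rogue, pin_verified=False))       # captured response replayed later
    tampered = card.respond(300, "SHOP-B")
    tampered["amount"] = 1                                        # reader altering the amount after the fact
    out.append(issuer.authorise(tampered, pin_verified=False))
    return out, issuer.ledger


if __name__ == "__main__":
    decisions, ledger = demo()
    for d in decisions:
        print(d)
    print("merchants on record:", sorted({m for _, m, _ in ledger}))
```

The model makes Gilles' point concrete: nothing in the card stops the first transaction, so the control is that the issuer only ever settles a cryptogram-backed payment to a named merchant account, which is what makes the charge disputable and traceable. The counter and amount thresholds are what produce the "occasional" PIN prompt the commenters observed; real schemes use issuer-specific limits, not the constructed values here.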