NFC contactless payment security

It is about risks weighted against benefits.

Requiring a PIN for NFC transactions would reduce the main NFC advantage - speed. NFC payments without a PIN are used only for payments of a limited amount and usually for a limited number of transactions and/or a limited total amount of transactions per day. Maybe other bank-specific rules also apply; at least I was informed by my bank that I may be asked for a PIN without reaching any limit. This way the card-issuing bank or card company limits its risk (in the EU you are not liable in the case of fraud for more than 150 EUR as long as you haven’t acted with gross negligence) and keeps you using the card often, making a profit for them.


Some issues with contactless payments and digital wallets:

  1. Loss or theft -- an attacker gaining access to a device could allow access to the confidential information and allow continuous fraudulent transactions until accounts were disabled and/or the fraud was caught. Pulling a SIM card could defeat even the most stalwart lock and/or lockdown protections, and the SIM card could even be scanned in order to clone it
  2. Spoofing -- NFC tags can be reprogrammed, replaced, or subverted (e.g., covered) by a new, malicious tag. Windows Phone devices are extremely susceptible to tag attacks, e.g., web-based protocol handlers, but others may be as well
  3. Skimming -- An attacker can read information from NFC without the user's knowledge or consent, often from a distance
  4. Eavesdropping -- Using an antenna, an attacker can listen to an exchange between NFC devices. Certainly a 100 cm distance is not out of the question
  5. Data corruption -- Standard meaconing, interference, jamming, and interception (MIJI) techniques are possible because NFC is based on radio frequency
  6. Data modification/insertion -- although more complicated than data corruption, these attacks are very possible and real
  7. Relay, or proxy, attacks -- NFCProxy and others have shown that two Android devices can do quite a lot to live relay and/or store for replay at a later time

Check out these prezos for just a ton of information:

  • http://www.slideshare.net/0xroot/demystifying-apple-pie-touchid
  • https://www.syscan.org/index.php/download/get/b76f003a5aaa39a780c660e557f2ac6a/SyScan15%20Peter%20Fillmore%20-%20Crash%20and%20Pay:%20Owning%20and%20Cloning%20NFC%20Payment%20cards.pdf
  • https://www.lateralsecurity.com/downloads/Lateral_Security-NFC-Redux-Kiwicon6.pdf
  • http://www.slideshare.net/peterswedin/nfc-attacks
  • http://eandt.theiet.org/news/2013/oct/hacking-contactless-card.cfm

Or tools: http://wiki.yobi.be/wiki/Android_Apps#NFC-related
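As an added example (not part of the original answer, and not code from NFCProxy or any of the tools linked above), the following Python simulation shows the shape of the relay/proxy attack from item 7: a "proxy" device held to the terminal emulates a card, a "mole" device held to the victim's card plays the terminal's APDUs to it, and the two forward ISO 7816-4 APDUs verbatim over a network link. Because the real card answers, every response (including any cryptogram) is genuine; what the relay cannot hide is the extra round-trip time, which the terminal side here measures as a distance-bounding style check. The toy card, its AID/FCI bytes, the `Relay`/`run_transaction` names, the constructed link latency and the 10 ms threshold are all assumptions for illustration, not values from any real EMV kernel.

```python
"""Simulated NFC relay (proxy) attack on ISO 7816-4 APDUs with an RTT check."""
import socket
import threading
import time

# --- constructed toy card; AID/FCI bytes are illustrative, not a real EMV card ---
PPSE_AID = b"2PAY.SYS.DDF01"
SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6A\x82"
SW_INS_NOT_SUPPORTED = b"\x6D\x00"


class ToyCard:
    """Answers SELECT (PPSE) and GET PROCESSING OPTIONS; rejects everything else."""

    def __init__(self):
        self.atc = 0  # application transaction counter, incremented per GPO

    def transceive(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2 = apdu[:4]
        lc = apdu[4] if len(apdu) > 4 else 0
        data = apdu[5:5 + lc]
        if (cla, ins, p1, p2) == (0x00, 0xA4, 0x04, 0x00):  # SELECT by name
            if data == PPSE_AID:
                return b"\x6F\x05\x84\x03ABC" + SW_OK  # toy FCI template
            return SW_FILE_NOT_FOUND
        if (cla, ins) == (0x80, 0xA8):  # GET PROCESSING OPTIONS
            self.atc += 1
            return b"\x80\x02" + self.atc.to_bytes(2, "big") + SW_OK
        return SW_INS_NOT_SUPPORTED


def _send_frame(sock: socket.socket, data: bytes) -> None:
    sock.sendall(len(data).to_bytes(2, "big") + data)


def _recv_frame(sock: socket.socket) -> bytes:
    n = int.from_bytes(sock.recv(2), "big")
    return sock.recv(n) if n else b""


class Relay:
    """Proxy (at the terminal) <-> link <-> mole (at the victim's card).

    The terminal calls transceive() exactly as it would on a real card.
    """

    def __init__(self, card: ToyCard, link_latency: float = 0.05):
        self.proxy_sock, self.mole_sock = socket.socketpair()
        self.card = card
        self.latency = link_latency  # constructed round-trip delay of the link
        threading.Thread(target=self._mole, daemon=True).start()

    def _mole(self) -> None:
        # Runs beside the victim's card: receive APDU, play it to the card, return answer.
        while True:
            try:
                apdu = _recv_frame(self.mole_sock)
            except OSError:
                return
            if not apdu:
                return
            time.sleep(self.latency / 2)  # one-way network delay (simulated)
            rsp = self.card.transceive(apdu)
            time.sleep(self.latency / 2)
            _send_frame(self.mole_sock, rsp)

    def transceive(self, apdu: bytes) -> bytes:
        _send_frame(self.proxy_sock, apdu)
        return _recv_frame(self.proxy_sock)

    def close(self) -> None:
        self.proxy_sock.close()
        self.mole_sock.close()


# APDUs a minimal terminal would send (Lc/Le bytes included)
SELECT_PPSE = b"\x00\xA4\x04\x00" + bytes([len(PPSE_AID)]) + PPSE_AID + b"\x00"
GPO = b"\x80\xA8\x00\x00\x02\x83\x00\x00"


def run_transaction(card_like, max_rtt: float = 0.01):
    """Drive the exchange; return (responses, worst_round_trip_s, suspected_relay)."""
    responses, worst = [], 0.0
    for apdu in (SELECT_PPSE, GPO):
        t0 = time.perf_counter()
        rsp = card_like.transceive(apdu)
        worst = max(worst, time.perf_counter() - t0)
        responses.append(rsp)
        if not rsp.endswith(SW_OK):
            break
    return responses, worst, worst > max_rtt


if __name__ == "__main__":
    direct = run_transaction(ToyCard())
    relay = Relay(ToyCard())
    relayed = run_transaction(relay)
    relay.close()
    print("same bytes:", direct[0] == relayed[0], "relay flagged:", relayed[2])
```

The byte-level responses through the relay are identical to those from the card held directly to the terminal, which is why a relay survives the cryptographic checks a replay would fail; only the latency differs, and a threshold like the one in `run_transaction` is the kind of check real terminals and cards approximate with protocol timeouts.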


What you seem to be missing is that you are not making the risk-security tradeoff here. The NFC-without-PIN decision is up to the bank, because the bank is liable for any fraud up to the legal limit (150 EUR). If your payment is skimmed by one of the thieves as you fear, it will be your bank that has to pay the expense of the transaction, not you.

This, of course, assumes that someone detects the fraud. Major US banks have some pretty sophisticated fraud detection systems in place; if they see a card used in two different geographies at the same time, they can place a fraud block on a card. And it is your responsibility to read your bill each month and look at the charges, but that hasn't changed -- reading your bill has always been your responsibility. But if they don't spot it, and you don't spot it, yes, you will eat it.

They are trying to make the cards more convenient at their own expense. Why? The intent is that the convenience will be an incentive for consumers to use their NFC for small amounts, because they make money on each transaction, no matter how small. For this extra income, they are willing to risk some money on minor fraud.

Accepting this risk doesn't mean they are accepting a lot of risk. If you tell your bank that you did not make a specific small payment without a PIN, they will reverse it, but they will then flag your account and watch your complaints more carefully. If you demonstrate a pattern of reporting fraud but there is never any evidence, they will start investigating you.

They are certainly free to change this approach if NFC-relay-skimming becomes a serious financial threat. They are going to monitor this closely. If skimming apps become popular amongst the thieving crowd, or the banks start losing millions of Euros every week, they will certainly change their strategies. But until that dark day arrives, they expect to profit from this.