Modern Payment Security – NFC-Enabled Mobile Devices

by Daniel Gualtieri on Aug 02, 2012

Last month, Corporate Insight covered the evolving mobile payments landscape, where we briefly discussed why Near Field Communication (NFC) has yet to emerge as a popular format for mobile payments. Since then, there have been two interesting NFC-related developments:

This raises an obvious question: As more NFC-enabled devices enter the market, are security risks a hindrance to the growth of NFC payment technology? Naturally, there are always a significant number of consumers with security concerns when a new technology hits the market, especially one that holds personal and financial information. Despite the security issues that were exposed at the Black Hat conference, overall, NFC’s security flaws are minor and controllable.

Anatomy of the NFC Hack
It’s important first to understand how Mr. Miller was able to gain control of the two devices he hacked. The first, an Android Nexus S, was hacked through “Android Beam,” a feature which allows Android users to share information with one another. He was also able to gain control of a Nokia N9 because, by default, the phone accepts all incoming connections through its NFC reader. Once he gained control of the phone, malicious files could be loaded, data could be transferred, and the phone’s browser could be used to steal saved passwords and account information.

In order for this hack to be successful, the following needs to be in place:

  • The Android Nexus S must be running Android 2.3 (Gingerbread), the aforementioned “Beam” feature must be enabled, and an NFC chip must essentially touch the phone.
  • The standard settings on the Nokia N9 must be changed so it can always accept any incoming connections.
  • Both phones need to be unlocked and their screens need to be on.

In the case of the Nexus S, three new versions of Android have been released and made available to Nexus S owners since its release 18 months ago. In fact, Android Central has confirmed that the newest version of Android does not contain many of the weaknesses Mr. Miller was able to exploit in Gingerbread. So while these hacks were a great demonstration by a talented hacker, they were essentially carried out on an 18-month-old technology that has since been updated by Google and their mobile carriers.

NFC Security Tips
We have highlighted some serious security flaws with NFC-enabled phones in this article; however, it’s important to note that the hacking threat can be greatly diminished by taking a few simple precautions.   Here are three basic security tips that will help owners of NFC-enabled phones avoid falling prey to hackers:

  1. Set a custom passcode and lock phones after use. 
  2. For Nokia owners, check your settings to ensure your NFC communicator shuts off when the phone is locked.
  3. If you haven’t already, download the latest operating system version upon its release.