To tap or not to tap: Are NFC payments safer?

Magnetic stripe cards were all the rage 20 or so years ago, but their security is weak, and the requirement for signatures often adds to the inconvenience of transactions. They also lack data encryption, making them vulnerable to skimming and cloning by criminals.

Chip-based cards emerged as a successor, offering more security by encrypting data. These cards require insertion at payment terminals (POS) and authentication with a PIN, marking a shift towards more secure transaction methods. From a security standpoint, chip-based cards are a clear improvement, as they require authentication and offer additional on-card security due to encryption. However, these cards are still vulnerable to cloning or information theft, although committing such crimes is more difficult than with magnetic stripe cards.

The NFC standard

Near-field communication, or NFC, which evolved from radio frequency identification (RFID), emerged as a new payment standard in the late 2010s. With this technology, the original chip-based cards become more useful, because instead of inserting them into payment terminals and ATMs, all that is required is to tap an NFC-enabled payment device to transfer money.

What can be a payment device? Besides contactless cards, phones can also serve this function through services such as Apple Pay or Google Pay, which, after you upload your card details to the service, enable you to use your phone for payment.

iPhone and a card held together in one hand

Both cards and phones can serve as payment methods through NFC technology.
(Source: Shutterstock)

The process by which NFC payments work is similar to Bluetooth or other wireless communication systems, which use radio waves to activate and verify the information being transmitted. This data is decoded by an antenna. In particular, in the case of a payment, the terminal receives information from the phone, which it then processes and approves to facilitate the transaction.

Due to the very short range of NFC, it is not useful for large data transfers. Unlike Wi-Fi or Bluetooth, it is slower and requires the two communicating devices to be close together. It has some similarities with the infrared file transfers of the past, which worked similarly but were less convenient and only worked half the time: you had to be very precise in how you placed your phones, and the sensors had to almost touch (here is an old manual that shows the function).

How secure is NFC?

Since its main application is to facilitate contactless transactions, one might think that it must be completely secure, right?
It is, sort of. Compared to other methods of wireless communication, it is more difficult to intercept because of the proximity required for it to work, but that does not mean that it cannot feature in some forms of cyberattacks.

One of the most common attack methods when it comes to wireless communication is the man-in-the-middle (MITM) attack. For such attacks to work, there must be some intermediary (a device, fake website, or emails) that intercepts the communication between two devices/users, and then decrypts and relays the necessary data to the attacker. This is one of the reasons why using public Wi-Fi is very dangerous: it doesn’t take much to set up a fake hotspot with the same name as a business/city location, and since people want to use it, it’s easy for a criminal to compromise communications from devices using such hotspots.

Are MITM attacks applicable to NFC? Kind of. Even though it technically exists as a threat, in practice it really doesn’t, for a number of reasons. First, to “skim” NFC communication, a reader must be brought close to the card/phone to read the required data. Second, the hacker must have some special tool to do that as well. Honestly, it’s easier to have your phone/card stolen.

Payment terminals could possibly be compromised. However, unlike regular card skimming, NFC communication is encrypted and tokenized, meaning that a card can hardly be duplicated thanks to its hidden information.
However, don’t think that an opportunist won’t still try to “fight” you to get card details, and because attacks on wireless car keys (which use RFID technology similar to NFC) also exist, credit cards and phones are at risk too.

Security should not be underestimated

Although it is true that NFC technology is more secure, especially when it comes to payments, this does not mean that it is infallible, as malicious actors can easily exploit some vulnerabilities to get what they want.

For example, a researcher in 2021 demonstrated an attack where he used an Android app to simply “wave” at NFC-enabled ATMs to compromise them. This was possible due to some bugs in the software of the machines, which could also be the case for other kinds of payment terminals.

System errors and security holes will always exist, so even cyber insurance providers often point to vulnerability patching as a requirement for coverage.

In addition, since NFC payments are inherently built around convenience, they lack the additional authentication (such as a PIN) required by a regular chip-based card, for example. So, if someone steals your credit card, they can easily make a fraudulent payment without having to input a code (up to a certain amount), and depending on the payment limits you set, the amounts can be high.

Phone payments – are they safer?

As mentioned before, NFC capabilities are also available in phones. But are they safer? Since Apple Pay, Google Pay, etc. require additional security in the form of a PIN, fingerprint, face scan, or something else you can use on your phone, there is an additional layer of security. Also, both payment services only work on a case-by-case basis, so there is little chance that someone will casually initiate a payment from you. In addition, using Apple or Google Pay does not send your account details, and, if you lose your device, it’s easy to remotely disable these services.

An iPhone with Apple Pay open tries to pay at an NFC payment terminal
Services such as Apple Pay require additional biometric verification to make payments.
(Credit: Christian Koepke on Unsplash)

Also, while smartwatches are good in many ways, enabling payments through them can be problematic, especially due to the lack of additional authentication beyond a short PIN required to unlock the watch. The assumption is that the watch on the wearer’s wrist serves as a form of authentication. However, considering that watches can be stolen and are often protected by a four-digit PIN, this is not always a sufficiently secure method for transactions.

How to make your contactless payments more secure

To end this article on a more positive note, there are ways you can make your contactless payments more secure. Here’s how:

  • Try RFID blockers – These are small cards or wallets that create a barrier between your card and the outside world, reducing the risk of skimming attacks.
  • Set a lower payment limit – This can be done through your bank or their software, where you can set a maximum limit on how much you can buy through contactless payments.
  • Use phone payments – Although these apps may have their flaws, they are more secure than contactless cards, thanks to additional authentication requirements.
  • Use cash – This probably needs no explanation. However, you may worry about carrying large amounts of cash in your wallet, which can also be stolen.
  • Skip the smartwatches – Due to low security, enabling payment on smartwatches may cause potential problems.
  • Get a travel card – If you are concerned about the express payments angle, get a top-up travel card, if possible, instead of using your own credit card/phone as a means of paying for tickets.

These are just a few methods you can use to make your payments more secure. Of course, no security solution can give you a 100% guarantee, but even small, simple steps can go a long way in making you less likely to experience misfortune.
