Helen Liu (V00832107), Maisha Mir, Nathan Jenkins (V00851969)
NFC payments use NFC-enabled microchips to provide a fast, contactless method of transaction. Although NFC is advertised as a secure way to make payments because it does not involve the use of Wi-Fi or mobile networks, its security system, or lack thereof, is a cause for concern. NFC payment cards follow a security protocol similar to that of magnetic stripe cards and have no additional cryptographic protection. Because these cards can be read in proximity, there are potential security threats. Previous exploits made use of fake Wi-Fi hotspots to manipulate the amount of a payment, or to ask a user to create a profile and then steal the one-time-use dynamic token.
This is important because by understanding why security issues arise with NFC, we can develop solutions that will help make this kind of contactless transaction more secure in the future.
Apple Pay and Google Pay both added layers of security onto the existing NFC framework. Their implementation includes the tokenization of card details (no actual credit card data is stored), tokenization of transaction details (a one-time key is used to generate tokenized payment info) and additional user authentication. Although these tokens are meant for one-time use, some payment terminals are set up to allow the same token to be used twice. In addition, scammers could buy stolen customer identities and load them into Apple Pay to use for transactions. Wormhole attacks are also possible with two phones and a laptop functioning as an NFCGate server to authorize a payment with the victim in close proximity.
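The following is an added example, not code from the original page or from Apple's or Google's implementations: a simplified Python model of the verifier-side checks that keep a one-time payment value single-use and bound to the signed amount. The HMAC construction, the transaction counter, and all names (`Issuer`, `make_cryptogram`, the sample token) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key: bytes, token: str, counter: int, amount_cents: int) -> str:
    """Device side: MAC over the token, a transaction counter and the amount."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Verifier side (hypothetical model): per-token key and last accepted counter."""

    def __init__(self):
        self.keys = {}          # token -> shared key
        self.last_counter = {}  # token -> highest counter accepted so far

    def provision(self, token: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[token] = key
        self.last_counter[token] = 0
        return key

    def authorize(self, token: str, counter: int, amount_cents: int, cryptogram: str) -> str:
        key = self.keys.get(token)
        if key is None:
            return "unknown_token"
        expected = make_cryptogram(key, token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad_cryptogram"  # amount or counter differs from what was signed
        if counter <= self.last_counter[token]:
            return "replay"          # the same one-time value was presented again
        self.last_counter[token] = counter
        return "approved"


def demo():
    issuer = Issuer()
    token = "tok-constructed-0001"   # constructed sample value, not a real token
    key = issuer.provision(token)
    mac = make_cryptogram(key, token, 1, 1250)
    return [
        issuer.authorize(token, 1, 1250, mac),   # first presentation
        issuer.authorize(token, 1, 1250, mac),   # identical message presented twice
        issuer.authorize(token, 2, 99999, mac),  # amount changed after signing
    ]


if __name__ == "__main__":
    print(demo())
```

A terminal or back end that skips the counter check is the "same token used twice" case described above; one that does not bind the amount into the MAC leaves room for the amount manipulation mentioned earlier.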
Although NFC payment methods are generally more secure than a traditional contactless credit card, there are some vulnerabilities that should be addressed. One way to make it harder for attackers to exploit NFC is to add another authorization step that users must complete before the transaction goes through. Further research is needed to find better solutions or suggest similar alternatives to NFC payment.
A common fear about current NFC payment methods is the risk that an attacker is able to intercept sensitive data from a credit card or NFC payment device. If the attacker is in close proximity to the victim, they can easily tap on the user's card or device with a receiver and collect information without authorization. Alternatively, if the attacker modifies a point-of-sale device, they could remotely intercept this same information.