Suitably safe with NFC
The NFC Forum, which oversees the development of Near Field Communication technology, has set up a Security Technical Working Group. Its job is to find the threats and recommend solutions.
Near Field Communication (NFC) will allow all kinds of new and exciting applications, mostly connected with easier access to information and services. For example, you will be able to touch your device, probably a cell phone or a PDA, to a poster for a movie, and you’ll get information about the film downloaded to your display. You could then buy a couple of tickets for the evening performance. The ticket would be stored on your device, so that when you got to the cinema, you could touch your device to a reader, and it would direct you to your seat.
Watch your back
Sounds wonderful, but there could be plenty of risks in all that. Are you sure that the poster contains a genuine transmitter, and not one placed there to spy on your phone? If it is a rogue transmitter, then even if you don’t buy a ticket, the poster might be able to find out quite a lot about you from reading your device. And if you do buy a ticket, there’s all that payment information being exchanged just out on the street. And in the crush just inside the cinema, there might be someone jostling your elbow with a receiver listening for information.
Such issues are being discussed within the NFC Forum’s Security Technical Working Group, which handles security and data protection issues and provides security-related guidance. Its chairman, Albert Dorofeev of Sony Europe, describes his group’s task as a “tough problem.”
He explains: “We can introduce perfect security, but that would require a quantum supercomputer. We have to make sure that the security architecture and standalone measures we propose are suitable for the low-powered resource-restricted devices we deal with in the NFC world.”
Jonathan Collins, senior analyst for RFID and Contactless at ABI Research, says the real problems are in the applications: “NFC is built on existing technology to a large degree, and you already have such standards as ISO 14443* to provide technical security. But the issues are in how the device interacts and how it stores information.”
Analyzing the risks
There are plenty of contactless cards around carrying specific pieces of information; the problem with NFC is that one device may carry all your information at once. “But it’s probably safer than having your wallet stolen,” says Collins. “For one thing people tend to notice the loss of their mobile phone within hours, while it’s often days before they report the loss of a credit card.”
Electronic devices can also have security built in, and, since they are on a network, they can be deactivated remotely. But, as Dorofeev points out, people will not want to be worrying about security when they use their NFC devices: “The mobile convenience idea would disappear if we required users to type in passwords all the time. So we have to figure out how to make things secure while requiring minimum, or, better yet, no interaction with the user.”
There are some obvious security pluses. NFC, as its name implies, only operates within very short ranges, so accidental contact with transmitters is unlikely. But it is possible that NFC fraudsters could set up disguised devices near authorized transmitters that could eavesdrop on transactions without being noticed.
Keep it simple
Collins says that people will be worried about security if the security issues are not dealt with and explained clearly before NFC comes into use: “For example, they’ll want to know whether it can make payments without them knowing it as they walk past a terminal.”
Such risks can be reduced if personal information is not exchanged during a transaction and if there’s a limit on how much you can spend each time. Each transaction will make up its own authentication code, so that no one should be able to use the information for another transaction. In addition, NFC devices should be more secure than contactless cards, in that they have a user interface, with a screen and a keyboard, which should allow users to accept or reject transactions.
But Albert Dorofeev doesn’t think we should expect too much of the user. “User comfort comes first – otherwise there’s no advantage in using NFC,” he says. “We have to live with that and figure out secure ways of doing particular scenarios without requiring user interaction.”
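The per-transaction authentication code and spending limit described above, as an added example that is not from the article or the NFC Forum. It assumes an HMAC-SHA256 code over a device counter and a terminal nonce, a key shared between device and issuer, and a 2500-cent cap; all names are hypothetical.

```python
import hashlib
import hmac
import json

SPEND_LIMIT_CENTS = 2500  # assumed per-transaction cap; the article names no figure


def transaction_code(key, token, ctr, amount, nonce):
    # Serialise as a JSON list so field boundaries are unambiguous.
    msg = json.dumps([ctr, amount, token.hex(), nonce.hex()]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Device:
    """Phone side: holds the key and a counter that never repeats."""
    def __init__(self, key, token):
        self.key, self.token, self.ctr = key, token, 0

    def pay(self, amount, terminal_nonce):
        self.ctr += 1
        code = transaction_code(self.key, self.token, self.ctr, amount, terminal_nonce)
        # Only an opaque token leaves the device, never a name or card number.
        return {"token": self.token, "ctr": self.ctr, "amount": amount,
                "nonce": terminal_nonce, "code": code}


class Issuer:
    """Back end: checks the cap, the code, and that the counter is fresh."""
    def __init__(self):
        self.keys, self.last_ctr = {}, {}

    def enroll(self, token, key):
        self.keys[token], self.last_ctr[token] = key, 0

    def authorize(self, tx):
        key = self.keys.get(tx["token"])
        if key is None:
            return "unknown-token"
        if not 0 < tx["amount"] <= SPEND_LIMIT_CENTS:
            return "amount-rejected"
        expected = transaction_code(key, tx["token"], tx["ctr"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "bad-code"
        if tx["ctr"] <= self.last_ctr[tx["token"]]:
            return "replay"  # a captured message cannot be spent a second time
        self.last_ctr[tx["token"]] = tx["ctr"]
        return "approved"
```

An eavesdropper who records one exchange gets a code that is bound to that counter, amount and nonce, so resubmitting it or altering the amount is rejected without any input from the user.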
*ISO 14443 is an international standard for contactless smart cards operating at 13.56 MHz in close proximity with a reader antenna.