Near Field Communication or NFC is a convenient technology used to exchange data between two devices. Currently, NFC tags are used to allow and restrict access to rooms and devices, to transact, and store information. NFC is a widely used technology, and it’s no surprise that hackers find ways to exploit the technology. It has vulnerabilities, and it's essential first to understand the vulnerabilities to know how to mitigate the risks.
How Vulnerable is NFC Technology?
For a technology that’s fairly vulnerable to hacks, it is a somewhat secure platform for transactions and access control. The data exchange can only occur at a distance of roughly four cms. Any bad actor who wants to hack an NFC device or infect it with malware must get uncomfortably close to the victim or look for other ways to attack. NFC is a secure technology, but it has some risks.
Potential NFC Risks
Using NFC can have certain risks for businesses, especially those that deal with sensitive information. Hackers can compromise an NFC and NFC device’s security and tamper with data or steal information. Below are some of the risks people can encounter when using NFC in any capacity.
The risks with NFC technology aren't limited to hackers stealing information from an NFC tag or infecting an NFC-enabled smartphone using their own tags. Bad actors can plant an NFC tag, like an Apple AirTag, to track someone’s movements. Because the tag is so small, it's easy not to notice them once planted in a bag.
Payment Processing FraudsPaying using a credit card usually requires cardholders to provide a user signature or a PIN code to verify the cardholder’s identity. NFC payments do not have this validation step, so thieves can easily use a stolen card without any worries. Using NFC cards can also be risky when hackers set up their own NFC readers on machines to skin NFC credit or debit cards.
Eavesdropping and Data Interception
NFC is naturally a short-range technology, meaning that data exchange can only happen when the NFC tag and the reader are close to each other. While this may make the data exchange seem secure, a man-in-the-middle attack can still occur through RFID skimming.
Data Corruption and Tampering
NFC is widely used to exchange data, but there is a risk of the data itself getting corrupted. When a bad actor’s card reader or any other unauthorised reader reads an NFC tag, there is a possibility for the data exchange to be tampered with and for the data to be corrupted. Data corruption is a perfect way to lose data. Bad actors will usually tamper with the exchange to authorise questionable transactions, like paying higher than the amount shown on the reader's screen.
Because some ATMs have begun using NFC technology for contactless payments, hackers have also developed ways to hack the machines by waving their smartphones to the reader to get them to disperse money. Hackers must find certain machines with security flaws to execute the hack and steal money.
Mitigating NFC Security Risks
Using NFC may introduce risks, but it doesn’t mean that people should avoid it entirely. Businesses and even DIYers can mitigate the risks of using NFC in different ways. Is NFC still vulnerable to hacks? Not completely, especially since there are ways to mitigate the risk and make NFC a safe and secure technology.
Update NFC Firmware and Software
NFC technology has come a long way, and many devices and applications have already been patched to remedy security issues. Once issues are disclosed, vendors typically develop and release updates to secure their devices. Regularly updating both the firmware and the software are key to beefing up NFC’s security to keep hackers from reusing certain hacks. Doing this manually through a dedicated IT staff or by the NFC tag user. Most vendors have already recognised the risk of using NFC and have become responsive with providing answers regarding possible security challenges.
Stop Unwanted Tracking
When out travelling, it's essential always to keep an eye on your bag since criminals can sneak an AirTag, or a similar NFC tag, in your bag to track you. Many people already don’t like it when they find out that certain tech companies are tracking them through spyware on their phones and computers, so why would you want some random guy to track you? Keeping an eye on your bag and pockets to keep people from dropping an AirTag in them can help avoid unwanted tracking. If you’re a business owner or a manager, you should inform your employees or team members that the AirTag is only meant to track their own belongings and that it’s a crime to track other people without their consent. Apple has already introduced updates to identify unwanted tracking to determine whether an unknown or unwanted AirTag is tracking a user. However, bad actors can make custom tags for their own purposes, so it's still important to practice due diligence when protecting yourself from unwanted trackers.
Configure Encryption Properly
Man-in-the-middle attacks are a legitimate concern, and the best way to secure a business's NFCs and devices is through properly-configured encryption. Data encryption is vital to protect data as it is transmitted, so bad actors will still need to decrypt the data before using it. Data encryption also protects against data tampering.
Avoid Sketchy Terminals
NFC is a convenient technology since people only need to tap on terminals to process transactions and exchange data. Hackers usually use their own readers to trick people into tapping there, allowing them to steal information. Keeping an eye out for dodgy terminals and looking for signs of tampering should be enough to stay on top of untrusted terminals and mitigate the risk of getting attacked. If an NFC terminal in a store seems sketchy, it’s best to look for alternative modes of payment to keep the NFC card secure.
Use NFC- and RFID-Blocking Storage Solutions
When using NFC cards and tags, it’s important to be able to store them in NFC- and RFID-blocking containers. NFC-blocking wallets are plentiful these days, and some bags like the LTT backpack have special compartments to block NFC, effectively mitigating the risk of bad actors getting close and tampering or corrupting the data.