The surprising security model for NFC payments

One of my New Year's resolutions was to learn more about NFC security. Not because I disagree completely with people saying it is over-hyped, but because, since chip and PIN was added to credit and debit cards, NFC is one of the most interesting innovations in payments, at least in the West (Japan has been using NFC for years). NFC presents some really interesting security challenges, so I have been reading a lot of research papers and buying coffee for a number of experts. What I have discovered so far really surprised me.

I approached NFC asking the standard questions (insert hammer and nail joke here): how are authentication and authorisation performed, how is sensitive data protected in transit and in storage, what logging is available, and how are configuration stores protected? What I have been finding is that the security model really does not have many of these features at all, especially on the client side (i.e. the NFC device, such as the Samsung Galaxy S). Speed is the primary emphasis; the main benefit of the technology is seen as enabling people to just touch and go, even on a roller coaster. The trade-off for this is in security. So when an NFC device connects to a reader there is no authentication, no authorisation and no encryption of information in transit. That's why you see attacks like this and this being possible.

The NFC device contains a secure element (SE); on a phone this would usually be on the SIM, a built-in chip in the phone or a microSD card. The SEs are manufactured to the same standards and certifications as the chip in chip and PIN credit and debit cards, often by the same manufacturer. The SE is the only component of an NFC solution that will undergo any evaluation against security requirements and accreditation. The card number (PAN), cardholder name, expiry and card security code (CVV2) are loaded into the SE and can only be read by the authorised application on the phone. However, when this information is transmitted it is sent in the clear and can be intercepted if you are in range. There is the capability for a challenge-response mechanism (similar to chip and PIN, where the user would enter a PIN to pay) and for the NFC application to communicate with a mobile gateway for out-of-band authorisation via a one-time CVV2, but these features, at least currently, are rarely used.

Instead, all of the security is essentially server side, which is actually pretty smart. Issuers have set limits on NFC transactions, e.g. £10, so the maximum fraud potential is contained. They know which PANs are allocated to NFC-capable cards and devices, and even on contactless cards the PAN transmitted for the NFC transaction can be different to what is shown on the card. So if an NFC PAN shows up in a card-not-present transaction (e.g. buying something online), or even at a non-NFC point of sale, the issuer can reject it. The other protections for cards are also still in place: even if all the card details are obtained from an NFC device, most issuers now require address validation and 3D Secure for card-not-present transactions. There are some merchants that will not implement these and will not even ask for the CVV2, but this is usually a business decision to accept liability for any fraud in exchange for increased sales and a better customer experience. All the normal fraud checks, such as checking of stolen card lists and real-time risk scoring based on transaction velocity, history and location, also apply to NFC payments.
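To make the server-side model concrete, here is an added sketch (not from the original post, and not any issuer's real logic) of how an authorisation host could apply the checks described above. Only the £10 cap comes from the post; the PANs, velocity threshold, window and channel names are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
# Every value here is constructed for illustration, not taken from a real issuer.
NFC_LIMIT = Decimal("10.00")      # per-transaction contactless cap (the post's £10 example)
VELOCITY_MAX = 3                  # assumed: approved taps allowed per PAN per window
VELOCITY_WINDOW_S = 600           # assumed: 10-minute velocity window
NFC_ONLY_PANS = {"NFC-PAN-0001"}  # placeholder PANs allocated to NFC devices only
STOLEN_PANS = {"NFC-PAN-0666"}    # placeholder stolen-card list

@dataclass
class Txn:
    pan: str
    amount: Decimal
    channel: str  # "nfc", "pos" (non-NFC point of sale) or "cnp" (card not present)
    ts: int       # seconds since the start of the sample

def authorise(txn, history):
    """Return a decision string; history holds previously approved Txns."""
    if txn.pan in STOLEN_PANS:
        return "declined: stolen card list"
    if txn.pan in NFC_ONLY_PANS and txn.channel != "nfc":
        return "declined: NFC PAN used outside NFC"
    if txn.channel == "nfc":
        if txn.amount > NFC_LIMIT:
            return "declined: over NFC limit"
        recent = [h for h in history
                  if h.pan == txn.pan and h.channel == "nfc"
                  and 0 <= txn.ts - h.ts <= VELOCITY_WINDOW_S]
        if len(recent) >= VELOCITY_MAX:
            return "declined: velocity"
    return "approved"

def replay(txns):
    """Authorise a time-ordered stream, remembering only approved transactions."""
    history, decisions = [], []
    for txn in txns:
        decision = authorise(txn, history)
        decisions.append(decision)
        if decision == "approved":
            history.append(txn)
    return decisions

P, D = "NFC-PAN-0001", Decimal
SAMPLE = [Txn(P, D("4.50"), "nfc", 0), Txn(P, D("25.00"), "nfc", 60),
          Txn(P, D("4.50"), "cnp", 120), Txn(P, D("3.00"), "nfc", 180),
          Txn(P, D("3.00"), "nfc", 240), Txn(P, D("3.00"), "nfc", 300),
          Txn("NFC-PAN-0666", D("2.00"), "nfc", 310), Txn(P, D("3.00"), "nfc", 1000)]
if __name__ == "__main__":
    print(*zip((t.ts for t in SAMPLE), replay(SAMPLE)), sep="\n")
```

Because the decision uses only data the issuer already holds, card details captured over the air are of little use outside a small, rate-limited NFC purchase.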

So overall the systems are fairly well designed and while there will no doubt be plenty of FUD whenever a researcher "hacks" NFC payments, holistically the systems in place provide a good balance of convenience and fraud risk.

I am just starting to learn about this technology and the above was fairly high level. If I have made any errors, or my interpretations of various documents and conversations have not been accurate, feel free to comment. I'm always happy to learn.

Some good research papers on NFC security if you are interested in reading further:
Security in Near Field Communications
Proximity mobile payments: leveraging NFC
Practical experiences with NFC security on mobile phones
Mobile payments in the United States at retail point of sale


PS: first blog post created entirely on my new iPad :) it's awesome
Photo credit: Flickr, Robert van der Steeg
