How secure is NFC in 2024?
Recently we've heard about a hack that could allow a person to unlock 3 million hotel room doors in 161 countries around the world by using an Android phone. The door locks susceptible to the hack use RFID, a radio-wave technology.
RFID and NFC have a lot in common, though. The revealed hack has us questioning NFC, which is present on almost all modern phones. Is it secure? Let's explore.
NFC and RFID: differences
In the hack we mentioned earlier, the hacker could take advantage of the RFID (Radio Frequency Identification) system that was used to lock and unlock a hotel room. RFID is a technology that uses radio waves to relay identifying information from an electronic tag in an object to an electronic reader.
NFC, or near-field communication, on the other hand, is more or less an evolved version of RFID. It allows enabled devices to share data between themselves. It's currently used in contactless payments via phones, for example.
NFC makes paying with your phone possible, easy and quick
Without delving too much into the physics of how these work, here's the basic difference between the two technologies. First off, RFID works at longer distances (up to 100 meters), while for NFC, you need to be close to the other device (a few centimeters, or up to 4 inches).
Additionally, RFID offers one-way communication: you need one device as a reader and another as a tag, while NFC is two-way - a device can be both a reader and a tag. Also, RFID tags can be read quickly in batches, while only a single NFC tag can be scanned at a time.
The benefits of NFC
NFC has become an integral part of our lives nowadays. Mainly it's used to make paying with a mobile wallet possible. With an NFC-enabled phone (which most modern phones are) you can pay using the phone instead of with your card or cash. That eliminates the need to carry all your bank cards with you everywhere.
Also, NFC is used for information and data sharing, in-store check-ins, and even scanning a QR code on documents for additional product information.
Here are the benefits of NFC:
- Ease of use and convenience - pay with your smartphone quickly and easily, without the need to carry a physical wallet
- Efficiency - faster payment transactions mean less time wasted waiting in a queue in a supermarket, for example
- Security
Let's address the last point a bit more. Because NFC works at near distances only, a hacker on the other side of the city (or in the next building, or even across the room) cannot eavesdrop on the information exchanged between the NFC-enabled devices.
This means that the hacker needs to stand right next to you and your NFC-enabled device - we're talking about less than 4 inches away - to be able to eavesdrop. Well, they are technically in your face so it's hard to call that "eavesdropping".
On top of that, NFC features protections like tokenization of private and personally identifying data (replacing sensitive information with an anonymous number called a token).
NFC gets even more secure with your phone's biometric and other protections
Also, NFC gets even more secure with your phone's protection. As you know, phones are equipped with biometrics and password protections for further security.
In fact, NFC payments are more secure than your traditional payment with a card, believe it or not. The card can get stolen and it's protected by just a 4-digit PIN. If the thief knows your PIN, he can go on a shopping spree (given you have that money!).
However, if your NFC phone gets stolen, it is more difficult for the thief to access it and therefore more difficult to shop with money they didn't earn. Also, any unusual activity with a payment app could prompt your card's security measures to kick in (and payment can be blocked until you're authenticated).
NFC disadvantages: what are the possible NFC weak points?
As with anything in the world, NFC does have weaknesses. Here are the possible hacks that can be done with NFC.
- Data tampering
A hacker could gain access to an NFC payment terminal and might be able to reprogram it to send or request data that it shouldn't. Proper securing of the NFC device and network makes this risk very low.
- Eavesdropping
As I already mentioned, the hacker needs to be close (very close) to the NFC device. So it's very hard (well, maybe impossible) for the hacker to get that close without anyone noticing. Even if they obtain data though, the data is highly likely to be encrypted and thus, of little use for them.
- Skimming
Almost the same as eavesdropping, but in this case, someone with an NFC device gets close to your phone and triggers a transaction. However, the same issue is present here as with eavesdropping - the required proximity of the hacker to you. If this happens on the street, for example, the hacker would need to know where the phone is (is it in your bag, your jacket?).
- Malware installation
In 2019, an Android vulnerability showed that someone can use NFC to prompt an Android device to download an application (if the user has NFC). However, the user still had to confirm the download. The bug has since been patched. This goes to show, though, that NFC could theoretically be used to trigger downloads.
- NFC spoofing
A hacker could potentially clone an NFC key. This requires that the hacker has temporary access to a security key to clone it.
- Social engineering
So, do you need to toggle NFC off?
The short answer - no, not really. As you can see, attacks using NFC are typically hard to deploy and are associated with a high level of risk for the malicious user. So, all in all, NFC is as secure as... well, things can get. It is always possible that you can get hit by lightning, but it's unlikely, isn't it?
The only advice I can give if you're suspicious about NFC is the following: always be aware of your surroundings when using it, and avoid using it if the place where you are seems sketchy.
Here's one example to beware of. There's a somewhat common scam where malicious users will stick RFID stickers to commonly used places (like tables in restaurants, night tables in hotels, charging stations). Those stickers prompt an NFC interaction, and if you don't pay attention and approve it, you may get an unwanted download or data transfer.
So, if you see a random NFC prompt when you have placed your phone somewhere, stop NFC and look around. If you find an innocent-looking sticker, be sure to report it (to the authorities, or the people in the restaurant).
But apart from that: rest assured. NFC is an evolved technology over RFID and therefore, way more secure than its predecessor.
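For the sticker scenario described above, this added example (not part of the original article) shows how a defender could check offline what a suspicious tag asks a phone to do. It assumes the tag's contents were already copied out as a raw NDEF message, the standard NFC Forum tag data format, which the article does not name; the function names and sample bytes are constructed for illustration.

```python
# Added example: offline triage of a raw NDEF message copied from an unknown NFC sticker.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",  # subset of the
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}  # codes

def parse_ndef(data: bytes):
    """Return [(tnf, type, payload)] per record; raise ValueError on malformed input."""
    records, i = [], 0
    while i < len(data):
        header = data[i]
        if header & 0x20:
            raise ValueError("chunked records are not handled in this example")
        len_size = 1 if header & 0x10 else 4      # SR flag: 1-byte payload length
        has_id = bool(header & 0x08)              # IL flag: an ID length byte follows
        if i + 2 + len_size + has_id > len(data):
            raise ValueError("truncated record header")
        type_len = data[i + 1]
        payload_len = int.from_bytes(data[i + 2:i + 2 + len_size], "big")
        id_len = data[i + 2 + len_size] if has_id else 0
        start = i + 2 + len_size + has_id         # first byte of the type field
        end = start + type_len + id_len + payload_len
        if end > len(data):
            raise ValueError("record length runs past the end of the tag data")
        records.append((header & 0x07, data[start:start + type_len],
                        data[start + type_len + id_len:end]))
        i = end
        if header & 0x40:                         # ME flag: last record of the message
            break
    return records

def triage(data: bytes):
    """Return [(action, detail, needs_review)]: what the tag would ask a phone to do."""
    out = []
    for tnf, rtype, payload in parse_ndef(data):
        if tnf == 0x01 and rtype == b"U" and payload:      # well-known URI record
            uri = URI_PREFIXES.get(payload[0], "") + payload[1:].decode("utf-8", "replace")
            out.append(("opens-link", uri, True))
        elif tnf == 0x01 and rtype == b"T" and payload:    # well-known text record
            enc = "utf-16" if payload[0] & 0x80 else "utf-8"
            text = payload[1 + (payload[0] & 0x3F):].decode(enc, "replace")
            out.append(("shows-text", text, False))
        elif tnf == 0x04 and rtype == b"android.com:pkg":  # Android Application Record
            out.append(("launches-app", payload.decode("utf-8", "replace"), True))
        else:
            out.append(("unknown", rtype.decode("ascii", "replace"), True))
    return out

# Constructed sample: a URI record followed by an Android Application Record.
_uri, _t, _pkg = b"\x03example.com/app.apk", b"android.com:pkg", b"com.example.app"
SAMPLE_TAG = (bytes([0x91, 1, len(_uri)]) + b"U" + _uri +
              bytes([0x54, len(_t), len(_pkg)]) + _t + _pkg)
```

Calling `triage(SAMPLE_TAG)` lists a link record and an app-launch record, both marked for review; a tag carrying only plain text comes back unflagged.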