The Security of NFC

I love easy solutions to complex problems. Frozen yogurt is a simple solution to the complexities of ice-cream induced weight gain, and if that fails, I understand Spanx work wonders as well.

Along the same lines, I love NFC because it solves all security problems we face in payments…right? Wrong! Let’s break down the security issues we deal with on a daily basis and how, if at all, NFC addresses those.

  1. Card cloning
    No question that NFC solves this issue. Much like chip cards, the secure element on a phone is near-impossible to clone thanks to advanced security/encryption technology.
  2. Consumer authentication
    Definitely not solved. There is nothing fundamentally different about the way a consumer is linked to a phone versus a card. Possession is what counts. This means we need to somehow authenticate the consumer. We can’t have people buying $3,000 TVs with just the tap of a phone, and I sure hope we’re not going to fall back on ID checking for this purpose. A PIN is definitely the most convenient way to do this. For many people this fact is a reality check. We will still need to authenticate consumers above certain dollar amounts. I could see how that limit might be higher than the current common $25 or so for contactless cards. Another reality check: this PIN must be entered on a PCI PED/PTS compliant device. Protecting the wallet on the phone with some user access control is great, but for actual user authentication for payments, we must do proper PIN authentication on a proper PINpad.
  3. Data encryption
    Regardless of whether a transaction is processed as a contactless or EMV contactless transaction, cardholder data still exists in the infrastructure as unencrypted data. This data could be sold and used maliciously in other environments. This means we still need to use end-to-end encryption and tokenization to address this fundamental issue.

NFC will bring us many advantages in a number of areas. Security is one of those areas, but that doesn’t mean there is no need for complementary security measures. We love simple solutions to complex problems. NFC is wonderful, but not a solution to all security issues that exist in the payments world.
