Hackernoon logoThe Vulnerabilities of NFC Payments Need to be Addressed by@reputio

The Vulnerabilities of NFC Payments Need to be Addressed

In-store mobile payments grew 29% in 2020, with Gen Zers expected to be 4 million of the 6.5 million new mobile wallet users during 2021-2025. NFC is based on Radio Frequency Identification (RFID) technology, that identifies objects or people. U.S. is now the world’s second-largest market of mobile wallets with $465.1 billion worth of mobile payment transactions, with expectations of increasing to $698 billion in 2023. Even as NFC technology appears to be so easy and convenient, it is not without its vulnerabilities.
image
Reputio Hacker Noon profile picture

@reputioReputio

Covering disruptive stories

The pandemic of 2020 irreversibly changed the world in significant ways. But what did not change was the millennial and Gen Z commitment to following rules. As American academic Michael Porter said, “Millennials are more aware of society’s many challenges than previous generations… They are looking for a broader social purpose…”

Especially Gen Z was aware of the seriousness of the pandemic, and looked for viable alternatives to live their lives safely. Among these choices was the use of contactless mobile payments, instead of cash or credit cards. As market analyst firm eMarketer reported, in-store mobile payments grew 29% in 2020, with Gen Zers expected to be 4 million of the 6.5 million new mobile wallet users during 2021-2025. This trend appears to be habit-breaking, considering the hefty $143 billion a year purchasing power of Gen Z. Added to this, Gen Z does not trust the conventional systems after the financial disasters their parents went through, and so, fewer of them own credit cards, anyway.

Moreover, although the U.S. took time to fully engage with mobile payment technologies because of delays by retail stores, finance and investment company Finaria says the U.S. is now the world’s second-largest market of mobile wallet users with $465.1 billion worth of mobile payment transactions, with expectations of increasing to $698 billion in 2023. From a global perspective, mobile wallet payments are expected to grow 24% from 2020, to 2.4 trillion in 2021, and to 3.5 trillion by 2023.

As it happens, these mobile wallet transactions or contactless payments entail making secure payments from electronic devices like phones, computers or tablets, using radio frequency identification or biometrics.

Popularly used in banks, ATMs, restaurants, and for other transactions, these interactions fall into the Near-Field Communication (NFC) mainstream wireless technology, based on the principle of sending information over radio waves.

Described as a set of communication protocols enabling short-range communication between two electronic devices about 4 centimeters or 1 ½ inches apart, NFC is based on Radio Frequency Identification (RFID) technology, that identifies objects or people. RFID is believed to have originated during World War II; however, the official inventor of RFID technology is accepted as British inventor Charles Walton, who patented the technology in 1973 and 1983.

As it so happens, Walton’s RFID technology transmitted short-range radio waves, employing a database on a computer. The wireless connection initiated by the minute electrical current from the RFID reader enables sending and receiving data. In fact, it is said that the real major competition RFID technology has, even today, are the cheap barcodes scanned on store merchandise.

Furthermore, both active and passive devices can send and receive data, with smartphones being the commonest form of an active NFC device. According to NFC communication protocols, there are three clear ways to handle transactions, the commonest in smartphones being the peer-to-peer mode, which is two-way communication, active when sending data and passive when receiving.

The second way, the read/write mode, is one-way data transmission, with the active device usually being the customer’s smartphone.  The third way is card imitation, where the NFC device functions as a contactless credit card to make payments, get cash from an ATM or tap into public transport systems.

Even as the technology appears to be so easy and convenient, it is not without its vulnerabilities, especially in regard to security. In fact, Josep Rodriguez, researcher and consultant at Seattle-based security firm, IOActive, having deeply researched NFC technology, discovered that an NFC smartphone could hack an ATM simply by waving the handset. He posted a video to show how the hacking method works. He waved his NFC smartphone over an ATM NFC reader in Madrid, Spain, and immediately, the ATM displayed an error message.

As Rodriguez reported, his hacking attempt only required an NFC device – a smartphone – and a special Android app he developed. What is more, his Android app permits his smartphone to imitate credit card radio communications and use, to advantage, the flaws in the NFC systems' firmware.

For instance, he could wave his phone and corrupt point-of-sale equipment through a variety of bugs, then hack them to collect and transmit credit card data, change transaction values without being detected, and even freeze the equipment as ransomware messages are displayed. As Rodriguez said, “You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you're paying 50 dollars.”

Furthermore, Rodriguez found one of the weaknesses of the NFC technology used is that many of the devices do not validate the size of the information they receive. This means that a malicious entity can overwhelm the system with too much data and then corrupt its memory in a “buffer overflow” attack.

Rodriguez identified another problem in that companies are generally slow to update the hundreds of thousands of machines used across the world. For instance, a machine has to be physically visited to install an update, and with logistical issues, many NFC machines are not regularly updated.

With such obvious issues not being well-addressed, Rodriquez warns that NFC readers in modern ATMs and point-of-sale systems are open to attacks. He is now trying to inform relevant companies that poor security measures in embedded devices could lead to hackers taking advantage of obvious vulnerabilities. It is an echo of American inventor Thomas A. Edison’s words, “There is a way to do it better. Find it.”

Tags

Join Hacker Noon

Create your free account to unlock your custom reading experience.