Blog article
See all stories »

NFC and digital wallets: magic has security risks

NFC devices provide users with another pair of wings to fly over daily routines, as they enable quick and easy contactless mobile payments and the use of e-tickets, mobile digital wallets, keycards, etc. instead of dealing with bulky stuff they substitute. The upsides are plain to see: wide availability, simplicity of use, platform versatility, seamless device communication, ability to handle cryptography and complex algorithms, etc. 

But what about the security risks, though? Let me give you an idea to engage with, especially for those considering launching an NFC digital wallet.

The magic of NFC security is better known as threat modelling.

NFC devices are nearly magic, but they can be tricked to perform an authorised action or extract sensitive data. More than that, security engineers witnessed lots of cases where NFC devices were used to breach the systems they were built to protect. They can be vulnerable to rather common attacks, like pre-play, replay, passive eavesdropping, cryptography exploits, and side-channel attacks. And the attackers can do their bad magic unnoticeable, as NFC devices are so tiny and cheap to test. 

Active replay attacks (sending the same information several times) on payments, for example, can be carried out just in broad daylight, as it is not difficult for an attacker to get really close to a victim in many locations. In the case of financial transactions involving private keys, when the mobile app and device use a communication protocol with encryption flaws, adding the buzzword "encrypted" to the app marketing description will not secure funds. (For more examples of bad scenarios, you can google about exploring security vulnerabilities in NFC wallets). 

This does not mean you should stop believing in the technological magic of NFC or avoid it. With proper preparation—threat modelling, security architecture, secure implementation, and plenty of testing—you can reduce the chances of successful exploits. 

My personal recommendation, based on experience, is to assess NFC card vendors and their communication protocols before adding their products to your digital wallet (or any other app). 

Take your time to comprehend what risks and threats their peculiarities can bring and then let your security engineering team build a proper defence, layer by layer.

a member-uploaded image

Comments: (0)

Pavlo Farb

Pavlo Farb

Security Engineer

Cossack Labs

Member since

11 Jun 2021



Blog posts


This post is from a series of posts in the group:

Digital Banking

How mobile banking can unlock real financial progress

See all

Now hiring