How secure is NFC tech?

smart card with nfc tag
With near-field communication technologies, you’ll see both software and hardware security features. Smart cards like this one have integrated protections that will foil a lot of would-be thieves.
Courtesy NFC Forum

In the near future, your technological world might be overtaken by near field. No, not the corn field that's across the road. We're talking about near-field communication (NFC), which gadget manufacturers, retailers and many other organizations hope will bring powerful new features to smartphones and much more.

NFC is a type of radio communication standard, much like Bluetooth, WiFi and other networking technologies. It's different in that it operates at very slow speeds and only at a short range of just a few centimeters. You can see our detailed rundown on it in How Near Field Communication Works.


NFC isn't a newfangled technology, but it's just now beginning to filter into mainstream products like smartphones. With an NFC chip and antenna, you can use your smartphone to make contactless payments at NFC retail terminals, parking meters, taxis and many other places.

What's more, with NFC, you can bump smartphones to exchange information with friends or business colleagues, or use your phone to read smart tags. Smart tags are tiny, read-only chips that can appear in informational posters and identification documents, such as corporate badges or passports.

You can even use NFC to connect to secure networks without having to enter complex authorization codes. For instance, you may be able to tap an NFC tablet to a wireless router and after the NFC chip confirms your identity, your tablet is cleared to connect to the much faster WiFi signal so that you can get to work.

Ultimately, NFC makes it a whole lot easier to perform a huge range of digitized tasks. But with that kind of power in such a tiny chip, is this technology really secure?

Many experts say NFC really is fundamentally secure by virtue of its extremely short range. In order to snag your NFC signal, a hacker would need to be very close to you. Uncomfortably close. In other words, you'd know they were there. And unless it was a very intimate friend of yours, you'd likely not be happy about it.

There's more to the physical aspects of NFC that make it troublesome for even determined hackers.


Time for Your NFC Physical

movie poster with embedded smart tag
The smart tag in this poster supposedly directs your phone to a Web site with more information about the movie. But hackers can meddle with tags, which then tell your phone to perform destructive activities.
Courtesy NXP

Security experts stress that NFC doesn't come loaded with built-in, hardware-driven security measures. NFC is just a platform for establishing communication between two devices. But NFC's short range, in a sense, serves as a safeguard against hackers. In order to grab an NFC signal from thin air (called eavesdropping), an attacker would have to accomplish a few critical things.

First, he'd have to be close enough. Many NFC applications work at such short range that you virtually have to touch a smartphone to an NFC device in order to establish the connection. So a hacker could hope to brush up against unsuspecting people on the subway and do his version of digital pickpocketing, right?


Well, the NFC functions on your phone only go into active mode when you want them to. For instance, the chip will activate when you check out at retail store using an NFC terminal. The chip isn't even working when your phone is in standby mode.

Even if a hacker was close enough to you at just the right moment, he'd still need some serious luck. NFC signals are extremely sensitive in terms of direction. So sensitive, in fact, that if you turn your phone just slightly, it won't be able to read a smart tag. For a hacker to illicitly grab your signal, he'd have to somehow maneuver a hacking device's antenna into precisely the right angle.

Hackers might have a much easier time pilfering data through other means. Thieves could use the longer range of WiFi and Bluetooth signals and hunt for those that careless people fail to protect with passwords or any kind of encryption whatsoever. Bolder criminals can simply peer over your shoulder while you type your PIN and then grab your phone on the street.

Yet the onus for security falls on every link in the chain of NFC transactions, from hardware and software makers, right down to the end user, who needs to make smart, tech-savvy choices. On the next page see how a few protections can shield your NFC activities from evildoers.


NFC Hacks are Wack

business people tapping phones together
I don’t know, he looks a little fishy to me. When you tap to exchange information via NFC, be sure the other person is trustworthy.
Courtesy NFC Forum

Just about anything digital can be hacked. All it takes is a savvy geek with a criminal streak. As you wade into the waters of NFC's capabilities, you'll want to be aware of the risks you're taking lest you wind up drowning in newfangled digital dangers.

One risk rests with smart tags. For example, a tag embedded in a promotional movie poster ostensibly directs you to a film trailer. But hackers can corrupt or reprogram tags for their own purposes by breaking the tag's encryption and then loading their malicious code in the memory. So instead of seeing a trailer, your phone surreptitiously sends personal information to an unknown device via text message or other communication service.


Privacy concerns are also valid. When you buy groceries at a store and want to use your NFC phone to claim your loyalty points, the store's system clearly has to identify you, likely making a record of when and what you purchased, for the purpose of targeting you later with ads designed for your preferences. Yet there are no guarantees that some stores won't find a way to sell your information to third-party businesses, which might pay a steep price for that kind of juicy data.

To keep your data safe, you can take a few precautions. Don't tap any tags that aren't somehow physically protected, perhaps behind glass or plastic; those that swing freely in public places are much more likely to be tampered with.

When you do tap a tag, carefully watch your phone to see what actions the tag prompts. Often, there are suspicious, tell-tale prompts that appear (much like aggravating pop-up browser screens on your computer) serving as warnings that something is awry.

Don't bump phones to exchange information with people you aren't sure you can trust. A smart hacker with a big smile can potentially use this opportunity to transfer spyware to your phone.

You'll be relying primarily on software developers to add layers of password protection and encryption to their products and applications. But to stay ahead of the game and make yourself a much harder target, you'll want to stay up to date on potential security issues, on sites such as NFC News and NFC World.

NFC has a lot of promise in terms of simplifying and unifying all sorts of technologies, from payments to network connection setups. But like all evolving digital magic, personal protection is paramount, so educating yourself on security alerts could save you a lot of NFC heartache.


Lots More Information

Related Articles

More Great Links

  • Cavoukian, Ann. "Mobile Near Field Communications (NFC) 'Tap 'n Go' Keep it Secure and Private." (Feb. 6, 2012)
  • Dolphie, Gordon. Director of Marketing at Intel. Personal Interview. Jan. 27, 2012. (Feb. 6, 2012)
  • Emligh, Jacqueline. "Smartphones are Turning into Wireless Wallets." Mar. 6, 2011. (Feb. 6, 2012)
  • European Network and Information Security Agency. "Top Ten Smartphone Risks." (Feb. 6, 2012)
  • Lishoy, Francis, et al. "Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones." 2011. (Feb. 6, 2012)
  • Meyn, Hauke. Senior Principal System Architect at NXP. Personal interview. Jan. 25, 2012.
  • Molen, Brad. "Engadget Primed: What is NFC and Why do We Care?" Jun. 10, 2011. (Feb. 6, 2012)
  • Mulliner, Collin. "Attacking NFC Mobile Phones." May 2008. (Feb. 6, 2012)
  • Planck, Seth. "Viaforensics Finds Google Wallet Security Vulnerability with a Rooted Android Phone." Dec. 14, 2011. (Feb. 6, 2012)