Skip links

To tap or not to tap: Are NFC payments safer?

Magnetic stripe cards were all the rage 20 or so years ago, but their security was fragile, and the requirement for signatures often added to the hassle of transactions – not to mention, they lacked data encryption, making them vulnerable to skimming and cloning by criminals. 

Chip-based cards emerged as a successor, offering enhanced security through data encryption. These cards required insertion into payment terminals (POS) and authentication with a PIN, marking a shift toward more secure transaction methods. From a security standpoint, chip-based cards were a clear advancement, as they required authentication and offered enhanced on-card security due to encryption. Nonetheless, these cards were still susceptible to cloning or information theft, though perpetrating such crimes was more challenging than with magnetic stripe cards.

The NFC standard

Near-field communication, or NFC, evolving from radio frequency identification (RFID), emerged as a new payment standard in the latter half of the 2010s. With this technology, the original chip-based cards have become even more useful, as instead of having to insert them into payment terminals and ATMs, all it takes is a tap onto an NFC-enabled payment device to transfer money.

What can be a payment device? Apart from contactless cards, phones can now also serve this function through services such as Apple Pay or Google Pay, which, after uploading your card details into the service, enable you to use your phone for payments.

Iphone and a card held close to each other in a hand

Both cards and phones can serve as payment methods through NFC technology.
(Source: Shutterstock)

The process through which NFC payment works operates quite similarly to Bluetooth or other wireless communication systems, utilizing radio waves to activate and verify the information being transmitted. This data is then decoded by an antenna. Specifically, in the case of a payment, the terminal receives information from the phone, which it then processes and approves to facilitate the transaction.

Due to NFC’s very short range, it’s not useful for large data transfers. Unlike Wi-Fi or Bluetooth, it is slower and requires the two communicating devices to be in close proximity. This bears some resemblance to the infrared file transfers of the past, which worked similarly but were much less convenient and worked only half the time: You had to be very precise with how you placed your phones, and the sensors had to almost touch (here’s an old manual showcasing the function).

How secure is NFC?

Given that its primary application is facilitating contactless transactions, one might assume that it must be entirely secure, right?
It is, kind of. Compared to other methods of wireless communication, it is much harder to intercept due to the close proximity required for it to work, but that does not mean that it is imperceptible to some forms of cyberattacks.

One of the most common attack methods when it comes to wireless communication is man-in-the-middle (MITM) attacks. For them to work, there needs to be some tool (equipment, fake website, emails) intercepting communication between two devices/users, which then decrypts and relays the required data to the attacker. This is one of the reasons using public Wi-Fi is so dangerous; it does not take a lot to set up a fake hotspot with the same name as a business/city location, and since people do want to use them, a criminal can easily compromise communication coming from devices using those hotspots.

Do MITM attacks apply to NFC? Sort of. While it technically exists as a threat, it’s just not that viable, because of several reasons. Firstly, to “skim” NFC communication, a reader has to get quite close to the card/phone in order to read off the required data. Secondly, the hacker needs to have some special tool to do that as well. Honestly, it would be much easier just to outright steal your phone/card.

Potentially, payment terminals can be compromised. However, as opposed to regular card skimming, NFC communication is encrypted and tokenized – meaning that a card can hardly be duplicated thanks to its information being hidden.
However, do not assume that an opportunist would still not try to “bump” into you in order to obtain card details, and since wireless car key attacks also exist (which use similar RFID technology to work as NFC), credit cards and phones are still in danger.

Security should not be taken for granted

While it is true that NFC technology is more secure, especially when it comes to making payments, it doesn’t mean that it is infallible, as malicious actors can easily exploit certain vulnerabilities to get what they want.

For example, a researcher in 2021 demonstrated an attack in which he used an Android app to simply “wave” at NFC-enabled ATMs to compromise them. This was possible due to certain software bugs in those machines, which can very well be a reality for other forms of payment terminals as well.

System flaws and security holes will always exist, which is why even cyber insurance providers often underline vulnerability patching as a requirement for coverage.

What’s more, since NFC payments are inherently built based on the aspect of convenience, there is a lack of additional authentication (like a PIN) that a regular chip-based card would require, for example. So, If someone does steal your credit card, they can easily make fraudulent payments without them needing to input a code (up to a certain value), and depending on your set payment limits, the sums can be quite high.

Phone payments – are they more secure?

As mentioned before, NFC capabilities are also present on phones. But are they more secure? Since Apple Pay, Google Pay, and others require added security in the form of a PIN, fingerprint, face scan, or something else you might have available on your phone, there is indeed some added security. Also, both payment services only work when enabled, so there is less of a chance of someone just leisurely initiating a payment from you. Plus, using Apple or Google Pay does not transmit your account details, and, in case you lose your device, it is quite easy to remotely disable these services.

Iphone with Apple Pay open trying to pay on an NFC payment terminal
Services like Apple Pay require additional biometric verification to conduct payments.
(Credit: Christiann Koepke on Unsplash)

Likewise, while smartwatches are great in many ways, enabling payments through them might be problematic, primarily due to the lack of additional authentication beyond a short PIN required to unlock the watch. The assumption is that the watch being on the owner’s wrist serves as a form of authentication. However, considering that watches can be stolen and are often protected by just a four-digit PIN, this may not always be a sufficiently secure method for transactions.

How to make your contactless payments more secure

To end this article on a more positive note, there are ways you can make your contactless payments more secure. Here’s how:

  • Try RFID blockers – These are small cards or wallets that create a barrier between your card and the outside world, mitigating potential skimming attacks.
  • Set up low payment limits – This can be done through your bank or their software, wherein you can set a maximum limit on how much you can purchase through contactless payments.
  • Use phone payments – Even though these apps can have their flaws, they are still a bit more secure than contactless cards, thanks to additional authentication requirements.
  • Use cash – This probably doesn’t need an explanation. However, you may worry about carrying large amounts of money in your wallet, which can also be stolen.
  • Skip smartwatches – Due to lower security, enabling payments on smartwatches might pose potential problems.
  • Get a travel card – If you’re worried about the express payments angle, get a top-up travel card, if possible, instead of using your own credit card/phone as a means of paying for tickets.

And these are just some methods you can employ to have more secure payments. Of course, no security solution can give you a 100% guarantee, but even small, simple steps can go a long way toward making you less likely to experience misfortune.

Before you go: Mobile payment apps: How to stay safe when paying with your phone

Source