Is NFC payment secure and how to set it up?

When buying a brand new phone or tablet, the user, as a rule, receives a device that supports NFC, but often without even realizing what advantages this technology provides. It is useful to know if NFC payment is secure and how to set it up so that you can pay for purchases contactlessly.

What is NFC?

This is a technology for transferring information over short distances, combining a reader and a smart card into one device. The latter is a plastic card with an RFID type mark, thanks to which people pass through office turnstiles and open access doors.Tickets in the capital's public transport or a bank card with contactless payment is a smart card.

A microchip is installed in it, which, at the moment of touching the reading device (office turnstile or automatic machine of some institution), exchanges information in a matter of seconds. Simply put, it transmits data about its owner to the security system or makes it possible to withdraw a specific amount of funds.

This microchip is called the Secure Element and is integrated into the phone by the manufacturer or placed on SD media or a SIM card. The NFS unit, for its part, is installed exclusively at the manufacturer's plant and plays the role of a controller option. Simply put, he administers this module.

How does NFC work?

Attaching a smartphone to the machine to pay for goods is much more comfortable when compared with carrying a couple of credit cards in your pocket.

The technology of NFC (Near Field Communication or Short Distance Communication) is based on the interconnection of 2 coils of the electromagnetic type, one of which is located in the smartphone, and the other, respectively, in the machine. To start the relationship, both devices must be located at a distance of no more than 5 cm from each other.

How to enable NFC? How to find out if there is a module on a smartphone?

Everything is pretty easy. To understand if there is an NFC module on the user's Android phone or tablet and activate it, the user needs to go to "Configuration" - "Wireless Communications" - "NFC".

If the user does not have this value in the menu, then NFC is not available in his smartphone.

Method 1. Android credit card

If the user has a bad habit everywhere and constantly forgets his own credit card, then in this situation, if his gadget is equipped with an NFC module, he is given the opportunity to make his own phone a real credit card. This is done as follows:

• First, you need a credit card that supports paypass technology;
• It is necessary to install on the smartphone the program (client) of the user bank in which the card was made;
• Open the installed program, find the option that is responsible for NFC, and select it. After that, you need to put a credit card to the back of the phone or tablet so that it is considered;
• Following a successful reading, the user will be sent a password consisting of 4 numbers via SMS, which should be saved. This PIN will need to be entered when the user makes a payment using a phone or tablet.

The developers of the module claim that its use is safe because:

1. The user must always, before buying something, enter the PIN code.
2. The operating range of the NFC microprocessor is only 10 cm (even less in reality).

Method 2: NFC tags

A typical situation: a person woke up, ate breakfast, looked at the stock in the refrigerator and opened the “Buy a Baton” or “Google Keep” program to add what needs to be bought to the list. After that, he leaves the apartment and turns on the mobile network, gets into the car and activates the GPS, Bluetooth, in order to safely get to the place of work. There, he switches the smartphone to vibrate mode and opens Evernote.

Today, all these actions can be carried out not mechanically, but automatically thanks to NFC tags.

What is needed for this:

1. Install the NFC ReTAG program.
2. Find NFC tags or, if the user has contactless metro or public transport payment cards, or maybe long-forgotten or unused bank cards that support Pay Pass.
3. Open NFC ReTAG, scan a card or tag, add it and name it whatever the user wants.
4. After that, you need to select the action that will be carried out on the smartphone when the user attaches it to the label, and press the "Action" key.
5. Create an action, for example, launch the "Buy a Baton" program.

After the user has created an action, you can attach a card or tag to the refrigerator (or put it next to it). From now on, every time the user enters the kitchen, he is given the opportunity to instantly launch the "Buy a Baton" program and save a reminder with a list of mandatory purchases.

Example! When a person gets into the car, there is a mark in it, scanning which automatically activates GPS and opens Bluetooth.

How to do?

1. It is necessary to scan a card or a label, name it.
2. Designate an action - launch the GPS program, and also open Bluetooth wireless information transmission.

Advice! It is best to leave the tag in the car so that you do not forget to scan it every time you get into the car.

If the smartphone has Root rights, then this will also increase the possibility of using NFC tags and a person will have more “chips” to automate the processes of a phone or tablet.

Method 3. Android Beam

This is a data transmission method (similar to Bluetooth) using the NFC microprocessor. It is important to remember that the data exchange rate using Android Beam is very low, and therefore it would be advisable to use it only for transferring a small amount of text or links.

For this you need:

• Press the "Expand" key;
• Bring both devices to each other;
• When the image on the display of the transmitting device becomes smaller, click on it to start the transmission.

Method 4: NFC ring or bracelet

A smart bracelet or ring with an NFC option is an innovative project of developers from China, which is suitable for phones running on various operating systems. The bracelet can be chosen for any hand size (a similar situation with the ring). The weight of the device is very small, but the main thing is that it fully supports NFC technology.

The role of the chip, for example, in the Band 3 BFC device, is played by a specialized chipset. With the help of the latest, the smart bracelet helps the phone to transmit information via a contactless type channel, thus maintaining high security. Information on the device can be rewritten an unlimited number of times.

The bracelet stores payment information, records and other personal data. Viewing the information is not difficult - just put the bracelet on the phone display. In a matter of seconds, it will establish a connection with the smartphone and disable the display lock, and will also play the role of a hot key. For example, while bringing the bracelet to the phone, the camera, network or social network program is activated at the same moment.

Other options

NFC modules are found on labels in stores or in museums on information plates, during the scanning of which the user will be taken to a site with full data about the product or rack.

NFC security

It makes no sense for users who use contactless cards for a long time to talk about what NFC technology is. This payment method is safer than the usual method of activating a PIN card in a machine, because no one sees the code. Even if the phone is stolen, the thief will not be able to withdraw more than a thousand rubles from the card due to global limits on limiting amounts in contactless transactions.

There are reports in some media that hackers created terminals, which are used in crowded places, secretly stealing funds. But this is only real when the phone is unlocked.

Recommendation! If the attacker nevertheless managed to withdraw the funds illegally, then the account holder always has the opportunity to go to a banking institution and contact them with a request to track the movement of money. The hacker's balance will be instantly found and the funds will be returned to the owner if the kidnapper has not yet spent them.

Myths and research on NFC security

In order to thoroughly understand everything, below are all kinds of myths, rumors and real situations related to the security of NFC technology.

Distance

Contactless cards are used to transfer information NFC technology, a subcategory of RFID. On the credit card there is a processor and an antenna that respond to the request of the settlement terminal at a radio frequency of 13.56 MHz. Different payment systems use their own standards, such as Visa Pay Wave or MasterCard Pay Pass. But they are all based on almost the same principle.

The distance of information transfer using NFC varies within a few cm. In this regard, the first step of security is physical. The reader, in fact, must be brought close to the credit card, which is quite difficult to do discreetly.

However, it is possible to create an extraordinary reader that works over a long distance. For example, scientists from the University of Surrey in Britain showed the technology of reading NFC information at a distance of about 80 cm thanks to a practical scanner.

This gadget is really capable of secretly "interrogating" contactless cards in minibuses, malls, airports and other public places. Fortunately, in many states, the proper credit cards are already in the purse of every second person.

Nevertheless, it is possible to go much further and do without a scanner and personal presence. Another unusual solution to the range problem was presented by hackers from Spain. R. Rodriguez and H. Villa who presented the lecture at the Hack In The Box meeting.

Most of the new Android phones are equipped with NFC.At the same time, gadgets are often located in close proximity to a purse - for example, in one backpack. Villa and Rodriguez developed the concept of a Trojan (virus) on Android that turns the victim's phone into a kind of NFC signal repeater.

At the moment when an infected smartphone is near a contactless credit card, it transmits a signal to hackers via the network about the reach of the operation. Attackers launch an ordinary payment terminal and attach their own NFC phone to it. Therefore, a bridge is “built” using a network between the terminal and the NFC card, which can be located at any distance from each other.

The virus is able to be transmitted in the usual way, for example, when bundled with a "hacked" paid program. All you need is Android OS version 4.4 or later. Root rights are not required, however, they are recommended so that the virus can function even after the device's screen is locked.

Cryptography

Of course, approaching the map is 50% success. Following this, it is necessary to break a much more powerful barrier, which is based on cryptography.

Contactless transactions are protected by the same EMV standard as processor cards. Compared to the track of the magnet, which can actually be copied, such a move will not work with the processor. At the request of the terminal, the chip generates a one-time key each time. It is possible to intercept such a key, but it will no longer be suitable for a subsequent operation.

Security scientists have repeatedly doubted the security of EMV, but to this day no workable ways to bypass the protection have been found.

There is, by the way, one nuance.In the usual implementation, the security of processor cards is based on a combination of crypto keys and a person entering a PIN code. In the process of contactless transactions, a PIN code is most often not needed, so only the crypto keys of the card processor and terminal remain.

Purchase amount

There is another level of security - the limit limit for contactless transactions. This limitation in the configuration of the terminal equipment is set by the acquirer (bank), which is guided by the advice of payment systems. In the Russian Federation, the maximum payment amount is one thousand rubles, and in America the threshold is $ 25.

A payment for a large amount will be refused or the machine will begin to require auxiliary identification (signature or PIN code), it all depends on the configuration of the acquirer - card issuer. During attempts to alternately withdraw a couple of amounts less than the limit, the auxiliary security system should also be activated.

But even here there is a specificity. Another group of Newcastle University scientists from Britain said almost a year earlier that they had found a loophole in the security of contactless transactions of the Visa payment system.

If you request a payment not in pounds sterling, but in another foreign currency, then the limit on the amount is not included. And if the terminal is not connected to the World Wide Web, then the maximum amount of a hacker operation can reach one million euros.

Employees of the Visa payment system denied the implementation of such a hack in practice, saying that the operation would be denied by the bank's security systems. If you believe the words of Taratorin from Raiffeisenbank, then the terminal controls the threshold amount of the payment, regardless of the currency in which it was carried out.

Conclusion

In conclusion, it is worth noting that the technology of contactless payments is, in fact, closed by excellent multi-stage protection, but this does not mean at all that user funds are safe with it. Too much in the cards of banking institutions is interconnected with very “old” technologies (magnet strip, network payment without auxiliary verification, etc.)

In addition, much lies in the attentiveness of the configuration of certain financial institutions and outlets. It is worth noting that the latter, in the race for quick purchases and a small percentage of “abandoned carts”, very much neglect the security of transactions.