Thwarting NFC virtual pickpockets

Aug. 24, 2015
NFC and RFID offer great opportunities, but companies must be aware of their security shortcomings

It’s the end of a long week in New York. A weary securities industry executive is riding the elevator down from the 57th floor to head home, her purse slung over her shoulder. On the 54th floor, another woman boards an elevator. As the car fills at subsequent stops, the women are crowded together. When their purses touch, the executive has no idea the corporate identity badge she uses to access her office is being hacked, although it’s never left her handbag. Later that weekend, the woman from the 54th floor gains access to the 57th floor simply by using her phone with the stolen credentials at the entryway card reader.

It’s a scenario frightening for both its simplicity and tenacity.

More and more people use wireless communication devices such as mobile phones, biometric passports and credit cards with radio antennas for transactions including identification and payments. The transactions are powered by near-field communications (NFC), and the NFC standards are tasked with keeping it all secure.  However, reported problems and hacks of this popular technology are more frequent than anyone cares to admit, leaving many users being "virtually pick pocketed."

What is NFC/RFID?

NFC is the set of standards for wireless point-to-point communication between two devices. To work, devices must be in close proximity, typically within 10 cm, or roughly 4 inches. The NFC standard covers several communication protocols, and is based on existing RFID (radio-frequency identification) standards. The specification details of NFC can be found in ISO 18092.

While NFC protocol offers lots of protection, its weak spot is devices in close proximity since the protocol assumes that two NFC-capable devices within the same wireless range constitute a valid connection and make data transfer possible.

NFC operates in either active or passive mode. The mode is determined by whether a device creates its own radio frequency field or if the device obtains power from the radio frequency field generated by the device with which it is communicating.

Devices that generate their own fields are called active devices; these devices always have a power source. Sample active devices include point-of-sale (POS) terminals, door locks and mobile phones.

In contrast, passive devices – those that do not generate their own electrical fields -- typically lack a power source. Passive devices are things such as contactless smart cards, key fobs and tracking tags.

NFC communication involves communications between two devices (not broadcasting messages); at least one of the two devices must be an active device. Further, only active devices can initiate the communication.

Uses of NFC

The NFC communication standard simply specifies an interface. Today, with so many devices supporting NFC communications, it can be used for almost anything. We’ll be looking at two: payments and physical access control.

Payments

One NFC application currently attracting lots of attention is payments. In fact, Apple is now following Google’s lead (see  Android Pay) by adding support for NFC payments on its popular iPhone 6 mobile device and launching Apple Pay (now available in the US and the UK). From the security perspective, payment applications are quite interesting as the reward for a potential hacker is obvious: money.

Physical Access Control

Another interesting application for NFC is physical access control, meaning using passive or active NFC/RFID devices to open doors. For enterprise and government markets, this is not a new use case. After all, many workers have used key fobs to access their workplaces for decades. Today, however, NFC also is gaining popularity for use on locks on private residences and vehicles. The physical key can then be replaced with a mobile phone app used by the homeowner (or anyone to whom he or she designates access).

Other applications include tracking shipments, pairing digital equipment, ticketing, rewards programs, logical access control and more. 

Potential Threats

With payments, the primary threat is that an attacker could perform unauthorized payment transactions.

The simple remedy is requiring the payment schema to have some sort of approval by the account holder (not all payment methods today require that crucial extra step).

In an interesting demonstration of hacking earlier this year, a former U.S. Navy petty officer and now engineer at APA Wireless named Seth Wahle demonstrated how by implanting an NFC chip under the skin on his hand, he was able to hack into Android devices as he held them.

Another concern with payments is the possibility an account holder-initiated transaction results in an unwanted outcome. An example would be when a user accesses what he believes is a legitimate payment terminal but is instead a malicious relaying device. At “Hack in the Box 2015” in Amsterdam, presenters José Vila and Ricardo J. Rodriguez presented a demo of this in their presentation, “Relay Attacks in EMV Contactless Cards with Android OTS Devices.”

An example is when a hacker grabs the cardholder’s account information simply by standing next to the account holder in a crowded area with an RFID card reader; as the card is relaying its information to the legitimate card reader, the scammer is grabbing the same data. Users want the convenience of paying by waving a card or a fob over a reader, but it can come with a price. RFID card readers are easy to come by and inexpensive and open-source software makes the data theft even easier.

And while the requirement for close proximity helps stave off some hackers, the very nature of NFC makes it impossible to limit how far the radio waves travel. While the NFC communication protocols are designed and tested for use up to 10 cm, because NFC works via radio waves, it is impossible to set a hard limit on the distance those waves travel. That means determined attackers with the right boosting equipment can perform attacks from a much greater distance.

In the physical access space, the obvious threat is that an attacker gains unauthorized access, such as in the aforementioned scenario. Not surprisingly, there are several instruction videos online that show thieves how to copy widely used key fobs or access cards using simple and inexpensive technology. In one of the more famous examples from 2013, two teenagers in Italy showed how they could take advantage of lax security in NFC cards for mass transit, allowing for a lifetime of free rides on the system.

Addressing the Issues

Every security solution has weaknesses – both known and unknown. In the NFC payments space, a majority of transactions use a very low level of security. The result is fraud, and it’s quite common. Technologies that address these security weaknesses are available, but are not yet widely adopted. For example, in the U.S., most consumers and retailers still rely on magnetic stripe credit cards, even though the far more secure EMV standard for chip cards have been around and used in Europe for about 20 years. The same issues can be found in the contactless world, where many of the attacks would not be possible if more modern technology were employed.

The reasons why companies don’t move to more secure and modern technology vary widely, but cost and a lack of understanding of what is possible are two of the most common.

What companies need to do is begin focusing more heavily on the systems that connect with the communications devices. In the payments space, there are many smart systems in place, such as applications that check spending patterns and require secondary confirmation when certain criteria are met.

For physical access control, the process is generally weak. For instance, in user authentication, verifying a user often relies on only one factor, such as a security badge or employee card. The problem is that simply possessing an NFC/RFID contactless device does not mean the holder of that card is authorized to access the building or computer systems. That’s because the device can be shared, much like one would be able to share a normal door key.

Addressing the problem might include adding a guard at the door who validates that only authorized people pass through (visual identification), a PIN code, a fingerprint reader or other biometric reader. In short, two-factor authentication. The "something you have plus something you know" is well documented as one of the simplest and most effective means for improving security.

Even with two-factor authentication, physical access control security solutions have room for improvements. The systems can become powerful management tools when they are connected to the Identity and Access Management (IAM) systems used by the IT or human resources department that help in authentication, issuing and managing user credentials. With systems like these, it’s easier to limit access when employees leave, or limit access for employees depending on their level within the organization. So when an IT administrator moves to a job with a new company, his access to the server room is automatically revoked and his building access card is automatically deactivated. When a mid-level manager is scheduled to be on vacation but shows up at work, the system can require him to perform a secondary act of authentication to gain access to the office building to prove he should be there during that time. If an employee has somehow bypassed swiping her badge at the entrance, the system might deny her access to certain resources in the building.

NFC and RFID offer great opportunities, but companies must be aware of their security shortcomings and then make informed decisions on the best way to proceed. Industry observers understand that many will decide the expense or inconvenience of fixing what’s broken with NFC is too expensive or that their systems, while not perfect, are "secure enough."

When compromises are made, however, they bring with them serious implications for the long-term viability of whatever system is in place.  With the previously mentioned hackable mass transit card, for example, it would make no sense to then improve the system by allowing passengers to use their pre-paid cards to purchase coffee or newspapers at the subway station. In that case, adding additional features to the card simply extends its vulnerabilities into new areas where consumers might be hacked.

The best solution is to determine weak spots in whatever systems you are using, then research and implement fixes such as two-factor authentication or EMV. In this manner, we can all continue to exploit and build upon the benefits of wireless payments and physical access control without putting our customers, employees or our companies at risk.

About the Author:

New York City-based Joakim Thoren is CEO of Versasec, an Identity and Access Management (IAM) provider that helps businesses of all sizes manage their access-enabling devices, including smart cards, mobile, tablets, virtual and RFID/NFC.