To tap or not to tap: are NFC payments more secure?


Magnetic stripe cards were all the rage about twenty years ago, but their security was weak, and the requirement for signatures often added to the hassle of transactions – not to mention they lacked data encryption, making them vulnerable to skimming and cloning by criminals.

Smart cards emerged as their successor, providing enhanced security through data encryption. These cards required insertion into payment terminals (POS) and authentication with a PIN, marking a move towards more secure transaction methods. From a security perspective, smart cards were a clear step forward because they required authentication and provided enhanced security on the card through encryption. However, these cards were still susceptible to cloning or information theft, although carrying out such crimes was more difficult than with magnetic stripe cards.

The NFC standard

Near field communication, or NFC, derived from radio frequency identification (RFID), emerged as a new payment standard in the second half of the 2010s. Thanks to this technology, the original smart cards became even more useful, because instead of having to insert them into payment terminals and ATMs, you simply tap an NFC-enabled payment device to transfer money.

What can be a means of payment? In addition to contactless cards, phones can now also perform this function through services such as Apple Pay or Google Pay, which, after you upload your card details to the service, allow you to use your phone to make payments.

Cards and phones can be used as payment methods using NFC technology.
(Source: Shutterstock)

NFC payment works quite similarly to Bluetooth or other wireless communication systems, using radio waves to activate and verify transmitted information. This data is then decoded by an antenna. Concretely, in the case of a payment, the terminal receives information from the phone, which it then processes and approves to facilitate the transaction.

Due to NFC’s very short range, it is not useful for large data transfers. Unlike Wi-Fi or Bluetooth, it is slower and requires the immediate proximity of the two communicating devices. This is somewhat similar to infrared file transfers of the past, which worked the same way but were much less convenient and only worked half the time: you had to be very precise in how you placed your phones, and the sensors had to be almost touching each other (here’s an old manual presenting the function).

How secure is NFC?

Given that its primary application is to facilitate contactless transactions, one would assume that it must be completely secure, right?
It kind of is. Compared to other wireless communication methods, it is much more difficult to intercept due to the proximity required for its operation, but that does not mean it is immune to some forms of cyberattacks.

One of the most common attack methods in wireless communication is the man-in-the-middle (MITM) attack. For it to work, there must be a tool (equipment, fake website, emails) intercepting the communication between two devices/users, which then decrypts and relays the required data to the attacker. This is one of the reasons why using public Wi-Fi is so dangerous; it doesn’t take much to create a fake hotspot with the same name as a business or city, and because people want to use them, a criminal can easily compromise communications from devices using these hotspots.

Do MITM attacks apply to NFC? Kind of. Although it technically exists as a threat, it is simply not viable, for several reasons. First, to “skim” NFC communication, a reader must get close enough to the card/phone in order to read the required data. Second, the hacker must also have a special tool to do this. Honestly, it would be much easier to just steal your phone/card.

Potentially, payment terminals can be compromised. However, unlike traditional card skimming, NFC communication is encrypted and tokenized, meaning that a card can hardly be duplicated because its information is hidden.
However, do not assume that an opportunist would not still try to “skim” you for your card details, and since wireless car key attacks also exist (which rely on RFID technology similar to NFC), credit cards and phones are still at risk.

Safety should not be taken for granted

While it is true that NFC technology is more secure, especially when it comes to making payments, this does not mean that it is foolproof, as malicious actors can easily exploit certain vulnerabilities to obtain what they want.

For example, in 2021, a researcher demonstrated an attack in which he used an Android app to simply “wave” at NFC-enabled ATMs to compromise them. This was possible due to some software bugs in these machines, which may very well be a reality for other forms of payment terminals as well.

System flaws and security breaches will always exist, which is why even cyber insurance providers often emphasize patching vulnerabilities as a necessary condition for coverage.

Additionally, because NFC payments are inherently built around convenience, they lack additional authentication (like a PIN) that, for example, a traditional smart card would require. So if someone steals your credit card, they can easily make fraudulent payments without needing to enter a code (up to a certain value), and depending on the payment limits you set, the amounts can be quite high.

Payments by phone: are they more secure?

As mentioned earlier, NFC capabilities are also present on phones. But are they more secure? Since Apple Pay, Google Pay and others require additional security in the form of a PIN, fingerprint, face scan or anything else available on your phone, there is indeed additional security. Both payment services also only work when enabled, so there’s less chance of someone quietly initiating a payment from you. Additionally, using Apple or Google Pay does not transmit your account details and, if you lose your device, it is quite simple to remotely deactivate these services.

Services like Apple Pay require additional biometric verification to make payments.
(Credit: Christian Koepke on Unsplash)

Likewise, while smartwatches are great in many ways, enabling payments through them can be problematic, mainly due to the lack of additional authentication beyond a short PIN required to unlock the watch. The assumption is that the watch on the owner’s wrist serves as a form of authentication. However, because watches can be stolen and are often protected by only a four-digit PIN, this transaction method is not always secure enough.

How to secure your contactless payments

To end this article on a more positive note, there are ways to make your contactless payments more secure. Here’s how:

  • Try RFID blockers – These are small cards or wallets which create a barrier between your card and the outside world, mitigating potential skimming attacks.
  • Set low payment limits – This can be done through your bank or its software, where you can set a maximum limit on the amount you can purchase via contactless payments.
  • Use phone payments – While these apps may have their flaws, they are still a bit more secure than contactless cards, thanks to additional authentication requirements.
  • Use cash – This probably doesn’t need an explanation. However, you might worry about having large sums of money in your wallet, which can also be stolen.
  • Avoid smartwatches – Due to lower security, enabling payments on smartwatches could pose potential issues.
  • Get a travel card – If you’re worried about the express payments aspect, get a reloadable travel card, if possible, instead of using your own credit card/phone as a means of paying for your tickets.

And these are just a few methods you can use to enjoy more secure payments. Of course, no security solution can give you a 100% guarantee, but even small, simple measures can go a long way in reducing the risk of misfortune.
