The Many Issues With NFC

Steve Smith talks about Near Field Communication, and the numerous issues with the technology in card-based and hardware-based applications.

Security Vulnerabilities and Illicit Issues with NFC

Episode # 3-38 available on : Youtube Vimeo 

Released: June 15, 2013

NFC, or Near Field Communication, is all the rage today. Contact-less payment systems are popping up all over the place. It is found in credit cards, debit cards, cellphones, and other devices. The technology is designed to speed up the payment process, and transfer of information, but at what cost?

The technology is easy to use, and requires no PIN for limited amounts from debit and credit cards. While there is a supposed protection, there is nothing stopping criminals from stealing the information and buying small items with it. All the thieves really need to do is rebroadcast the information at another machine that accepts NFC payments, like some newer gas pumps in gas stations. The typical limit on a credit card or debit card is $50; however, it can also be used to prepay up to $100 of gas in service stations.

Credit cards and debit cards aren't the only things with NFC chips on them. They are, however, only able to send information, like an RFID chip.

Cellphones, tablets, and other similar devices may also have NFC built in. This makes it easier for you to use an internal credit or debit card system, and speeds up payment and points collection. You can also transfer data from one NFC-enabled device to another without issue. You also don't really need to allow your device to receive files. This is a potential problem, because it means that you can have illicit files sent to your device. Such files may record all your actions on your device, some may include a kind of key-logger, and some may infect your phone and use your address book to send high-value text messages to people in an effort to make money off your device. The actual transfer of the file occurs via Bluetooth; NFC is only used to initiate the Bluetooth communication.
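To make the last point concrete, here is an added example (not from the episode) that decodes the NDEF message a tap hands over and shows that a Bluetooth out-of-band record carries only an address and device name, not the file. The function names and the sample tag bytes are constructed for illustration; chunked records are not handled.

```python
import struct

BT_OOB_TYPE = b"application/vnd.bluetooth.ep.oob"  # MIME type of a Bluetooth OOB record

def ndef_records(msg):
    """Yield (tnf, type, payload) for each record of an NDEF message."""
    pos = 0
    try:
        while pos < len(msg):
            hdr, type_len = msg[pos], msg[pos + 1]
            pos += 2
            if hdr & 0x10:                     # SR flag: one-byte payload length
                plen, pos = msg[pos], pos + 1
            else:                              # otherwise four bytes, big-endian
                plen, pos = struct.unpack_from(">I", msg, pos)[0], pos + 4
            id_len = 0
            if hdr & 0x08:                     # IL flag: an ID length byte follows
                id_len, pos = msg[pos], pos + 1
            rtype = msg[pos:pos + type_len]
            pos += type_len + id_len
            payload = msg[pos:pos + plen]
            pos += plen
            if pos > len(msg):
                raise ValueError("truncated NDEF record")
            yield hdr & 0x07, rtype, payload
            if hdr & 0x40:                     # ME flag: last record of the message
                return
    except (IndexError, struct.error):
        raise ValueError("truncated NDEF record")

def bt_handover_targets(msg):
    """Return the Bluetooth address and name carried by each OOB record."""
    found = []
    for tnf, rtype, payload in ndef_records(msg):
        if tnf != 0x02 or rtype != BT_OOB_TYPE:    # TNF 0x02 = MIME media type
            continue
        if len(payload) < 8:
            raise ValueError("OOB payload too short")
        oob_len = struct.unpack_from("<H", payload, 0)[0]  # counts itself + address
        if oob_len < 8 or oob_len > len(payload):
            raise ValueError("bad OOB length")
        addr = ":".join(f"{b:02X}" for b in reversed(payload[2:8]))  # little-endian
        name, pos = None, 8
        while pos + 1 < oob_len and payload[pos]:  # EIR: length, type, data
            ln, kind = payload[pos], payload[pos + 1]
            if kind in (0x08, 0x09):               # shortened / complete local name
                name = payload[pos + 2:pos + 1 + ln].decode("utf-8", "replace")
            pos += 1 + ln
        found.append({"address": addr, "name": name})
    return found

# Constructed sample: one short MIME record announcing 00:11:22:33:44:55, "Phone".
_OOB = bytes.fromhex("0f005544332211000609") + b"Phone"
SAMPLE_TAG = bytes([0xD2, len(BT_OOB_TYPE), len(_OOB)]) + BT_OOB_TYPE + _OOB
```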

All of these cards and devices share similar issues: ease of access and usability. Many people will claim that you have to keep the card scanners near the credit or debit cards of a person for at least thirty seconds, and that may be true, but in large urban environments with a lot of people close together, it is easier than you think. The same thing goes for NFC-enabled devices, because while the screen is lit, it is possible to initiate a file transfer by invoking Bluetooth, which itself has a range of 30 feet. Therefore any person with illicit intent may target you: just after you have looked at the time on your cellphone, they pass by, invoke the file transfer, and get a good distance away before you notice a new application.

What can you do to protect yourself from these kinds of attacks or card cloning attempts? Plenty.

In the case of your NFC-enabled devices, you can simply turn off NFC whenever you are not using it. If NFC is not enabled, no amount of trying to send illicit files will work.

In the case of credit cards, placing aluminum foil around the cards actually prevents them from being scanned. Having numerous NFC-enabled cards together will also confuse the scanners and prevent all of them from being scanned. You may also be interested in the fact that you can purchase an aluminum for Amazon for less than ten dollars, link in sources.

Next week, I'll be talking about web-sites that act as a VPN to access web-sites without any special software. I'll be talking about use cases, and possible issues with such sites.

Remember to like this episode if you were interested in today's topic, share if you think someone else could benefit from the topic, and subscribe if you want to learn more. For the show notes of this episode and others, for more information on other ways to subscribe to our show, to subscribe to our weekly newsletter, and how to participate by submitting your questions, comments, suggestions, and stories, head over to

Host : Steve Smith | Music : Jonny Lee Hart | Editor : Steve Smith | Producer : Zed Axis Productions

Sources & Resources


Posted by ask
June 15, 2013


