How Secure Are NFC Payments?

Published by Adrian in Web Security


NFC is becoming a very tempting trend in the world of commerce, and without a doubt this so-called Near Field Communication can be a real blessing. Contactless payments, via credit cards or mobile devices, make shopping a lot easier for all the parties involved, so much so that both merchants and consumers are interested in using it.

If you think about it, NFC technology lets you simply wave the card or the smartphone across a special NFC reader to authorize a payment. Who wouldn’t love this opportunity of ditching the traditional swipe-and-sign credit card payments? Having to physically dip your card into the card reader or swipe it is just a waste of time when there is an alternative.

And so, these days, more and more credit and debit cards support NFC payments. The same goes for many iOS and Android devices. Basically, depending on what kind of phone you have, you can choose among the three main NFC payment services on the market: Apple Pay, Android Pay, and Samsung Pay. Retailers and even restaurants are bringing in their own in-store NFC readers.

Did you have the chance to familiarize yourself with it?

Just like the name suggests, NFC is one of several radio communication standards. It is similar to Wi-Fi, Bluetooth, and other technologies that facilitate network communication, but it differs in some particularities. For starters, it works at very low data rates and within a range of only a few centimeters.

While it’s becoming more mainstream, you’d have to wonder…

What if the data you’re sending wirelessly to make the payment ends in the wrong place?

What if a hacker steals your payment information?

How secure is this NFC payment technology, after all?

Addressing the main concerns regarding the NFC security

Knowing what NFC implies raises some concerns. Because you’re sending data over a wireless connection, you can and should ask how well protected that data is.

In other words, it all starts from the fact that you’re basically accepting payments through a wireless signal.

We all know that hackers love taking advantage of unsecured wireless connections. So, it makes sense to expect some of them to try to bypass the protection of a particular wireless connection.

They can try to use malicious code to intercept that communication. Or they can try to tamper with a consumer’s smartphone or even a merchant’s NFC device.

Luckily, while possible, all of the above is quite difficult to put into practice.

Not only is it hard to hack into a well-protected wireless connection; it is also hard to attack an NFC communication channel, because of the security features that come with it.

What’s more, users can always add extra protection on their devices to secure their mobile wallet and keep it secure even if someone physically grabs their smartphone.

Coming up next, we’re going to address all of these concerns and help you worry less and enjoy this payment technology more.

How secure are NFC payments?

Like any other revolutionary payment option, NFC was conceived to prevent the most common security threats. In other words, the same concerns and worries you have now were addressed by the developers of this technology from the very beginning.

And so, NFC payment security is currently built with a specific set of security features that should help you stay safe: proximity protection, user initiation, and secure element validation are the essentials.

Let us walk you through the details of each one, so you can better understand what they mean.


Proximity detection is the first level of defense

It defines the distance at which an NFC reader can interact with a buyer’s card or mobile phone, and it makes sure that no communication is allowed when that distance is exceeded. Since that distance is a matter of inches, a potential thief would have to be extremely close to the NFC-enabled device in order to steal the transaction data. That, of course, wouldn’t be possible without the user noticing their presence, which is very discouraging for any thief out there.

Aside from distance, NFC signals are also particularly sensitive to the orientation of the card or mobile phone you’re using for the payment. Sometimes, turning it just slightly can cause a reading error. This means that for a hacker to eavesdrop on the signal, they would also have to get the angle exactly right, not just the short distance.

User initiation comes into play when the distance is ruled out

It makes sure that even when the proximity check passes, a contactless payment still won’t be possible without you actively initiating it. The initiation involves launching the dedicated NFC application on your phone so that the connection with the NFC reader becomes active.

Some dedicated applications go the extra mile and require a private passcode or even a fingerprint scan to verify and validate a transaction. That way, even if someone manages to launch your NFC app without your knowledge, an extra validation request steps in.

Secure element validation makes it even harder to hack

This security measure spares the process from transferring actual card numbers between the devices involved in the payment. Instead, it sends a unique digital signature for each specific payment. The secure element chip is the final protection layer: once the card or the mobile device has used that secure element chip to validate the purchase, the transaction is allowed and the payment is transferred.

Tokenisation, the cherry on top of the NFC payments’ security

Tokenisation grants privacy and security with NFC payments by ditching the traditional account numbers. Instead, it relies on virtual account numbers for the transactions it facilitates. While it is implemented in all three main NFC payment systems (iOS, Android, and Samsung devices), there are certain differences.

The virtual account number for NFC payments can only be used by your phone.

With Apple Pay, for instance, the encrypted DAN associated with your phone is stored right on the device.

With Android Pay, the encrypted DAN goes into the cloud, with the help of the so-called Host Card Emulation technology.

Whereas with Samsung Pay, the DAN stays on your phone, with the difference (compared to Apple Pay) that it benefits from a special security protocol.

But what is this DAN, after all?

In a nutshell, tokenization and the encrypted DAN work something like this:

  • You install a mobile wallet that supports NFC payments;
  • You type your credit card number into that mobile wallet app;
  • The app will then encrypt your credit card number and send it to the servers of the company that supports the NFC payment on your mobile (Apple, Samsung, or whatever);
  • The account number is decrypted on the company’s servers;
    • The same servers will add the payment network of your credit card to the information associated with your account number;
    • They will encrypt the information again and they will do so by using a key that only your credit card network can unlock;
    • And they will then send this encrypted information to your credit card company;
  • Your credit card company will take the encrypted information, decrypt it, and authorize you to use that specific card with the service that sent the information (Apple Pay, Samsung Pay, whatever);
    • Next, the same credit card company will generate the above-mentioned DAN, which is a Device Account Number, another identifying number for your account, different from the credit card number;
    • At this stage, your bank account has two different identification numbers, but it’s only going to use the DAN with your NFC payments;
    • What’s more, the DAN generated by your credit card company is sent back to the servers of the company that initiated this process;
  • On the company’s servers, the DAN will end up encrypted (as sent from the credit card company), with the major attribute that the servers don’t have its decryption key;
  • From there, depending on what service you work with, they will transfer the DAN to the device or to a cloud server, and enhance it with their proprietary security options.

In other words, if you’re working with Apple Pay, for instance, tokenization means that Apple doesn’t have the account number required for your NFC payments. Your Apple device is the only device that can decrypt that account number and use it to initiate and validate a payment via the NFC technology.
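To make the tokenization flow in the list above, and the per-payment "digital signature" from the secure element section, concrete, here is an added Python model. It is not code from this article nor from Apple, Google or Samsung; it only plays out the steps the text describes: the app seals the card number for the wallet provider, the provider re-seals it for the card network, the network issues a DAN and hands it back sealed under a key held only by the device, and each tap produces a one-off cryptogram that the network checks and refuses to accept twice. Everything in it is constructed: the authenticated encryption is a stdlib HMAC-SHA256 stand-in rather than any real scheme's cipher, the key distribution (an app key shared with the provider, a secure-element key known to the network) is an assumption, and the PAN, DAN and device identifier are sample values.

```python
# Toy model of wallet tokenization (PAN -> DAN) and a per-payment cryptogram.
# Added illustration: the cipher is a stdlib stand-in and the key set-up is an assumption.
import hashlib
import hmac
import secrets

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Toy encrypt-then-MAC on HMAC-SHA256: only a holder of `key` can read or verify it."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag check failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def payment_cryptogram(key, dan, amount_cents, ctr):
    """The per-payment 'digital signature': bound to the DAN, the amount and a counter."""
    return hmac.new(key, f"{dan}|{amount_cents}|{ctr}".encode(), hashlib.sha256).digest()

class CardNetwork:
    """Issues the DAN and is the only party able to map it back to the real PAN."""
    def __init__(self):
        self.provider_key = secrets.token_bytes(32)  # shared with the wallet provider
        self.device_keys = {}   # device_id -> secure-element key (assumed pre-provisioned)
        self.vault = {}         # DAN -> {"pan", "device", "ctr": last counter seen}

    def issue_dan(self, sealed_request):
        pan, device_id = unseal(self.provider_key, sealed_request).decode().split("|")
        dan = "4000" + "".join(str(secrets.randbelow(10)) for _ in range(12))
        self.vault[dan] = {"pan": pan, "device": device_id, "ctr": 0}
        return seal(self.device_keys[device_id], dan.encode())  # provider servers cannot open this

    def authorize(self, dan, amount_cents, ctr, cryptogram):
        rec = self.vault.get(dan)
        if rec is None:
            return False
        expected = payment_cryptogram(self.device_keys[rec["device"]], dan, amount_cents, ctr)
        if not hmac.compare_digest(expected, cryptogram):
            return False    # wrong key, or amount/DAN altered in transit
        if ctr <= rec["ctr"]:
            return False    # replay of an already-spent cryptogram
        rec["ctr"] = ctr
        return True

class WalletProvider:
    """Apple/Google/Samsung-style servers: relay and store blobs, never hold the DAN in clear."""
    def __init__(self, network):
        self.network, self.app_keys, self.stored_blobs = network, {}, {}

    def add_card(self, device_id, sealed_pan):
        pan = unseal(self.app_keys[device_id], sealed_pan).decode()   # decrypted on provider servers
        request = seal(self.network.provider_key, f"{pan}|{device_id}".encode())  # readable only by the network
        self.stored_blobs[device_id] = self.network.issue_dan(request)  # opaque to the provider
        return self.stored_blobs[device_id]

class Device:
    def __init__(self, device_id, provider, network):
        self.id, self.provider, self.dan, self.ctr = device_id, provider, None, 0
        # Assumed key set-up: one key shared with the wallet servers, one in the secure element.
        self.app_key = provider.app_keys[device_id] = secrets.token_bytes(32)
        self.se_key = network.device_keys[device_id] = secrets.token_bytes(32)

    def add_card(self, pan):
        blob = self.provider.add_card(self.id, seal(self.app_key, pan.encode()))
        self.dan = unseal(self.se_key, blob).decode()   # only the device holds this key
        return self.dan

    def tap(self, amount_cents):
        self.ctr += 1   # the reader sees DAN, amount, counter and cryptogram; never the PAN
        return self.dan, amount_cents, self.ctr, payment_cryptogram(self.se_key, self.dan, amount_cents, self.ctr)

def demo(pan="4111111111111111"):   # constructed sample PAN, not a real card
    network = CardNetwork()
    provider = WalletProvider(network)
    phone = Device("phone-01", provider, network)
    dan = phone.add_card(pan)
    try:    # the provider's only key is the app key; the DAN blob was sealed for the device
        unseal(provider.app_keys["phone-01"], provider.stored_blobs["phone-01"])
        provider_can_read = True
    except ValueError:
        provider_can_read = False
    tap = phone.tap(1250)
    return {
        "dan_differs_from_pan": dan != pan,
        "provider_can_read_dan": provider_can_read,
        "first_use": network.authorize(*tap),
        "replay": network.authorize(*tap),
        "altered_amount": network.authorize(tap[0], 99_999, tap[2] + 1, tap[3]),
    }
```

Calling demo() returns a small dict showing that the DAN differs from the PAN, that the provider's servers cannot open the DAN blob they store, and that the network accepts the first cryptogram but rejects both a replay of it and a version with the amount changed. Real wallets use their own cryptogram formats and counters; the shape of the check (binding each payment to the DAN, the amount and a counter that must only ever increase) is what the example is meant to show.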


So, are NFC payments completely secure?

Judging by all the security measures that come into play, NFC is considered one of the most secure payment technologies currently available across the globe. Of course, the “one of the most secure” label doesn’t make it completely foolproof.

By now, we hope you know that pretty much anything digital can be hacked, one way or another, sooner or later. And we also hope you haven’t discovered it first-hand. Anyway, if you’re determined to use NFC technology yourself, it’s best that you always stay aware of the risks, no matter how small they are. So, don’t rely exclusively on the NFC built-in protection mechanisms.

Instead, make sure you do not unknowingly make it easier for hackers to access your device remotely and take advantage of the contactless payments you have enabled on it.

Consumers should always have a strong password in place to protect their mobile phones. If the phone ends up in the wrong hands, at least whoever has it can’t unlock it and make payments.

Whereas merchants should always strive to follow the latest industry standards and to make their credit card processing infrastructure PCI-compliant.

To draw a conclusion…

Being able to pay contactlessly is awesome. No need to swipe anything, no need to recall any PIN number, no need to put your signature on anything. You certainly don’t need to take out your wallet either and search for cash or small coins. You tap and you’re ready to mind your business.

At the same time, nothing is completely safe.

Your security depends on several different things other than the built-in NFC security we outlined above. To give an example, the settings that a financial institution or a retailer relies on can make a huge difference when hackers are trying to get your financial data. And retailers are well known for their tendency to encourage customers to buy by making the process easier, even if that means finalizing an order faster and sacrificing payment security in the process.

What we’re trying to say is that even contactless payments require extra vigilance from your side:

  • Don’t flash your card in crowded places
  • Always pay attention to what apps you’re downloading on the mobile you use to make contactless payments with
  • Set up SMS notifications from your bank
  • And, why not, consider purchasing a screening (RFID-shielding) wallet

Do all that and never ignore the opportunity to learn something new regarding your online security!