Mastercard reports that NFC payments increased by 40% in Q1 2020, and the obvious reason for this sudden rise in contactless payments is people’s fear of getting infected with the novel Coronavirus. Consumers prefer NFC payments because they can pay and leave the store quickly, without touching bills, coins, cards, POS buttons, or anything else. Before the Coronavirus outbreak, the adoption of mobile payments was climbing at a year-over-year rate of about 10%, so a 40% jump in a single quarter is definitely unexpected.
Mastercard believes that people will continue to prefer “card not present” payment methods even after the pandemic is over, as they will have experienced the convenience and multiple benefits that come with NFC. Near-Field Communication (NFC) is a protocol that enables data exchange when your smartphone touches another device, and it is also what connects your phone to a payment terminal. It has been available since Android 4.4 and iOS 11. NFC is slow in terms of data transfer rate (424 kbit/s), and its maximum range is quite limited as well (20 cm), but it still works well for commercial purposes.
The issue with NFC is the number of safety gaps that underpin it. First, it doesn’t support cryptography with RFID. Secondly, there’s no handshake confirmation, so there’s no tag authentication system in place. Anything that comes close to your smartphone may beam data to, or receive data from, your NFC unit. Of course, most smartphones and apps require the user to authenticate in order to activate the NFC unit, usually by touching the fingerprint sensor or entering the PIN. However, this is not always enough, and it is not absolutely insurmountable either.
In February, we covered a story about German PayPal users having money deducted from their accounts after purchasing something via NFC. At Pwn2Own 2019, hackers proved that it was possible to exploit a use-after-free flaw in the NFC component of the Samsung Galaxy S10, which allowed them to escape the sandbox. F-Secure researchers triggered a cross-site scripting bug by targeting NFC on the Xiaomi Mi9. In June 2019, researchers from Waseda University in Tokyo exploited the NFC module in Android devices to generate “ghost” taps that could do essentially anything the actor wanted on the target device.
So, should we ditch NFC? Well, no. Our advice would be to enable it only when you need it, and disable it once you’re done with the payment. We know this defeats the purpose of convenience, but it should be an acceptable trade-off for security.