(Originally published in Information Week, an article by Shailesh Kumar Davey)
The convenience of an NFC-enabled phone comes with some security risks, as criminals are likely to abuse the tap-and-pay NFC technology used in mobile payment programs.
Imagine a world where you leave your house without keys, walk into your office without an ID card and book movie tickets without cash or cards! Yes, such a world is possible with the Near Field Communication (NFC) technology.
NFC enables wireless data transfer between two devices that are very close to each other. NFC is a subset of RFID technology and is based on the principle of electromagnetic fields that interact with each other (proximity is the key thing here). It is noteworthy that wireless technologies like WiFi and Bluetooth are based on the principle of direct radio transmission and hence support wireless transfer over larger distances. These should not be confused with NFC technology, which requires proximity.
Where is NFC useful? Any activity that calls for proximity of a card/tag and its reader can be made simpler with NFC. Examples include credit card payments, access card authorization and attendance tracking, smart tag readers, etc. For example, in a credit card payment the credit card is swiped or inserted into a reader. By NFC-enabling both the credit card and the reader, one can transfer information between them by just tapping the card on the reader; this is called “tap and pay”.
The mobile phone industry has taken note of this and is NFC-enabling phones. An NFC-enabled phone can securely transfer data to and receive data from another NFC-capable device when placed in close proximity. So now the mobile phone can serve as a credit card or access card, transferring the required details to an NFC-enabled reader: in short, a digital wallet.
This convenience of an NFC-enabled phone comes with some security risks. In the consumer world, an NFC-enabled phone holds a lot more data, such as debit/credit card details, and will be used as a digital wallet.
According to a recent study by McAfee, in 2013 criminals are likely to abuse the tap-and-pay NFC technology used in mobile payment programs, or digital wallets. Losing the phone would mean losing your access card, credit/debit cards and other information. The simple practice of password-protecting your phone and installing apps that geo-locate it will go a long way in mitigating such risks.
Another way data can leak in the NFC world is via eavesdropping, wherein intruders tap in to NFC signals using advanced electronic circuits. To prevent eavesdropping, NFC standards are also being improved with authentication and encryption of sensitive data during transfer.
In an enterprise environment, NFC technology increases the security risks because of its extreme ease of use. Internal data can be leaked easily just by placing phones close to each other. A virus-infected device can steal information from every other device that it comes in contact with. The security risks of the consumer world are applicable to enterprises too.
Hence, NFC is certainly adding to the security concerns of a CIO and has to be considered when implementing the BYOD (bring-your-own-device) model. At the recent Mobile World Congress (MWC) in Barcelona, most of the action was about faster phones, glitzier features and sharper displays. However, MWC also saw two of the key services that will require air-tight security: BYOD and mobile payments via NFC.
These security risks can be mitigated in the enterprise by a combination of tools, policies and training. These policies should give the IT teams access to devices while minimizing liability, prioritizing data security and at the same time recognizing the needs and rights of employees.
The two most important acronyms relevant here are:
• IAM – Identity and Access Management
• MDM – Mobile Device Management
IAM, as the name suggests, helps in access control and ensures that the right people have access to the right set of data. This in itself will reduce the chances of a data leak to a large extent. An IAM solution like ‘Active Directory’ from Microsoft is a good starting point for this.
MDM solutions help you to define, implement and verify security and data leak prevention policies on mobile phones and tablets. In the context of NFC, MDM solutions can alert the IT admin via e-mail on detection of NFC in phones/tablets. Admins can also disable or enable the NFC feature in a phone. With help from such solutions, and with employees exercising caution in accessing and handling data wirelessly, enterprises can benefit from NFC.
But interestingly, Android-based phones are taking a lead in NFC vis-a-vis Apple phones. So one never knows! Let’s get ready to tap both our feet and phones securely.