Security of contactless payments and how to set up NFC?

How does NFC work?

Attaching a smartphone to the machine to pay for goods is much more comfortable when compared with carrying a couple of credit cards in your pocket.

The technology of NFC (Near Field Communication or Short Distance Communication) is based on the interconnection of 2 coils of electromagnetic type, one of which is in the smartphone, and the other, respectively, in the machine. To start the relationship, both devices must be located at a distance of no more than 5 cm from each other.

How to enable NFC? How to find out if there is a module on a smartphone?

Everything is pretty easy. To understand if there is an NFC module on the user’s Android phone or tablet and activate it, the user needs to go to “Configuration” – “Wireless Communications” – “NFC”.

If a user has a bad habit everywhere and constantly forgets his own credit card, then in this situation, if his gadget is equipped with an NFC module, he is given the opportunity to make his own phone a real credit card. This is done as follows:

• First, you need a credit card that supports paypass technology;
• It is necessary to install on the smartphone the program (client) of the user bank in which the card was made;
• Open the installed program, find the option that is responsible for NFC, and select it. After that, you need to put a credit card to the back of the phone or tablet so that it is considered;
• Following a successful reading, the user will be sent a password consisting of 4 numbers by SMS, which should be saved. This PIN will need to be entered when the user makes a payment using a phone or tablet.

The developers of the module claim that its use is safe because:

1. The user must always enter the PIN code before buying something.
2. The NFC operating range of the microprocessor is only 10 cm (even less in reality).

Method 2: NFC Tags

A typical situation: a person woke up, ate breakfast, looked at the stock in the refrigerator and opened the “Buy a Baton” or “Google Keep” program to add what needs to be bought to the list. After that, he leaves the apartment and turns on the mobile network, gets into the car and activates the GPS, Bluetooth, in order to safely get to the place of work. There, he switches the smartphone to vibrate mode and opens Evernote.

What you need for this:

1. Install the NFC ReTAG program.
2. Find NFC tags or, if the user has contactless metro or public transport payment cards, or maybe long-forgotten or unused bank cards that support Pay Pass.
3. Open NFC ReTAG, scan a card or tag, add it and name it whatever the user wants.
4. After that, you need to select the action that will be performed on the smartphone when the user attaches it to the label, and press the “Action” key.
5. Create an action, for example, launch the “Buy a Baton” program.

After the user has created an action, you can attach a card or a label to the refrigerator (or put it next to it). From now on, every time the user enters the kitchen, he is given the opportunity to instantly launch the “Buy a Baton” program and save a reminder with a list of mandatory purchases.

How to do?

1. It is necessary to scan a card or a label, name it.
2. Designate an action – launch the GPS program, and also open Bluetooth wireless information transmission.

If the smartphone has Root rights, then this will also increase the possibility of using NFC tags and a person will have more “chips” to automate the processes of a phone or tablet.

This is a data transmission method (similar to Bluetooth) using the NFC microprocessor. It is important to remember that the data exchange rate using Android Beam is very low, and therefore it would be advisable to use it only for transferring a small amount of text or links.

For this you need:

• Press the “Expand” key;
• Bring both devices to each other;
• When the image on the display of the transmitting device becomes smaller, click on it to start transmission.

A smart bracelet or ring with an NFC option is an innovative project of developers from China, which is suitable for phones running on various operating systems. The bracelet can be chosen for any hand size (a similar situation with the ring). The weight of the device is very small, but the main thing is that it fully supports NFC technology.

The role of the chip, for example, in the Band 3 BFC device, is played by a specialized chipset. With the help of the latest, the smart bracelet helps the phone to transmit information via a contactless type channel, thus maintaining high security. Information on the device can be rewritten an unlimited number of times.

The bracelet stores payment information, records and other personal data. Viewing the information is not difficult – just put the bracelet on the phone display. In a matter of seconds, it will establish a connection with the smartphone and disable the display lock, and will also play the role of a hot key. For example, while bringing the bracelet to the phone, the camera, network or social network program is activated at the same moment.

Other options

NFC modules are found on labels in stores or in museums on information plates, during the scanning of which the user will be taken to a site with full data about the product or rack.

NFC Security

It makes no sense for users who use contactless cards for a long time to talk about what NFC technology is. This payment method is safer than the usual method of activating a PIN card in a machine, because no one sees the code. Even if the phone is stolen, the thief will not be able to withdraw more than a thousand rubles from the card due to global limits on limiting amounts in contactless transactions.

In some media, there are reports that hackers have created terminals that are used in crowded places, stealing funds covertly. But this is only real when the phone is unlocked.

In order to thoroughly understand everything, below are all kinds of myths, rumors and real situations related to the security of NFC technology.

Distance

Contactless cards use NFC technology, a subcategory of RFID, to transfer information. On the credit card there is a processor and an antenna that respond to the request of the settlement terminal at a radio frequency of 13.56 MHz. Different payment systems use their own standards, such as Visa Pay Wave or MasterCard Pay Pass. But they are all based on almost the same principle.

The distance of information transmission using NFC varies within a few cm. In this regard, the first step of security is physical. The reader, in fact, must be brought close to the credit card, which is quite difficult to do discreetly.

However, it is possible to create an extraordinary reader that works over a long distance. For example, scientists from the University of Surrey in Britain showed the technology of reading NFC information at a distance of about 80 cm thanks to a practical scanner.

This gadget is really capable of secretly “polling” contactless cards in minibuses, malls, airports and other public places. Fortunately, in many states, the proper credit cards are already in the purse of every second person.

Nevertheless, it is possible to go much further and do without a scanner and personal presence. Another unusual solution to the range problem was presented by hackers from Spain. R. Rodriguez and H. Villa who presented the lecture at the Hack In The Box meeting.

Most new Android phones are equipped with NFC. At the same time, gadgets are often located in close proximity to a purse – for example, in one backpack. Villa and Rodriguez developed the concept of a Trojan (virus) on Android that turns the victim’s phone into a kind of NFC signal repeater.

When an infected smartphone is next to a contactless credit card, it sends a signal to hackers via the network about the reach of the operation. Attackers launch an ordinary payment terminal and attach their own NFC phone to it. Therefore, a bridge is “built” using a network between the terminal and the NFC card, which can be located at any distance from each other.

The virus can be transmitted in the usual way, for example, when bundled with a “hacked” paid program. All you need is Android OS version 4.4 or later. Root rights are not required, however, they are recommended so that the virus can function even after the device’s screen is locked.

Cryptography

Of course, approaching the map is 50% of success. Following this, it is necessary to break a much more powerful barrier, which is based on cryptography.

Contactless transactions are protected by the same EMV standard as processor cards. Compared to the track of the magnet, which can actually be copied, such a move will not work with the processor. At the request of the terminal, the chip generates a one-time key each time. It is possible to intercept such a key, but it will no longer be suitable for a subsequent operation.

There is, by the way, one nuance. In the usual implementation, the security of processor cards is based on a combination of crypto keys and a person entering a PIN code. In the process of contactless transactions, a PIN code is most often not needed, so only the crypto keys of the card processor and terminal remain.

Purchase amount

There is another level of security – the contactless transaction limit limit. This limitation in the configuration of the terminal equipment is set by the acquirer (bank), which is guided by the advice of payment systems. In the Russian Federation, the maximum payment amount is one thousand rubles, and in America the threshold is $ 25.

A large amount of payment will be refused or the machine will begin to require auxiliary identification (signature or PIN code), it all depends on the configuration of the acquirer – card issuer. During attempts to alternately withdraw a couple of amounts less than the limit, the auxiliary security system should also be activated.

But even here there are specifics. Another group of Newcastle University scientists from Britain said almost a year earlier that they had found a loophole in the security of contactless transactions of the Visa payment system.

If you request a payment not in pounds sterling, but in another foreign currency, then the limit on the amount is not included. And if the terminal is not connected to the World Wide Web, then the maximum amount of a hacker operation can reach one million euros.

Employees of the Visa payment system denied the implementation of such a hack in practice, saying that the operation would be denied by the bank’s security systems. If you believe the words of Taratorin from Raiffeisenbank, then the terminal controls the threshold amount of the payment, regardless of the currency in which it was carried out.

Conclusion

In conclusion, it is worth noting that the technology of contactless payments is, in fact, closed by excellent multi-stage protection, but this does not mean at all that user funds are safe with it. Too many things in the cards of banking institutions are interconnected with very “old” technologies (magnet strip, network payment without auxiliary verification, etc.)

In addition, much lies in the attentiveness of the configuration of certain financial institutions and outlets. It is worth noting that the latter, in the race for quick purchases and a small percentage of “abandoned carts”, very much neglect the security of transactions.