The revolution is here! No, not the TV series; the smartphone revolution. In fact, the smartphone revolution has been going on since 1992, when IBM in collaboration with Bellsouth introduced Simon, the personal communicator. This was the first device to combine a cell phone with data access and email, mobile applications, touch screen display with virtual keyboard, and fax capabilities.
Over the past 20 years smartphones have become indispensable in our business and personal lives. They have replaced computers, maps, PDAs, calendars, cameras and video equipment, to name a few. Now, they are poised to replace our wallets, or at least their contents, specifically – cash, credit and debit cards, loyalty cards, coupons, and much more with a technology called “Near Field Communication” (NFC). Industry specialists predict NFC will be as pervasive as Bluetooth is today.
This whitepaper provides an overview of NFC, in particular as it relates to smartphones, standards, usage/applications, security issues, obstacles to market and consumer expectations.
NFC is a set of standards for short-range radio communications for smartphones and similar devices that is established when the devices touch one another or are brought into close proximity to one another (about 4 cm or 1.57 in). NFC operates at 13.56 MHz with data exchange rates between 106 kbit/sec and 424 kbit/sec. NFC has a maximum operating range of 10 cm or 3.94 inches.1
Actually NFC technology is not new. It incorporates a variety of existing Radio Frequency Identification (RFID) technology standards such as ISO/IEC 14443 and FeliCa (a.k.a. Japanese Industry Standard). NFC builds on these existing standards by allowing two-way communications compared to traditional RFID devices, which allow only one-way communication such as proximity security access cards or RFID inventory tags. In addition, the NFC Forum defined a common data format called NFC Data Exchange Format (NDEF) to store and transport various type of data (i.e. credit card information). The NFC Forum (www.NFC-Forum.org) is an industry association established in 2004 by Nokia, Phillips and Sony to promote NFC, establish standards and certify device compliance. Today there are over 150 members.
NFC always involves an “active” initiator (a.k.a. a reader) which generates an RF field via magnetic induction that can power a “passive” target (a.k.a. tag). This is why security proximity cards, which are a passive device, require no batteries. This is referred to as “Passive Communication.” There is another mode of communication referred to as “Active Communication” whereby the devices alternate generating their own magnetic fields. One device turns off their field while awaiting a response from the other.2 This is how smartphones with NFC capability communicate.
In the case of an NFC-equipped smartphone, the phone could act either as a passive device/card (i.e. credit card) or as an active device/reader (i.e. accessing information from a smart poster) in another depending on function.
NFC has some exciting and promising applications designed to make life easier and more convenient by making it simpler to process financial transactions/payments, exchange digital content (photos, business cards, etc.) or connect to other electronic devices. NFC enables quicker e-commerce transactions and makes it easy to share and learn about data from other NFC-equipped devices. Examples of applications include: 3 4
• Commerce with Contact-less/mobile payment – Some Android phones already incorporate this technology. Google Wallet allows consumers to store credit and store loyalty card information in a virtual wallet which can be used on an NFC-enabled point of sale device to make payments simply by waving the phone near the reader. Many European and Far Eastern countries have tested NFC ticketing in their public transportation systems. Mobile payment works best for “micro-payments” (under $25) that do not require a signature and making high transaction volume retailers better suited for the technology.
• Social networking/Peer-to-Peer – Enables exchange of digital information such as schedules, business cards and photos simply by bringing NFC-enabled devices close together.
• Transferring Data - Sending photos/data from one NFC-enabled device to a TV or printer.
• Bluetooth & WiFi Connections – NFC simplifies the pairing of devices using Bluetooth or WiFi. NFC initiates the pairing process by sending the relevant device data to the reader and eliminating manual steps that a user must go through.
• Advertisement – NFC-enabled smartphones are able to access product information directly from a poster or advertisement which has an embedded NFC chip by getting close to the poster or touching it. This could include product data, URL, location coding, telephone number, etc. Tapping the phone on website URL noted on the poster could launch the website.
Mobile payment has been popular in the Far East and European communities for many years. 5 6 7 China, UK, Japan, Russia, Korea and many other countries are using mobile payment in their public transportation systems.8 In the U.S., NFC-enabled handsets are just beginning to find their way to market. To accelerate this process, the four largest carriers in the U.S. (Verizon Wireless, AT&T, and T-Mobile) have formed a group called ISIS. Their objective is to create a virtual wallet standard for NFC equipped mobile devices. Their efforts are starting to pay off as Motorola recently released three NFC equipped phones – Droid Razr M; Droid Razr HD; and Droid Razr Maxx HD. Samsung has the Galaxy S II and III and the Galaxy Nexus. Unfortunately, the much anticipated release of the iPhone 5 did not include NFC capability (what would Steve Jobs have done?).
The delay in deployment of NFC-equipped devices in the U.S. is due to a number of reasons:
• It is a complex ecosystem with too many stakeholders such as financial institutions, equipment manufacturers, mobile network operators – each with its own objectives and priorities. Everyone wants a system but is unwilling to compromise to create a unified system. This makes it difficult for business owners to decide which NFC solution to support. Businesses want a single solution that will support their business and operational needs and work across all platforms.9 10
• Business model is currently focused mainly on mobile payment.
• For a retailers with thousands of existing Point of Sale (POS) terminals, the cost of upgrading to NFC could cost $150-$170 per terminal,11 making the transition potentially cost prohibitive.
• Users’ reluctance to have NFC payments automatically tied to their existing credit cards or bank accounts. This is a much bigger hurdle to clear than the technology.12
While NFC is a short-range communication technology, limited operational distance is not a safeguard against attacks. Independent organizations have successfully demonstrated, in controlled settings, vulnerabilities associated with NFC-enabled devices and have recommended countermeasures:
• Eavesdropping – RF signals are picked up with antennas. This can be combated with encryption.13
• Data modification – Altering or combining message data. This can be combated with the use of digital signatures and certificate authentication. NFC Forum NDEF specifies the use of strong cryptographic algorithms. A digital signature provides integrity and authenticity. Some signatures also provide confidentiality for all or part of a message. Digital signatures provide users with a level of comfort that the data they receive is coming from a legitimate site since it has been signed by a trusted third party.14 15
• Relay attacks – Researchers have shown that relay attacks are a viable means of attacking an NFC enabled device to collect sensitive user data such as credit card information during a commercial transaction. The actual method of attack is quite complex and beyond the scope of this paper but more information is available at the noted endnote.16
• Loss of Device - Similar to a credit card, a lost NFC-enabled smartphone is a vulnerability. Users should have password security on their smartphones with a moderate to strong password to prevent unauthorized access if the phone is lost.
• Data Security - Ensuring security for NFC data will require the cooperation of all stakeholders.
o Device manufacturers will need to safeguard NFC-enabled phones with strong cryptographic protocols and security software. With most NFC-enabled phones running on the Android operating system (OS), this will be a tall order as the Android OS was the most attacked mobile OS in 2011. Researchers, including security specialist McAfee, reported a 472% increase in Android malware attacks during 3rd quarter 2011.17 18 The system’s openness and popularity make it a ripe target for cybercriminals.
o Consumers will need to protect their personal devices and data with strong passwords, keypad locks and antivirus software.
o Application providers, vendors and financial institutions will need to use antivirus and other security solutions to protect against spyware and malware.
The smartphone revolution is here to stay. Furthermore, it is only going to pick up speed as the number of NFC-enabled smartphones increases. In 2011, only about 5% of the mobile phones were NFC-enabled. By 2016, 46% of these phones should be NFC-enabled. The revenue growth for NFC related applications is expected to grow from $7,686 million in 2011 to $34,515 million by 2016.19
While mobile payment is the most attractive application, it has been the slowest to be adopted in the U.S. due to the complex ecosystem. Experts believe that by 2020, mobile payment could eliminate the need for consumers to carry cash or credit cards.20 As we shift from the Baby Boomer generation to Generations X and Y, there will be greater adoption and acceptance of NFC-enabled mobile wallet system due to increasing confidence, trust and ubiquity of such systems. Until then, we will continue to see growth in less security sensitive NFC applications such as data sharing and device connections.
To learn more about how OneBeacon Technology Insurance can help you manage technology risks, please contact Dan Bauman, Vice President of Risk Control for OneBeacon Technology Insurance at email@example.com or 262.966.2739.
1 “Relay Attack on Contactless Transactions by Using NFC Mobile Phones” Accessed October 2012, https://eprint.iacr.org/2011/618.pdf
2 Foresman, Chris. “Near Field Communications: A Technology Primer” (Feb 2011), Accessed October 2012 , http://arstechnica.com/gadgets/2011/02/near-field-communications-a-technology-primer/
3 Ibid 2
5 Ibid 2
6 Ibid 4
9 Ibid 7
10 Ranger, Steve. “Barclaycard’s Pay Tag upgrades your phone for contactless payments”, (April 2012), Accessed October 2012, http://www.techrepublic.com/blog/european-technology/barclaycards-paytag-upgrades-your-phone-for-contactless-payments/
11 Bradley, Tony. “What you need to know about NFC Smartphone Payment”, PC World, (Feb 2011), Accessed October 2012, http://www.pcworld.com/businesscenter/article/218475/what_you_need_to_know_about_nfc_smartphone_payments.html
12 Ibid 7
13 Ibid 2
14 Rosati, Tony. “Elliptic Curve Certificates and Signatures for NFC Signature Records”, Accessed October 2012, http://members.nfc-forum.org/resources/white_papers/Using_ECQV_ECPVS_on_NFC_Tags.pdf
15 Saeed, Muhammed & Walter, Colin. “An Attack on Signed NFC Records and Some Necessary Revisions of NFC Specifications”, International Journal for Information Security Research, (June 2012), Accessed October 2012, https://repository.royalholloway.ac.uk/file/12d8509d-8a57-f959-6af3-ba71b9cd4333/7/Attack_on_NFC_records_and_countermeasures_formated.pdf
16 Ibid 1
17 Storm, Darlene. “Androd dubbed a cyber menace as mobile malware explodes”, (November 2011), Accessed October 2012, http://blogs.computerworld.com/19309/android_dubbed_a_cyber_menace_as_mobile_malware_explodes
18 Rao, Leena. “McAfee: Nearly all new mobile malware in W3 targeted at Android phones” (November 2011), Accessed October 2012, https://techcrunch.com/2011/11/20/mcafee-nearly-all-new-mobile-malware-in-q3-targeted-at-android-phones-up-37-percent/
19 By: marketsandmarkets.com, “NFC Market: Global Forecast & Analysis” Report Code: SE 1731 , (October 2012), Accessed October 2012 http://www.marketsandmarkets.com/Market-Reports/near-field-communication-nfc-market-520.html