Ask Identive

Is Identity Theft Possible Through NFC?

The news segment above addresses electronic pickpocketing. AskIdentive received this link along with a request for clarification: is this level of identity theft possible through NFC?

The short answer is “NO.”

Contactless credit cards come with the benefit of less time spent per transaction at the POS terminal. This ease of use has had the side effect of raising some valid security concerns. An understanding of how NFC works and how the contactless cards work will help alleviate these concerns.

The video attempts to demonstrate the drawbacks of RFID through credit cards that have an RF chip embedded in them. RFID has many long-range applications, whereas the NFC specification restricts itself to a theoretical limit of 20 cm. In practice the operating distance is much less, which means that the two NFC ends have to physically touch each other for a transaction to take place. NFC can be seen as a subset of RFID with a security envelope which, when combined with the short-range (near field) application, prevents data tampering.

Going back to the video, it should be seen more as a set piece that, while identifying the security concerns, exaggerates the drawbacks of contactless credit cards to the point of misleading the consumer. It could also be propaganda for companies that manufacture protective sleeves for RFID cards and badges.

In addition, contactless credit cards are primarily smart cards that hold a limited amount of data and don't include personal details. It is indeed possible to read data from these cards, but the limitation on the data makes the eavesdropper incapable of using the stolen data for a valid transaction. The same goes for the reader used in the transaction: the data sniffed by the reader cannot be recreated and is not necessarily sufficient to clone the credit card information.

The credit card providers implement different steps to prevent identity theft through data skimming. These include:

1. different security code for each transaction;
2. a unique code different from the credit card number is used in transaction;
3. minimal data transmitted;
4. minimal range for transmission.
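
The first two measures in the list above can be modelled in a few lines. This is an added illustration, not Identive's or any card scheme's code: the HMAC-SHA256 construction, the 6-digit code length, the counter, the terminal challenge and the names `Card`, `Issuer` and `TOKEN-0001` are all assumptions standing in for the real per-transaction code algorithms.

```python
import hashlib
import hmac

def dynamic_code(key: bytes, token: str, counter: int, challenge: bytes) -> str:
    """Per-transaction code. HMAC-SHA256 stand-in, not a real card-scheme algorithm."""
    msg = token.encode() + counter.to_bytes(2, "big") + challenge
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"  # 6 digits: assumed length

class Card:
    """Chip side: the key stays inside; only token, counter and code are transmitted."""
    def __init__(self, token: str, key: bytes):
        self.token, self._key, self._counter = token, key, 0

    def respond(self, challenge: bytes) -> dict:
        self._counter += 1  # every read or tap consumes a counter value
        code = dynamic_code(self._key, self.token, self._counter, challenge)
        return {"token": self.token, "counter": self._counter, "code": code}

class Issuer:
    """Issuer side: recomputes the code and refuses counters it has already passed."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, token: str, key: bytes) -> None:
        self._keys[token], self._last[token] = key, 0

    def authorize(self, msg: dict, challenge: bytes) -> str:
        key = self._keys.get(msg["token"])
        if key is None:
            return "rejected: unknown token"
        if msg["counter"] <= self._last[msg["token"]]:
            return "rejected: stale counter"
        expected = dynamic_code(key, msg["token"], msg["counter"], challenge)
        if not hmac.compare_digest(expected, msg["code"]):
            return "rejected: bad code"
        self._last[msg["token"]] = msg["counter"]
        return "approved"

def demo() -> dict:
    key, token = bytes(range(16)), "TOKEN-0001"   # constructed sample values
    card, issuer = Card(token, key), Issuer()
    issuer.enroll(token, key)
    copied = card.respond(b"\x00\x00\x00\x01")    # data read off the card by a third party
    paid = card.respond(b"\xaa\xbb\xcc\xdd")      # genuine tap at a register
    return {  # evaluated top to bottom; the register's challenge differs from the copy's
        "copied": issuer.authorize(copied, b"\x11\x22\x33\x44"),
        "genuine": issuer.authorize(paid, b"\xaa\xbb\xcc\xdd"),
        "replayed": issuer.authorize(paid, b"\xaa\xbb\xcc\xdd"),
    }
```

In this model a static copy of what the card transmitted fails either because the register issues a different challenge or because the issuer has already moved past that counter value.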

When combined with these features, NFC brings added protection. Identive’s solutions are specification-compliant, making them ready for the demands of the transaction market. From a security and ease-of-use point of view, it just works™.

4 Comments
  1. Tony Abruzzio
    Posted February 27, 2012 at 11:29 AM | Permalink

    And….contactless through NFC phones is not passive as is this NFC card scenario. You can’t pass a contactless reader by a phone and have it activate the phone. The phone must be activated.

  2. Posted February 27, 2012 at 11:46 AM | Permalink

    That is a very valid observation, Tony. Having a self powered active host like an NFC enabled mobile phone further prevents snooping devices from unauthorized access. Thanks for the input.

  3. Jake Sampson
    Posted March 7, 2012 at 5:12 PM | Permalink

    I was able to read the NFC chip in my Chase card, then program a blank NFC label with that data. Would this label not work at a register?

  4. Posted March 8, 2012 at 2:20 PM | Permalink

    Thanks Jake.
    Card cloning of contactless credit cards is a threat similar to radio eavesdropping. Card cloning leads to fraudulent transactions including recreating a past transaction. It needs to be checked how the particular Chase card functions but one of the secure ways to prevent cloning of cards is to employ session keys. The chip in the credit card stores a secure element, a key that cannot be sniffed or read from outside the card. So, when you use your contactless card for payment, this key is used to create a dynamic transaction ID like CVC3 (Mastercard) or dCVV (Visa). One cannot copy the private key thus preventing a full clone of the card. The transaction ID is required for a successful financial transaction and a ‘cloned’ card will hence not work at the register. Hope this helps.