Why cybercrime using NFC poses a huge threat to your money

You have probably seen and heard about how I bang on about digital security! How I try to raise awareness of all users and systems on the world of cyber.



One of the reasons, like many of us in the penetration testing areas, is that we think outside the box.

I see problems and issues with so many shiny and new products that are released on the unsuspecting public that I often have to play the devils advocate card.   As more and more of the public follow the bright shiny sales pitch and invest in the hype my job gets harder.

So from the matrix lets “Follow the white rabbit…”

I have been called a scare monger and if that is the case, I am doing my job properly.

So to add another one to the piles of things happening.

How about near field communication (NFC).

What is that you ask?

You know it as paywave or tap and go. Even the new Australian passports and the transport cards in Sydney and Melbourne are NFC enabled.

Such a convenient and easy way to do things.

If you have seen some of the adverts from Visa then it can be used anywhere and everywhere.   Supposedly you don’t even have to take it out of your pocket to pay for things.

Lucky for us, any losses from any of these systems is covered by the banks, except if it is a business account, then it is a little more difficult.   The banks say that it is running about 2-3% digital fraud, the security industry say it is running as high as 14%.

Once again it is a problem with the technology itself, and no amount of hype can change that!

When originally created and put out to the real world, you needed a specific reader and the card had to touch the reader to enact a transaction.   The first time I saw it, a comment from a mate was – “it won’t be long before that is hacked”

Today you can pay $200 on eBay for a device that extends that range to 1 meter. Put it in a backpack and walk down a crowded train, instant cash for the bad guy.

Having cards, passports and tickets with NFC wasn’t good enough. We now have NFC on our smart phones.

The newest reiteration of android phones and the iPhone 6S have this new ability. Google wallet and Apple Pay use NFC to work.

The hype? it is safe and secure transaction process!

The problem with that is that if your phone gets infected with a certain type of malware, (and hundreds of smart devices are) it turns it into a payment system processor for any NFC card that approaches that phone. That includes your own cards.

How do we protect ourselves?

There are drastic measures you can take –

* tell the bank, Australian government you do not want a card / passport with NFC associated with it (good luck with that) or
* you can put a small hole in your credit card that cuts off the antenna from the chip ( not as easy as it sounds, definitely something you do not want to do to your passport)

Less drastic solutions:

* Get a protective card / wallet that reduces NFC and put it with your credit cards, passport and ticket
* Get a protective sleeve, envelope and put your credit card, passport or ticket in it. Take it out when you want to use the card.
* Do not allow your credit card / passport out of your site when making transactions – the device comes to you and your card does not go to the device unattended.
* Get anti virus for your phone. You heard me!
* Turn off NFC on your phone when you do not need it.

Once again something created for good has been perverted by the bad guys. This is their modus operendi!   If it can be created, reverse engineering will deconstruct it and that process will always find flaws.   Those flaws are easily compromised when you know how the system works.

Once again I will reiterate my message – TRUST NO ONE

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.