NFC: The Technology of the Future, and Always Will Be?

NFC is a communication technology using short range electromagnetic fields (i.e. RF and microwaves)

Near Field Communication (NFC) has been around for a pretty long time, but has not gotten much market traction. But that is going to change. NFC is now at a tipping point because large mobile phone makers, credit card issuers, and financial processing companies have finally figured out how to make mobile payments secure by using strong cryptographic methodologies, namely, tokenization. The breakthrough comes from token issuing authorities being inserted right into the existing credit card processing system, allowing cryptography to be implemented without majorly redesigning the payments system. This will power a growth explosion in the mobile payments market, and is a perfect example of how security can truly make a market. It is not hard to envision that same market-making dynamic fueling growth of the emerging Internet of Things (IoT).

Ironically, despite its perfectly literal name, “Near Field Communication”, NFC suffers from an identity crisis. As the name clearly articulates, NFC is a communication technology using short range electromagnetic fields (i.e. radio waves). So, you would think that the name would speak for itself, but, as often happens, a specific technology becomes conflated with the ways it is used. This has happened with NFC.

The uses of NFC can be described as sharing, pairing, and transactions. Transactions are by far the long pole in the NFC tent, and that is why many people currently think NFC actually is a payments system. The truth is that NFC is just a small part of the payment system, specifically the wireless pipeline that connects a mobile device or equipped smart card to the rest of the payment system without the need for a physical electrical contact. That allows transactions by simply bumping a payment terminal. Payments systems like Apple Pay, Google Wallet, Visa Pay Wave, MasterCard Pay Pass, American Express Express Pay, Softcard (Isis), and others can use NFC and apply their own security mechanisms. It is important to bear in mind that NFC has many more uses than payments, but payments are what will make NFC part of everyone’s life, every day, and its growth will be staggering.

The worldwide ubiquity of smartphones is intersecting with the convenience of NFC and the security of tokenization. This combination will drive the growth of NFC-equipped smartphones to 1.2 billion by 2018, according to respected research firm IHS, representing a 34% compound annual growth rate. With Android smartphones making up the bulk of the smartphone market, they also represent the lion’s share of NFC smartphone deployments, with 254 million units shipped in 2013, which makes Android 93% of all NFC-equipped cellphones. By 2018, Android-NFC phones could reach 844 million units, with share falling to 75 percent due to other companies joining in, mainly the 800 pound gorilla, Apple. The takeaway is that NFC is clearly becoming a default technology in handsets.

NFC Security

Even current card payment systems have security built into the way they handle transactions. That is why we all have to wait for an authorization from the card processing company after swiping our card at a retail store. But as anyone who has gotten a call from the fraud department of their credit card company knows, that system is not very secure at all, which is largely because we hand over our cards to retail clerks and waiters with our card number, expiration date, and security codes in plain sight. Also, our card numbers and personal data sit inside insecure systems at dozens of retail companies (just ask Target and Home Depot about how secure their systems have been). But the most perplexing point is that mag-stripe card technology is from the era of eight-track tapes and shag carpeting. Mag-stripe is such a poor technology that in 2013 the US, which mainly uses mag-stripe, accounted for 47 percent of global fraud, while processing just 24 percent of the payments by volume.

Clearly, the time is long past due for worldwide, truly secure personal financial transaction security, and tokenization appears to be what will provide that.

Obstacles to NFC’s Adoption

The main obstacle to NFC’s adoption has been an array of big-money institutions jealously angling for a position to get their unfair share of the enormous payments processing pie. The players range from mega-banks (i.e. the “too big to fail” crowd), to behemoth credit card companies (who charge big fat fees that in the old days were considered usury), powerful card processing companies, major mobile phone makers, software ecosystem developers, numerous international governmental agencies, and several others. The machinations among these groups would impress Niccolo Machiavelli, Charles Darwin, and the Borgia family (but that is a topic for yet another article). With so many power-players bearing down from different directions, the mobile payments landscape has become Balkanized, retarding the spread of NFC technology. That is finally poised to change due to tokenization and mobile phones.

Tokenization

Tokenization is a very fundamental cryptographic function, which is based upon a simple but major tenet of cryptography; namely, to keep secrets secret. Your credit card number is a perfect example of something you want to keep secret. So, what if you could hide that and replace it with something completely useless to unintended parties? That concept is very powerful, especially when using a mobile phone as a credit card, because mobile phones were created precisely to broadcast information into the atmosphere. Phones contain multiple communications channels, each of which can be attacked, such as NFC, Wi-Fi, Cellular, USB, GPS, and Bluetooth. It is easy to see the problem, right? How do you protect sensitive, secret information such as digital IDs, passwords, credit card account information, and financial secrets when using the most communicative devices ever invented? Tokenization is how, and it will be a big deal.

As noted, the whole idea behind tokenization is to keep the secret information secret by hiding it in a secure location and using a substitute identifier. The best way to hide information on a mobile device is inside an integrated circuit with built-in hardware protection mechanisms. In an NFC-equipped cell phone that hardware is called the “secure element” (which is a descriptive name, for sure). With tokenization the user’s information is disguised using cryptography into a form that looks like the original data and can be used to complete a secure transaction, but only with specified parties inside the system who can securely tie that information back to the credit card number. To use the verbiage of a top executive at VISA, “Tokenization takes the actual card account number out of the flow.”

For each individual transaction, the tokenization process substitutes the account number with a unique numeric representation that has the property that it cannot be used to reconstruct the secret account number. The mathematics that makes this possible is largely based upon hashing and signing functions using cryptographic algorithms such as SHA, AES, ECC, RSA, or others.

Each transaction is randomized using a different random number. Note that the secret stored in the mobile device will probably not even be the actual card number. It’s most likely that the secret stored in the phone will be a unique “device account number” assigned by a token service provider. The actual card number will be held securely by the token service provider. (The device account number is likely what the tokenization specification calls the “payment token”.) Because each transaction uses a randomized value, there is no correlation between one transaction value and the next. They are as different as different can be—by definition. So, the secret cannot be derived by an attacker analyzing subsequent transactions.
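The flow described above, as an added example that is not part of the original article and not any payment network's actual scheme: the names `TokenServiceProvider`, `make_cryptogram` and `pay` are hypothetical, the card number is a constructed sample, and HMAC-SHA256 with a random nonce stands in for whatever keyed one-way function a real tokenization specification uses.

```python
import hashlib
import hmac
import secrets


class TokenServiceProvider:
    """Hypothetical token service provider: the only party holding card numbers."""

    def __init__(self):
        self._vault = {}    # device account number -> (card number, device key)
        self._seen = set()  # (device account number, nonce) pairs already used

    def provision(self, card_number):
        # Issue a random device account number (the "payment token") and a
        # random device key; neither is derived from the card number.
        device_account = "".join(secrets.choice("0123456789") for _ in range(16))
        device_key = secrets.token_bytes(32)
        self._vault[device_account] = (card_number, device_key)
        return device_account, device_key

    def authorize(self, device_account, nonce, amount_cents, cryptogram):
        # Map the token back to the card number only for a fresh, valid cryptogram.
        entry = self._vault.get(device_account)
        if entry is None or (device_account, nonce) in self._seen:
            return None  # unknown token, or a replayed transaction
        card_number, device_key = entry
        expected = make_cryptogram(device_key, device_account, nonce, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # wrong key or altered transaction data
        self._seen.add((device_account, nonce))
        return card_number


def make_cryptogram(device_key, device_account, nonce, amount_cents):
    # Keyed one-way function over fixed-width fields (16 + 16 + 8 bytes).
    msg = device_account.encode() + nonce + amount_cents.to_bytes(8, "big")
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def pay(device_account, device_key, amount_cents):
    # What the phone's secure element would emit for one transaction.
    nonce = secrets.token_bytes(16)  # fresh randomness for every transaction
    cryptogram = make_cryptogram(device_key, device_account, nonce, amount_cents)
    return device_account, nonce, amount_cents, cryptogram
```

The merchant and the NFC link only ever carry the device account number, the nonce, the amount and the cryptogram; the card number exists only inside the provider's vault.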

Randomness, Secrets, and Math

The three important cryptographic methodologies that will be used in mobile payments going forward are 1) Randomization, 2) Secrets stored in secure hardware, and 3) Irreversible one-way cryptographic mathematical functions. These three are what will create true security in the digital universe, just like guards, guns, and dogs did in the days before computers. Using these methodologies and tokenization to take the card number out of the flow means NFC-based mobile payments will be more secure than swiping a credit card. To paraphrase a major credit card company’s executive, tokenization will be the single biggest change in payment networks in the last 15 to 20 years, and will likely be the tipping point that makes NFC finally go mainstream. It is hard not to agree. 

The Rest of the NFC Story

Aside from payments, NFC can be used for a wide variety of applications, some of which are noted below:

  •   Paying parking meter

  •   Getting tickets or boarding passes

  •   Opening doors

  •   Car keys

  •   Download information (e.g. kiosks, smart posters, etc.)

  •   Adjust automotive in-cabin settings

  •   Track material (e.g. luggage, industrial materials)

  •   Pair Bluetooth appliances

  •   Program consumer products

  •   Share files

  •   Turn off phone batteries (e.g. with a tap on the nightstand)

  •   Public transport tickets

  •   Electronic business cards

  •   Personal hot spots

  •   Implants (e.g. pet tracking) 

Electronic Pick Pocket

The tokenized systems described above are designed around payments. Such techniques are not necessarily going to be applied to other use models of NFC. As with any wireless communications standard, there is room for interception, corruption, spoofing, and impersonation, among other bad behaviors. NFC is no different. When NFC first came out, people often believed that the very short distances of NFC communication established a meaningful level of security. That is just silly: short distances do not create real security. To dispel that myth forever, University of Surrey (UK) researchers created an inexpensive and small receiver able to eavesdrop on cards at distances of 20 to 90 centimeters. They even had good reception at up to 45 centimeters, which matters because payment systems are not even supposed to transfer data in excess of 10 cm from a reader. Clearly, you can’t trust distance. You can only trust real security methodologies. 

NFC has in fact proven to be an easy way to sneak into a system, and is being viewed as another attack surface. Recently, at a convention of hacking enthusiasts, NFC was exploited to crack into two major Android based mobile phone vendors’ platforms. That pretty much sums up how important it is to apply real world security methodologies to all NFC applications, so that NFC does not become a bump-and-load electronic pick pocket.

To provide the full set of security, all three of the foundational pillars of security should be present. These can be remembered as “CIA” meaning confidentiality, integrity, and authentication. (Also, as we saw with mobile payments, storing secrets in protected hardware is the other critical aspect.) 

  •   Confidentiality is ensuring that no one can read the message except the intended receiver. This is typically accomplished with encryption and decryption, which hides the message from all parties but the sender and receiver.

  •   Integrity is also called data integrity and is assuring that the received message was not altered. This is done using cryptographic functions. For symmetric applications this is typically done by hashing the data with a secret key and sending the result of that hash (which is called a Message Authentication Code or “MAC”) along with the data to the other side, which performs the same functions to create the MAC and then compares both MACs to see if they match. Sign-verify is the asymmetric mechanism used to ensure integrity.

  •   Authenticity is verification that the sender of a message is who they say they are (i.e. are real). In symmetric authentication mechanisms this is usually done with a challenge (often a random number) that is sent to the other side to be hashed with a secret key to create a MAC-response, which then gets sent back to the side that initiated the challenge. The challenge side then runs the same calculations internally to create a MAC using the same inputs and then compares the MACs from both sides to see if they match.

Because the NFC specification leaves security up to the designer, what can designers do to impart strong security? One obvious thing is to start with protected secret key storage. Devices such as Atmel’s CryptoAuthentication™ integrated circuits have been created specifically for this purpose. In addition to securing the secret keys in protected hardware, such devices provide crypto engines in small, cost effective, and easy to use packages.
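The symmetric integrity and authentication mechanisms from the list above, as an added example that is not from the original article or from any vendor's device API: the `Tag` and `Reader` classes and the `auth`/`data` labels are hypothetical, and HMAC-SHA256 is assumed as the keyed hash.

```python
import hashlib
import hmac
import secrets


def _mac(key, label, payload):
    # Domain-separate the two uses so a challenge response can never be
    # passed off as the MAC of a data message, or the other way round.
    return hmac.new(key, label + b"\x00" + payload, hashlib.sha256).digest()


class Tag:
    """Hypothetical NFC tag; the key models a secret held in protected hardware."""

    def __init__(self, key):
        self._key = key  # no method ever returns this value

    def respond(self, challenge):
        # Authentication: MAC-response computed over the reader's challenge.
        return _mac(self._key, b"auth", challenge)

    def send(self, data):
        # Integrity: the data travels together with its MAC.
        return data, _mac(self._key, b"data", data)


class Reader:
    """Hypothetical reader holding the same symmetric key as the tag."""

    def __init__(self, key):
        self._key = key

    def new_challenge(self):
        return secrets.token_bytes(32)  # random and never reused

    def check_response(self, challenge, response):
        # Recompute the MAC locally and compare in constant time.
        expected = _mac(self._key, b"auth", challenge)
        return hmac.compare_digest(expected, response)

    def check_message(self, data, mac):
        expected = _mac(self._key, b"data", data)
        return hmac.compare_digest(expected, mac)
```

Because every challenge is fresh, a response captured by an eavesdropper fails against the next challenge, which is the property that short range alone does not provide.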

What the payments system evolution has taught us is that security is mandatory, secure secret storage is critical to that, and cryptographic processes must be employed. Because robust security devices are now available, tiny, and cost effective, NFC can indeed be the technology of the present well into the future for all use models. 

