Good NFC Habits
Recently, I spoke at the hashdays security conference in Switzerland to talk about the security of Near field communication (NFC) – specifically, how people and businesses can use it securely.
While NFC is not quite yet seeing widespread usage, early adopters – like many readers of this blog – are already using it in their lives. Some mobile manufacturers are touting the addition of NFC in their mobile devices. For my talk, I discussed what aspects of NFC usage can be considered secure, and what can be considered just “convenient”; what businesses can do to keep their customers safe; and what features of NFC should designers implement or completely avoid.
For home users, though, the most important part of my talk was what they can do to keep themselves safe. It’s never too early to pick up good NFC habits. What are these habits that can keep you secure? They are:
- Lock your mobile device. In general, devices have to be turned on or unlocked before they can read any NFC tags. A simple screen lock – even without any password being used – can protect users against these threats.
- For passive tags, use an RFID/NFC-blocking device (such as a wallet). Passive tags will emit fixed information in the presence of a NFC field, which means that there is a slight privacy risk carrying around these devices – if a blocking device is not used. (Anti-static bags can also block RFID devices.) This isn’t the case for mobile devices as their NFC reader automatically turns off once devices are locked, so this precaution is not necessary.
- Use an NFC reader app on your mobile device. By default, most mobile devices will simply open a URL if one is detected on an NFC tag. If you wouldn’t lick a tag, you shouldn’t open it blindly – instead, use an app like NFC TagInfo or NFC TagInfo by NXP to read the tag first. The apps will be able to tell you what information is on the tag – allowing you to make an informed decision if you want to scan it or not.
We’ve seen no indication that NFC has been used in the wild by attackers, but it’s never too early to develop good habits when using this emerging – and promising – technology.