Safe NFC For Businesses
Earlier, we talked about how ordinary users can use NFC securely. However, truly widespread adaptation of NFC is only going to happen if businesses adopt it for their own use. How can businesses safely use NFC for their own purposes?
For one of the most popular uses of NFC – mobile payments – businesses really aren’t in a position to use their own solution; what’s more likely is that businesses will adapt some sort of existing mobile payment system. Both credit card and mobile providers are trying to enter this space, but both groups will support NFC. In such a situation, what businesses can do is ensure that their solution is from a reputable vendor, and to keep themselves informed about any potential security loopholes in the solution they adopt.
However, payment systems are far from the only use of NFC in businesses. At the simple end, it can be something like letting people visit a website without typing a URL or scanning a QR code. However, as the standard develops, something like this becomes possible: a shop wants to offer free WiFi to its customers, but doesn’t necessarily want to expose it to the entire world. What they can do is put an NFC tag at the entrance that customers entering can swipe to set their phone’s WiFi settings.
NFC tags could also be used to automatically update someone’s social media – it’s easy to imagine a tag for Twitter, another for Facebook, and another for Foursquare (just to cite three popular social networks that one might be interested in using on the go). All of this can be done either now, or are quite likely to become possible in the near future.
Naturally, these tags are going to be in full view of the public. To protect these, make sure that any NFC tags you do deploy are set to be write-protected – and check them regularly anyway. The write protect of NFC tags is not always perfect; sometimes a malicious person would still be able to change them, either fully in part. (The worst case is a “soft” write protect, which is basically just a bit saying that the tag can’t be written to. This is as insecure as it sounds. Even “hard” write protect can vary in effectivity, depending on the manufacturer and how the app implements write-protect.)
Of course, an attacker might be able to just cover a legitimate tag with a malicious one. To stop this, it’s a good idea to place the tags behind a glass cover and/or a sign, so that any “overlaying” tags can be quickly spotted and removed.
One more popular use of NFC is for some sort of access control, such as hotel keycards. This is a perfectly good use of NFC tags, but keep in mind that tags can not only be cloned relatively easily, in many cases it is trivial to decrypt the contents as well. For this reason, don’t rely completely on the stored information on the tag to authenticate the user.
In particular, NFC tags have what is (in theory) a unique ID number that is not supposed to be changeable – but it is easy to get tags that have changeable unique IDs. Some vendors are already reusing their numbers because they have ran out of assigned numbers. You can even simulate a card with any number with some electronics that are available. Using this unique ID number for authentication is, therefore, a very bad idea.
One more thing to remember: while NFC offers many interesting usage scenarios, it is still an evolving standard – with vendors offering mutually incompatible proprietary features. For example, MIFARE Classic 1k cards (used by at least one mobile phone manufacturer for their NFC tags) can’t be read by many NFC-capable devices, as they are technically not part of the NFC standard. If you use these proprietary tags, then your customers may need a specific app and/or device to read them. If in doubt, go with a standard NFC tag that links to a URL, as that is almost certain to work.
In short: NFC offers interesting capabilities for businesses, although some of these can be offered with other technologies (like QR codes), if somewhat less conveniently. If done properly, both customers and businesses can benefit – with the emphasis on the word properly.