Count On Users To Foil NFC Payment SecurityWritten by Frank Hayes
Remember those demonstrations of how the payment-card numbers can be stolen from contactless cards by a thief carrying a card reader who bumps victims’ wallets and purses in a crowd? Yes, it’s been a staple of local TV news for years, and it’s a legitimate potential security risk—a risk that was going to be eliminated by NFC mobile payments. That, it turns out, didn’t quite work out the way the proponents of NFC phones were hoping it would.
The key to making phones more secure was supposed to be that a required PIN would prevent the NFC chip from being turned on most of the time, and the chip would be powered down quickly after a transaction when the screen went dark. That’s certainly the way Google Wallet was designed for Android phones. But according to most of the reviews of Google Wallet, all that PIN-punching is a pain, and the phone’s screen quickly going dark is annoying. Guess how secure that makes the NFC chip?
As usual, the weak point of this security plan comes with trying to keep users happy. It makes good security sense to require that the phone’s owner punch in the PIN for every purchase. But it also makes user-friendly sense to let someone who’s making a lot of quick purchases lengthen the time-out, so that PIN isn’t necessary each and every time.
Naturally, Google gives users choices—which turn out to be 1, 5, 15, or 30 minutes. Yes, 30 minutes—exactly the right amount of time to leave the NFC chip unlocked while a customer is strolling around a shopping mall, which is exactly where thieves would go looking to slurp up contactless payment-card numbers.
Of course, even if the NFC chip is unlocked, it’s powered down as soon as the screen goes dark. And of course, that’s adjustable, too, and the choices are 15 or 30 seconds or 1, 2 or 10 minutes—or “never turn off.” Any NFC-reading thief who’s loitering in the vicinity of a POS watching for likely victims might easily be able to bump into every customer who paid with a phone within two minutes after the transaction was done, though that might be a challenge. With a 10-minute time-out, it’s hardly even sporting.
Unfortunately, there’s not much technology retailers can deploy to stop NFC thieves. But considering how many pickpockets depend on a similar bump-the-victim technique, the solution may be simpler than it appears. If Loss Prevention associates are watching for anyone who seems to be loitering and casually bumping into people, maybe LP can save customers from themselves—even if IT can’t.