The Security Caveats of NFC Payments

The idea of paying for something without using your PIN number isn’t new anymore. Despite that, the concept exposes you to just as many vulnerabilities as it did before (if not more).

Previously, I have written about Android Pay’s PIN-less mobile payment system and the negative consequences people can suffer by replacing their PIN numbers with biometric authentication. Now there are devices such as NFC payment rings that further exacerbate the vulnerability issues of other similar solutions. It turns out that there are a couple of things you should know before you hop onto the bandwagon of convenience that contact-less payments provide.


Eavesdropping on radio signals is by far one of the oldest practices in modern history. We’ve been doing it since the First World War and relied on it heavily the second time around. Devices may have become more advanced, but the technique is still relatively untouched. You make a listening device that tunes into the same radio frequency that two other parties are using and listen in on them.

Hackers and researchers have been aware of NFC eavesdropping since at least 2013 when some folks crafted a shopping cart that could easily slip in and “listen” to transactions being made by contact-less payment. To prevent such a phenomenon from happening, readers need to encrypt their connections from end to end. Even then, the possibility of eavesdropping still exists. For consumers to be reliably safe, it’s better to avoid using NFC in crowded places.


This particular problem annoys retailers just as much as shoppers. A hacker can place a device near the reader that corrupts the data going into the reader, making it impossible to make a purchase at that particular counter. Hackers might have an incentive to do this in conjunction with eavesdropping to make sure that the customer does not empty their balance before they have a chance to use it.

The solution to this problem is the same here as it is for eavesdropping. Retailers should use secure channels for transmitting and receiving data on their NFC readers. Although this particular attack doesn’t present a particular threat to either the retailer or the customer (just a lot of frustration), it’s worth repeating the fact that it can be especially dangerous to the customer when hackers choose to combine this with eavesdropping.

Described in better detail over here, a man in the middle (MiM) attack is a sophisticated form of eavesdropping in which the hacker will intercept the conversation between the NFC device and the reader processing the payment and send false information to both. This way hackers can invalidate data (sending the reader garbage information as I’ve described above) and receive the NFC payment themselves based on what the NFC device tried to send to the reader.

Because of their sophistication, such attacks are very rare, but the vulnerabilities currently present in NFC transactions create an incentive for hackers to start investing more time in making tools that will carry out these attacks. To make matters worse, hackers can actively listen in on the connection before the encryption “handshake” is complete, making encryption rather useless at this point. But one thing retailers could do is to have an active-passive style of communication where the NFC device simply sends over its data, and the reader simply processes the information and sends back purchase confirmation.
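To make the "secure channel" advice concrete, here is an added example (not code from any payment system, and far simpler than what real card schemes do) of a reader that rejects corrupted, altered, or replayed messages by checking a MAC over a fresh challenge, the amount, and a transaction counter. The shared `KEY`, the message layout, and the `Reader` and `card_respond` names are assumptions made for illustration; in practice the key holder would be the card issuer rather than the reader itself.

```python
import hashlib, hmac, secrets

KEY = secrets.token_bytes(32)  # constructed demo key (assumption: shared by card and verifier)

def card_respond(key, challenge, amount_cents, counter):
    """Card side: bind the reader's challenge, the amount and a counter under one MAC."""
    body = challenge + amount_cents.to_bytes(8, "big") + counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Reader:
    def __init__(self, key):
        self.key, self.challenge, self.last_counter = key, None, -1

    def new_challenge(self):
        self.challenge = secrets.token_bytes(16)  # fresh per transaction
        return self.challenge

    def verify(self, msg, expected_amount):
        if len(msg) != 16 + 8 + 4 + 32:
            return "rejected: malformed"
        body, tag = msg[:-32], msg[-32:]
        expected_tag = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return "rejected: bad MAC"            # corrupted or altered in transit
        nonce = body[:16]
        amount = int.from_bytes(body[16:24], "big")
        counter = int.from_bytes(body[24:28], "big")
        if self.challenge is None or not hmac.compare_digest(nonce, self.challenge):
            return "rejected: stale challenge"    # recorded message played back later
        if amount != expected_amount:
            return "rejected: amount mismatch"
        if counter <= self.last_counter:
            return "rejected: counter reuse"
        self.last_counter, self.challenge = counter, None  # challenge is single-use
        return "accepted"

def demo():
    reader = Reader(KEY)
    msg = card_respond(KEY, reader.new_challenge(), 1250, 1)
    corrupted = bytearray(msg)
    corrupted[20] ^= 0x01                         # one flipped bit in the amount field
    r_corrupt = reader.verify(bytes(corrupted), 1250)
    r_ok = reader.verify(msg, 1250)
    reader.new_challenge()                        # next transaction
    r_replay = reader.verify(msg, 1250)           # eavesdropped copy sent again
    return r_corrupt, r_ok, r_replay

if __name__ == "__main__":
    print(demo())
```

This covers integrity and freshness only; it does nothing to hide the message contents from someone listening in.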


Of course, when you’re not cut out for cleverly hacking your way into payment portals, your best option is to simply grab whatever people are using to pay for things these days. A card is a bit harder to steal since you’d normally have to steal the entire wallet which is sitting inside of a pocket most of the time (some people use their inside coat pocket for their wallets, making this more challenging).

But phones are often kept outside of pockets and easily get lost. Even if they are in a pocket, most people won’t treat their phones with such care as they do their wallets. NFC payment rings take this a little bit further since it is even easier to lose rings. Stealing them is only a matter of finding an opportune moment when someone takes off their rings to wash their hands.

My suggestion for people using phones is to make sure they have some way to remotely lock the device down if it’s lost. Other than that, you should be avoiding NFC payments entirely if it is very important for you to minimize the chances of your money being stolen in any of the nasty ways I’ve described above.

Do you use NFC payments? How do you protect your finances? Tell us in a comment!
