HID Global Offers Security for NFC

By Claire Swedberg

The Trusted Tag Services Software Developer Tool Kit is intended to help users create their own NFC solutions with security, to ensure that tags, and the products to which they are attached, are not counterfeit.

image_pdfimage_print

HID Global is selling a new developer’s kit intended to enable businesses to create Near Field Communication (NFC) RFID solutions using HID’s Trusted Tag Services, which prevents individuals from duplicating or counterfeiting someone’s NFC tag. The company announced and displayed the new solution at this week’s RFID Journal LIVE! 2013 conference and exhibition, held in Orlando, Fla. The Trusted Tag Services Software Developer Tool Kit consists of a variety of HID Global passive 13.56 MHz NFC RFID tags, as well as an application that accesses HID’s Trusted Identity Platform (TIP), a cloud-based service that identifies whether a tag is valid prior to directing a reader (such as a mobile phone) to a Web site or other data.

The service is intended to eliminate risks related to using NFC tags for authenticating documents, such as diplomas or birth certificates; for identifying high-value assets; and for data login access that sends users to a Web site or to specific data, explains Mark Robinton, the technology innovation manager for HID Global’s strategic innovation team.

HID Global’s Mark Robinton

HID Global provides a variety of NFC RFID tags and cards that can be interrogated by NFC-enabled readers, smartphones or mobile devices. In 2012, the company introduced its secure Trusted Identity Platform (TIP) to make the use of NFC tags safer. HID Trusted Tag Services can also be employed with NFC tags from other manufacturers.

Customers of the service can develop their own application to read each of their NFC tags. The app is designed to direct a tag reader to the TIP cloud-based server, which validates whether that tag is authentic, and then transmits that validation back to the reader.

Although the counterfeiting of NFC tags has not been commonplace to date, the technology is currently not very secure, since someone could potentially create a counterfeit tag that may be used to seemingly authenticate what is, in reality, a counterfeit product to which the tag was attached. Any individual—such as a worker or a consumer—reading one of the tags would first need to download an app from the developer, which would then direct the reader to the Trusted Identity Platform. For example, a watch manufacturer may include an NFC RFID card in a wristwatch’s box to authenticate the product. If someone attempted to read a bogus NFC card, the app would forward the card’s ID number to the server, which would then reject that card.

In another example, Robinton says, an NFC tag could be placed on a smart movie poster that would direct users to a Web site for movie listings, and also invite them to purchase a ticket. If the tag were unsecured, however, a potential criminal could reconfigure the tag so that the user could be directed to what might appear to be the authentic movie theater site, but would actually be a bogus site created to collect the user’s personal payment information. In another scenario, a hacker could place a second NFC tag on top of a trusted tag at a smart poster or other location, which could then direct a user to an inauthentic Web site written to that tag.

The expected ubiquity of NFC tags is the concern, says Tam Hulusi, HID Global’s senior VP. “There’s a new paradigm coming” in which tags are attached to multiple items and in public places, he states, and in which, just like the Internet—”which was started with just the good guys,” he notes—NFC technology could become vulnerable to fraud.

“What we’re doing is leveraging the core competence of HID Global [security],” Hulusi says, “to convey trust.” In other words, consumers and other NFC users could trust a solution utilizing HID’s trusted could service.

Some companies, such as systems integrators, are already employing the trusted cloud service, in order to develop secure NFC solutions for their own customers (for example, brands). Hulusi, however, says he cannot name those companies at present.