I received flak for my recent blog on Near-Field Communication (NFC) payments being safe (see Yes, Contact Payments Are Safe). Some posters rightly pointed out that there are issues with over-the-air security patches, and several security experts were angry that I suggested everyone in their business tries to scare consumers. One described my article as “incendiary” because I wrote, “So security experts can try to scare people, but the truth is, consumers don’t appear to have much to be concerned about at this point.”
“Not all security experts are trying to scare people,” I was admonished. That person, who is in the security industry, didn’t defend the original security expert’s comments that I was criticizing in my blog, but did point out that security experts play an important role in exposing security flaws in new technologies so they can be fixed.
It’s true—there are many very ethical security experts, and security consultants and companies can play a role in helping expose potential problems before criminals exploit them. And I welcome comments from those who legitimately want to address potential security problems with RFID systems in a helpful way. But all too often, people focus on one potential problem without looking at security as a whole. It’s sort of like saying windows are a great security flaw in houses because you can break them and get inside, while ignoring alarm systems, safes and other security measures deployed in those homes (not the best analogy, I admit, but you get my point).
In that blog, I was reacting to a comment in a Reuters story claiming NFC phones “pose the greatest future threat to the security of consumers’ financial details.” I think that statement is irresponsible, and potentially damaging to the adoption of NFC technology. There are legitimate concerns about NFC transactions, as some of those who responded to my original posting pointed out, but we need to consider all of the security mechanisms involved and put the problem in its proper context.
Security is multifaceted and includes both technology and business processes. Last week, I took a trip to Cancun, Mexico, to speak at ADT's RetechLA 2008 event. After I checked into the Hilton Cancun, I received a call from the front desk saying my card had been declined. I went downstairs, got on the phone with my credit-card company and satisfied them that I was the legitimate card owner and was, in fact, in Mexico, and they removed the block on my card.
The company had blocked my card because its use in a foreign country had flagged a potential problem. Credit-card companies also limit NFC transactions to less than $25 to reduce their potential risk, and they will deploy systems that flag potentially fraudulent activity and block transactions from your NFC phone if they detect a problem.
It’s also worth noting that the level of security must be commensurate with the risk involved. By that, I mean the level of security that can be implemented depends on the value of the item or transaction being protected, as well as on convenience. It would not make sense to implement security that costs $5 per transaction to protect a $10 transaction. Nor would it make sense to ask consumers to provide a DNA sample every time they used their credit card to prove they were who they said they were.
The level of security in NFC phones must not be so onerous that those transactions take four times longer than swiping your mag-stripe card. Thus far, fraud involving NFC transactions has not been a huge issue, but I think it’s fair to say that’s probably because they are not yet in widespread use. Criminals will focus on a new technology when there is an opportunity to use it to make significant money (they do cost-benefit analysis, too).
It’s important to address security issues in an open, balanced way, and I encourage those with expertise to continue posting on our forums and blogs. Those in the NFC Forum are invited to explain their position. I think it’s fair to say that both those who make NFC systems and security experts want to see the technology evolve in a secure manner that serves consumers and businesses alike. That can only happen if we address the issues openly and responsibly.
Mark Roberti is the founder and editor of RFID Journal.