So the Tube – the London Underground – is going NFC for payment transactions then … [LINK] … can you see the weakness here?
We’ve had Oyster cards for some time now in London as a means to pay at the turnstiles to travel on the London networks – bus, Underground etc. I assume some contractual issues came into play and the scheme was moved to a new contactless system. I noted that the tech at the turnstiles appeared not to change, which indicated that the readers stayed the same but perhaps the software behind the system did change.
So we have an NFC reader and a piece of software to read those NFC chips to authenticate that the code being presented is indeed for a valid card.
I also noted a conversation with the First Group commercial director in Manchester during 2013, when they were talking about trialling contactless payment systems.
This is definitely pointing to a payment-on-the-device environment coming up for the UK. I kind of support it, as it is rare that I go out without my device … but often that I forget to take my travel card!
I have a Samsung i9100P specifically for its NFC chip – I see NFC in several devices and with the announcement of the iPhone 6 – I see it also features NFC. The good news is that it can allow micro-payments not only from your bank but also against your phone provider which means you can use a variety of accounts. Massive benefits to the consumer – I can see its adoption.
I also see the criminals rubbing their hands in glee. How many bus drivers will be checking that the app you pay for the journey with is the genuine one?
In the London Underground with good connectivity, they could probably spot the fake NFC payment coming in and block you going through the turnstiles, but on a vehicle such as a bus or at an unmanned station – I can see fake apps springing up to allow you to reset your “payment card” to get free journeys.
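The back-office side of that concern, as an added example that is not part of the original post and not any transit operator's code: when offline readers upload their tap records later, replaying them per card can flag a stored value that was reset. The record fields (a per-card transaction counter, the balance the card presented) and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Tap(NamedTuple):
    card_id: str
    reader: str
    counter: int         # per-card transaction counter (assumed field)
    balance_before: int  # pence the card presented at the reader
    delta: int           # pence: negative = fare, positive = top-up

def find_rollbacks(taps):
    """Replay each card's uploaded taps and return (card_id, counter, reason) alerts."""
    by_card = defaultdict(list)
    for tap in taps:
        by_card[tap.card_id].append(tap)
    alerts = []
    for card_id, records in by_card.items():
        records.sort(key=lambda t: t.counter)
        prev = None
        for tap in records:
            if prev is not None and tap.counter == prev.counter:
                if tap != prev:  # same counter, different content: state was replayed
                    alerts.append((card_id, tap.counter, "counter reused"))
                continue         # identical record is just a duplicate upload
            if prev is not None and tap.counter == prev.counter + 1:
                # Consecutive records: balance must follow from the previous one.
                if tap.balance_before != prev.balance_before + prev.delta:
                    alerts.append((card_id, tap.counter, "balance mismatch"))
            # A counter gap means a reader has not uploaded yet; nothing to compare.
            prev = tap
    return sorted(alerts)

# Constructed sample batch (not real data).
SAMPLE_TAPS = [
    Tap("CARD-A", "bus-12", 1, 1000, -150),
    Tap("CARD-A", "bus-12", 2, 850, -150),
    Tap("CARD-A", "bus-40", 4, 1550, -150),   # gap at 3 (top-up not uploaded yet)
    Tap("CARD-B", "bus-12", 1, 500, -150),
    Tap("CARD-B", "bus-40", 2, 350, -150),
    Tap("CARD-B", "bus-40", 3, 500, -150),    # should be 200: value was reset
    Tap("CARD-C", "bus-07", 5, 300, -150),
    Tap("CARD-C", "bus-07", 5, 300, -150),    # duplicate upload, ignored
    Tap("CARD-C", "bus-12", 5, 300, -240),    # counter replayed on another reader
]

if __name__ == "__main__":
    for alert in find_rollbacks(SAMPLE_TAPS):
        print(alert)
```

A check like this only fires once the offline reader's batch reaches the back office, so it supports blocking the card afterwards rather than stopping the journey at the door.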
I found this link some time ago [LINK] and yes indeed, San Francisco has had this problem, with a weakness in the NFC cards allowing them to be tinkered with.
But this is now 2 years later – with a rooted Android phone I can see NFC becoming an interesting new vector for attack … I wonder if anyone is:
- looking at it (vendor, supplier and corporate)
- thinking about it at a coding level at the vendor
- working out the legals of what is involved – is it illegal? What are the laws around this?
An interesting subject that I think could grow, especially with iPay from Apple also.
And as if by magic comes news that Subway restaurants are going NFC also (LINK). Interesting here is that iPay won’t be accepted yet … I guess they’re waiting for trusted security to be proven.
What do you think?