Is NFC a secure technology?

NFC technology emerged in the late 1990s, although it didn’t begin to spread until it went public with the first Nokia smartphone in 2006. Its adoption has been slow for different reasons, including lack of standardization and lack of infrastructure.
Currently, many users don’t even know if their mobile phone has NFC. But the truth is that it is a technology that offers many opportunities in operations and transactions over short distances. And, in addition, with the potential to improve the user experience.
In fact, the NFC chip market is expected to grow, mainly due to the launch of new types of wearables.
In a past post, we defined NFC. In today’s article, we focus on the risks and security of NFC, and how it can become the great ally of identity verification.
Índice
Is it secure to use NFC?
Surely you have read some hoaxes about how easy it is to steal information on cards and terminals by NFC. And although at first glance it may seem coherent because the data is transmitted with simple contact, the truth is that the NFC chip is encrypted and is limited to its purpose, be it payments, accesses, etc. without putting private data at risk (thanks to tokenization).
In this regard, the Organization of Consumers and Users (OCU) says that paying with a mobile phone is, if possible, safer than paying with a ‘contactless’ card because mobile payments require a PIN, a selfie, etc.
In fact, if a person loses their payment card, it could be used up to the limit. On the other hand, if a person loses their mobile phone and has a password, they can’t access the payments.
3 reasons why NFC is a secure technology
Next, we compile the three great guarantees that NFC offers to defend that it is a secure technology.
1 ) The user initiates the operation or transaction
In any operation or transaction in which NFC technology is used, the user, owner of the device with this technology, is responsible for initiating said operation.
To do this, the user must authenticate himself in some way, through a PIN, a selfie, a fingerprint, etc.
Furthermore, when a connection is established between two terminals with NFC, both parties validate that operation in some way. Otherwise, it doesn’t complete.
For example, in the case of identity verification, the user is immersed in the process and he has to initiate and execute the operation; or in the case of a payment, the payment can only be accepted, with the express order of the user who pays.
2) Data transmission occurs over very small distances
The transmission of information using NFC technology works over very short distances, we are talking about a maximum of 10 cm. In most cases, it would be very difficult for an outsider (or criminal) to intercept an operation or transaction, because they would have to be too close. And even if I did intercept it, it’s encrypted.
The short range acts as a security measure of the NFC. The criminal or attacker would have to be very close and in a payment context, for example, it would be very obvious.
3 ) NFC chips are configured with a single use
NFC chips only serve specific purposes. This means that, for example, NFC chips that are installed inside mobile phones can’t access other information stored on the device, beyond the transmission for which they are configured. So there is no need to worry that a chip can autonomously receive data or that another person can access private information.
However, it must be emphasized that any technology can be hacked. But in that sense, they are usually complex operations and surely the hackers who know how to corrupt NFC chips are engaged in other types of activities.
It is important to remember that proactive measures, such as having an unlock selfie or other options, make all the difference to protect devices.
And, of course, how secure it is will be up to the developers of the technology to add layers of password protection and encryption to the solution (check out the great profiles we have on our team here).
Why is NFC used in identity verification?
The success of remotely registering new clients and authentication processes depends on the technology behind it.
In the case of identity verification, easy and frictionless accessibility to the user is crucial.
The use of NFC technology in identity verification responds to three main reasons:
- The security and reliability that it brings to the process
- Ease of use for the user
- The wide availability and diffusion of NFC, present in the vast majority of mobile phones and in new identity documents
Identity verification via NFC technology makes it possible to recover all the information existing within the chip of the identity document of the user who is verifying their identity (from the ID photo and personal data to the digitized signature and fingerprint).
Identity verification with NFC is not a substitute process for online identity capture (selfie + identity document capture), but a security and reliability complement.
Some of our clients already opt for this option to offer their users maximum protection. Mainly because reading and extracting data via NFC presents two advantages over other security layers:
- Reduce the level of fraud. Obviously, fake IDs won’t pass this step, NFC chips are not replicable.
- The reading of user data is 100% reliable, since it fully recovers all the information existing within the chip with no margins of error.
Relying on identity verification via NFC makes the registration process for new customers more secure.
An authentic NFC chip is signed by the relevant issuing entities. A computer hacker does not have that private signature to be able to create or modify information on an NFC chip and pass it off as real.
How does identity verification via NFC work?
So simple! Only three steps are needed:
- The user takes a selfie
- The user captures an image of his identity document
- The user brings his identity document to the back of his mobile phone
Done!
Of course, we assume that the device and the identity document have an NFC chip.
IMPORTANT: In order to capture NFC, the device on which we are performing the verification, a mobile or a computer, has to read the MRZ code. The “password” that allows access to the NFC chip is built with it.
For this reason, we capture the image of the identity document previously.
Shall we tell you how it works in a demo?