Fraud vulnerabilities in NFC cards

Nearly five years ago, Peratech, a specialist in touch technology, warned of the possible fraud problems of data, money and identity theft from the use of RFID for NFC in contactless access control, passports and credit cards. Known as skimming, thieves can use easily available electronics or a smart phone to read the data on such devices without the owner even knowing that it is happening as it can be done from a distance of several feet. The problem has recently been highlighted in a report on contactless card flaws by the Newcastle University's Center for Cybercrime and Computer Security.

These contactless devices work by being waved over a reader and data is exchanged between the reader and the device. The problem comes from the fact that the devices are always on and ready to interact even when in a wallet or deep in a bag. Peratech has developed a simple, inexpensive solution that overcomes this by incorporating an ultrathin switch into the credit card or passport so that it is always off unless the owner is actually pressing the switch to activate the device for the fraction of a second needed. This ensures that the owner has full control of when the data is accessed and by whom.

“We could see that NFC had this fundamental flaw,” explained David Lussey, CTO, Peratech. “Unfortunately our timing was too early as most people had never heard of it but we felt it was appropriate to warn early so that the solution could be built in before such contactless devices became widespread.” As a growing number card companies deploy contactless credit cards without protection, allowing card details to be skimmed and used fraudulently, Peratech forecasted the problem will become widespread.