Home > Security >

How secure are NFC payments?

More and more credit cards and phone apps use near field communication technology to let you make quick payments for purchases. The trend has prompted a lot of questions about security. Here's a look behind the hype.

Cards and devices using near field communication -- or NFC -- are proliferating. Odds are, you’re carrying one around right now.

Using short-range radio communication, NFC is what makes Google Wallet work, as well as a growing number of other mobile payment apps and contactless cards. NFC -- or contactless -- payments are expected to top $110 billion worldwide by 2017, according to Juniper Research.

But with more people using NFC, new questions about security are arising. Corey Benninger, chief of staff for the security firm Intrepidous Group, made headlines in 2012 when he used an NFC-enabled phone to reset transit cards and get free rides.

If NFC is that easy to hack, why would you trust it with your card information? Benninger says NFC payment systems are built with layers of protection and showed us why stealing account information during a transaction isn't so simple.

He showed us a device that works like a skimmer, capturing the information from the wireless transactions going on between the phone and the payment terminal. "However, I wouldn't be able to replay that because once this card data is used once it's no longer good," says Bennnger.

With NFC payments, the dynamic CVV– or card verification value – changes every time you use it. Information security expert and consultant William Murray says it's much safer than our current system.

"Your phone will essentially sign that transaction," explains Murray. "That signature is unique to the amount, to the merchant and to your phone. It can only be used one time."

Plus, NFC phones include a "secure element." "You can call the secure element the primary security layer," explains Intrepidus senior consultant Max Sobell. "It’s what holds all your credentials, it’s what the banks talk to, and then you have layers built on top of that."

Phones and apps have to be turned on and unlocked in order to exchange information -- a protection that cards don’t have, which could leave them vulnerable.

But Murray says we're risking more by continuing to use our current magnetic stripe credit cards. "Anything we do is better than mag-stripe and PIN," he says. "Mag-stripe and PIN is killing us and if we can live with that, we can live with what little tiny residual risk there is in all the rest of these things."

He advises the best protection is to keep a close eye on your accounts.

Dana Kochnower for CreditCards.com


  • We reserve the right to delete any comments that we feel are disruptive.