Near-Field Com­mu­ni­ca­tion (NFC)

Your bank may have recently sent you an NFC-com­pat­i­ble debit card and your smart­phone probably supports NFC functions. But are you unsure what exactly is NFC? No problem. We give you an overview of the RFID-based near-field standard.

NFC is taking over more and more aspects of daily life, enabling con­tact­less payments, and sim­pli­fy­ing con­nec­tiv­i­ty with Bluetooth devices and Wi-Fi networks. Further ap­pli­ca­tions can be found in smart home solutions and the Internet of Things. These benefits of NFC tech­nol­o­gy are ac­com­pa­nied by security concerns and data privacy issues. Read on to learn more about the risks of the wireless standard and the general security re­quire­ments ap­plic­a­ble to NFC ap­pli­ca­tions.

NFC – or near-field com­mu­ni­ca­tion – is a trans­mis­sion standard based on radio frequency iden­ti­fi­ca­tion (RFID) which enables con­tact­less data trans­mis­sion across a distance of a few cen­time­ters.

A key ap­pli­ca­tion of the NFC function is con­tact­less payments at Point-of-Sale terminals (PoS) in retail or gas­tron­o­my. Besides bankcards, modern smart­phones are also generally equipped with the NFC tech­nol­o­gy as standard. When combined with other trans­mis­sion standards like Bluetooth or Wi-Fi, a wide range of pos­si­bil­i­ties are opened up in which the near-field tech­nol­o­gy can make processes requiring data exchange between two devices faster, more flexible, or more con­ve­nient.

NFC is based on RFID tech­nol­o­gy. RFID systems comprise at least one initiator (typically an RFID reading/writing device) and any number of target devices (known as transpon­ders), which receive, process, and answer messages received from the initiator. Data trans­mis­sion occurs by means of elec­tro­mag­net­ic induction between two loop antennas. The gap between the RFID reading device and the transpon­der is called the air interface. The aim of RFID tech­nol­o­gy is to identify, au­then­ti­cate, and track objects or people. For instance, in logistics RFID transpon­ders are attached to products or transport pallets to track the flow of goods.

As an in­ter­na­tion­al standard, NFC specifies an RFID con­nec­tion process for the elec­tro­mag­net­ic near field. In ac­cor­dance with ISO/IEC 180000-3, the standard frequency for NFC systems is 13.56 MHz – one of the ISM high-frequency bands available worldwide without a license.

The short range of the wireless standard is typical for NFC. NFC data trans­mis­sion is only possible when the sender and receiving antennas are located in direct proximity with each other. In practice, the op­er­a­tional distance between two NFC devices is below 10 cen­time­ters. For example, NFC-com­pat­i­ble payment cards have to be held directly against the card reader. Only then can trans­ac­tions be made. The limited range is intended to prevent un­in­tend­ed con­nec­tions and plays an important role in the security of the wireless standard.

In principal, two modes of com­mu­ni­ca­tion are con­ceiv­able with NFC wireless trans­mis­sion: passive and active mode. While passive mode only permits one-way com­mu­ni­ca­tion in which an NFC device retrieves data from another, active mode allows mutual com­mu­ni­ca­tion.

• Passive mode: In the passive mode, active NFC readers are used to read passive transpon­ders. The antenna of the active device thereby generates a high-frequency, al­ter­nat­ing elec­tro­mag­net­ic field. If a passive transpon­der enters the range of the high-frequency field, it is supplied with energy for a short time. Passive transpon­ders them­selves do not generate a feedback signal, instead the data is trans­mit­ted by mod­u­lat­ing the inquiry signal. This mode is used for con­tact­less payments, for example. These transpon­ders can now be found in most debit and credit cards.
   
• Active mode: If both the initiator of the wireless trans­mis­sion as well as the target device are able to transmit NFC signals, trans­mis­sion in the active mode is possible. Active NFC devices have their own energy source. During com­mu­ni­ca­tion, the devices involved generate their own high-frequency, al­ter­nat­ing fields to transmit data, and de­ac­ti­vate them when waiting for a response.

Data trans­mis­sion via NFC is rel­a­tive­ly limited at 106, 212 or 424 kbit/s. For data-intensive ap­pli­ca­tions, NFC tech­nol­o­gy is therefore usually combined with wireless standards like Bluetooth – in order to make the pairing of Bluetooth devices easier, for example. Wi-Fi con­nec­tions can also be es­tab­lished faster and more easily using NFC tech­nol­o­gy. When NFC con­nec­tion data is stored on an NFC transpon­der, users only need to read the data using an NFC phone to connect to the network. This makes entering the Wi-Fi key manually un­nec­es­sary.

NFC functions are con­sid­ered standard features on smart­phones today. Google in par­tic­u­lar is advancing the trans­mis­sion standard. All smart­phones that run on Android OS version 4.0 or higher are NFC-com­pat­i­ble. Apple has declared NFC support since the iPhone 6, but only uses it for its own services. The near-field interface is not currently available to third-party ap­pli­ca­tions on Apple devices.

NFC phones, tablets or other smart devices, such as watches or gaming con­trollers, generally support three modes of operation:

• NFC card emulation mode
• NFC reader/writer mode
• NFC peer-to-peer mode

An NFC device in card emulation mode behaves like a passive transpon­der – such as the NFC chip in a debit or credit card. The card emulation mode is used in com­bi­na­tion with mobile payment apps. Cor­re­spond­ing ap­pli­ca­tions support all common payment cards, including some customer cards, bonus cards, and discount vouchers. The user selects the desired card via the display and holds the NFC device against an NFC-com­pat­i­ble PoS terminal – just like they would with their con­tact­less debit or credit card.

In reader/writer mode, the NFC phone or tablet acts like a reading or writing device for NFC chips. Passive transpon­ders can be in­te­grat­ed into stickers on product packaging, for instance. A user who holds their NFC device in reader/writer mode near such a trans­porter can read and – where permitted – enter data for it.

The peer-to-peer mode fa­cil­i­tates data exchange between two or more terminal devices. This NFC function is used, for example, with Android Beam. The NFC peer-to-peer tech­nol­o­gy could also be used in gaming or for pro­duc­tiv­i­ty apps that enable teams to work together on projects.

Tap on the slider again to de­ac­ti­vate the function.

NFC tech­nol­o­gy can be used for a wide range of iden­ti­fi­ca­tion and au­then­ti­ca­tion processes due to its quick and easy con­nec­tiv­i­ty. Practical ap­pli­ca­tions are available to users for the following areas in par­tic­u­lar:

NFC tech­nol­o­gy enables con­tact­less card payments at PoS terminals, without having to insert the debit or credit card into the reader. Au­then­ti­ca­tion is based on bank data saved on an NFC chip which is in­te­grat­ed in the bankcard. A number of banks in the USA are rolling out debit cards that support con­tact­less payments. The credit card companies Visa and Mas­ter­card offer the NFC function under the brand names Paypass and Visa payWave. In the USA, con­tact­less payments can be made for any amount, although the card holder may have to sign for large purchases. In the UK, con­tact­less card payments below £30 do not require a PIN or signature. It can be higher for the time being in the USA where con­tact­less payment systems are still gaining pop­u­lar­i­ty. This means con­tact­less payment trans­ac­tions can be much faster than con­ven­tion­al card payments. You can see whether your debit or credit card is NFC-com­pat­i­ble via the con­tact­less logo – stylized radio waves.

In the case of mobile payments, the smart­phone is replacing the bankcard. Mobile payment apps like Google Pay and Apply Pay enable users to save bank data to their smart­phone and create a virtual version of their chosen bankcard. Instead of using a plastic card, the NFC phone is held in the range of the card reader, allowing it to read the data required for au­then­ti­ca­tion. Trans­ac­tions are then typically confirmed with a PIN number or by the user providing their fin­ger­print via smart­phone.

Entry tickets could soon be a thing of the past when visiting movie theaters, concerts, and museums. The same may also apply to tickets for public transport. Rather than using paper cards, e-tickets can be saved on the smart­phone, allowing them to be quickly and con­ve­nient­ly read via con­tact­less NFC tech­nol­o­gy. In this context, near-field com­mu­ni­ca­tion is competing against visual iden­ti­fi­ca­tion methods like barcodes and QR codes.

Key cards with RFID chips are now part of everyday life. In hotels, they open doors to suites – or lockers and changing cubicles at swimming pools and sports centers. Companies are using RFID systems to control access to secured areas or work­sta­tions. To gain access here, RFID transpon­ders in the form of chip cards or key fobs are held against a terminal or sensor attached to locking mech­a­nisms. NFC phones may render separate transpon­ders obsolete in the future. The smart­phone is set to become the universal key for elec­tron­ic locking systems.

NFC is also used as a sup­ple­men­tary tech­nol­o­gy for security systems – such as when accessing desktop ap­pli­ca­tions and web apps. Here, an NFC token or smart­phone serves as an extra security component as part of two-factor au­then­ti­ca­tion. For instance, users can enter their password and then also hold an NFC-com­pat­i­ble device to a cor­re­spond­ing sensor.

A passive RFID transpon­der is nothing more than a microchip including a capacitor and antenna. The smallest elements are just a few mil­lime­ters in size. In logistics and retail, these kinds of chips are in­te­grat­ed in labels – or tags – and placed on goods and product packaging, allowing the supply chain to be retraced. The ad­ver­tis­ing industry is also putting NFC tags to use. When built into NFC displays (also known as smart posters), NFC tags open up in­ter­ac­tive options. Viewers can read the chip in the poster using their smart­phone, for example, and receive in­for­ma­tion that triggers a response in the cor­re­spond­ing smart­phone app.

Samsung offers self-adhesive stickers with a built-in NFC chip – called TecTiles – onto which users can enter commands for user-defined purposes. When the user’s smart­phone enters proximity of the NFC tag, the pre­pro­grammed commands are trans­mit­ted and performed. A wide range of ap­pli­ca­tions are possible with TecTiles: Suitably po­si­tioned, NFC tags can cause a smart­phone to au­to­mat­i­cal­ly connect with a car’s Bluetooth radio or switch the ring tone to silent when at the workplace, for example.

The security of the NFC function is not just discussed in relation to con­tact­less payments. In principle, any NFC device can be used to read a transpon­der. The same applies to data on an NFC phone, provided the function is activated. All that without the user having to actively initiate or approve the data trans­mis­sion. But this has got the attention of data privacy advocates.

The dis­cus­sion revolves around the following security risks and data pro­tec­tion concerns:

• The loss of NFC bankcards, mobile devices or other chipped media
• The unau­tho­rized reading of data stored on the NFC chip by third parties
• The ma­nip­u­la­tion of data trans­mis­sion during con­tact­less payment trans­ac­tions
• The creation of behavior, usage and movement profiles based on in­for­ma­tion read con­tact­less from NFC devices

Data privacy advocates argue that NFC chips should not be able to provide any recurring iden­ti­fiers – such as account numbers – that can be read con­tact­less and used to create profiles. Work on in­ter­na­tion­al standards for en­crypt­ing near-field com­mu­ni­ca­tion still needs to be pursued further by the American industry.

Consumers have to be specif­i­cal­ly informed of the risks of mobile payment apps. Moreover, providers of these ap­pli­ca­tions need to provide in­for­ma­tion on min­i­miz­ing risks. Providers have to keep updating payment apps that enable con­tact­less payments with smart­phones, in order to resolve ongoing security issues.

In practice, the security of NFC systems not only depends on the provider of these ap­pli­ca­tions, but also on how the consumer treats the near-field tech­nol­o­gy. Take the following steps to keep security risks to a minimum.

Con­tact­less payments with NFC debit and credit cards

• Store your NFC bankcard in a pro­tec­tive sleeve that blocks radio waves; this prevents your chip from being read without au­tho­riza­tion. Only take your card out of the sleeve when you wish to pay with it.
• Check your account state­ments regularly and report any sus­pi­cious trans­ac­tions to your credit in­sti­tu­tion straight away.

Mobile payments via app

• Activate the NFC function on your mobile device only when you want to use the relevant app. De­ac­ti­vate NFC after suc­cess­ful­ly com­plet­ing the payment trans­ac­tion.
• Always keep your smart­phone’s software as well as mobile payment apps updated.
• Use all the security features offered by the provider – such as au­then­ti­ca­tion via PIN or fin­ger­print.
• Protect your mobile device from unau­tho­rized access with a pass code.

Take immediate action if you realize your bankcard or mobile device with mobile payment apps is lost. Use the emergency number of your credit in­sti­tu­tion to have any lost debit or credit cards blocked.