Surrey study raises concerns about ‘contactless payment’ technology
Researchers from the Department of Computing have revealed the security risk posed by NFC technology.
Published on 31 October in the Institution of Engineering & Technology’s (IET) Journal of Engineering, the study raises concerns about Near Field Communication (NFC) technology, which is increasingly being incorporated into mobile phones and contactless debit/credit cards to enable easier payment. There are around 23 million contactless cards in circulation in the UK and mobile devices with NFC account for 13 per cent of worldwide web traffic.
The study demonstrates that it is possible to receive a contactless transmission from distances of 45 to 80cm using inconspicuous equipment, meaning that the transaction data could potentially be picked up by someone standing this distance away. At this point there is no suggestion that this information can be used to make a fraudulent payment, provided that issuing banks apply the rules and guidelines of the card schemes.
The study was conducted by PhD student Thomas P. Diakos, supervised by Dr Johann A. Briffa and Dr Stephan Wesemeyer of the Department of Computing, and Dr Tim W. C. Brown of the University’s Centre for Communication Systems Research. The team used portable, inexpensive and easily concealable equipment, including a pocket-sized cylindrical antenna, a backpack and a shopping trolley – none of which would raise suspicion if used in a supermarket queue or crowded place.
Using this equipment, they showed how easily eavesdropping (where an attacker ‘listens in’ on an ongoing transaction between a contactless device and reader) could be carried out at various distances. Good reception was possible even from a distance of 45cm when the minimum magnetic field strength required by the standard was in use.
The implications of the study for consumers are significant. Dr Johann A. Briffa, Lecturer in Computing, commented: “The results we found have an impact on how much we can rely on physical proximity as a 'security feature' of NFC devices.
“Designers of applications using NFC need to consider privacy because the intended short range of the channel is no defence against a determined eavesdropper.”
Eleanor Gendle, IET Managing Editor at The Journal of Engineering, said: “With banks routinely issuing contactless payment cards to customers, there is a need to raise awareness of the potential security threats. It will be interesting to see further research in this area and ascertain the implications for users of contactless technology with regards to theft, fraud and liability.”
The research was funded by the EPSRC and IT company Consult Hyperion.
The Journal of Engineering is an online, open access journal published by the Institution of Engineering and Technology.