The idea of paying for something without using your PIN code is no longer something new. Despite this, the concept exposes you to as many (if not more) vulnerabilities as before.SummaryPeople can eavesdrop on transactionsData can be invalidatedMan-in-the-middle attackNever underestimate pickpockets
Previously, I wrote about Android Pay's PINless mobile payment system and the negative consequences people can suffer from replacing their PIN with biometric authentication. There are now devices such as NFC Payment Rings that further exacerbate previous vulnerability issues of other similar solutions. Turns out there are a few things you need to know before jumping on the convenience bandwagon that contactless payments provide.
This particular problem annoys retailers and buyers alike. A hacker can place a device near the reader that corrupts the data entering the reader, making it impossible to purchase at that particular counter. Hackers may be tricked into doing this in conjunction with eavesdropping to ensure that the customer does not empty their balance before they have had a chance to use it.
The solution to this problem is the same here as for eavesdropping. Retailers must use secure channels to transmit and receive data on their NFC readers. While this particular attack poses no particular threat to the retailer or customer (just a lot of frustration), it's worth repeating that it can be particularly dangerous to the customer when hackers choose to combine this with eavesdropping.
Described in more detail here, a man-in-the-middle (MiM) attack is a sophisticated form of eavesdropping in which the hacker intercepts the conversation between the NFC device and the reader processing the payment and sends false information to both. This way hackers can invalidate the data (by sending unwanted information to the reader as I described above) and receive the NFC payment themselves based on what the NFC device tried to send to the reader.
Due to their sophistication, such attacks are very rare, but the vulnerabilities currently present in NFC transactions encourage hackers to invest more time in creating tools that will carry out these attacks. To make matters worse, hackers can actively eavesdrop on the connection before the encryption "handshake" is complete, rendering encryption pretty useless at this point. But one thing retailers could do is have an active-passive communication style where the NFC device simply sends its data, and the reader simply processes the information and sends back the purchase confirmation.
Of course, when you're not cut out for smartly hacking your way through payment portals, your best option is to just grab whatever people are using to pay for things these days. A card is a little harder to steal because you would normally steal the whole wallet which is in one pocket most of the time (some people use their inside coat pocket for their wallet which makes this harder).
But phones are often kept outside pockets and easily lost. Even if it's in a pocket, most people won't treat their phone as carefully as their wallet. NFC payment rings take it a step further because it's even easier to lose rings. Stealing them is just a matter of finding a convenient time when someone takes their rings off to wash their hands.
My suggestion for people using phones is to make sure they have a way to remotely lock the device if it is lost. Other than that, you should avoid NFC payments altogether if it's very important to you to minimize the risk of your money being stolen in any of the nasty ways I've described above.
Do you use NFC payments? How do you protect your finances? Tell us in the comments!