After spending a few days around Security Week (BlackHat, Defcon, BSidesLV) last week, I was constantly amazed at the excitement and innovation around security. Unfortunately, most of this focused on the attack side, but nevertheless, it will drive security thinking forward (which is what we want!).
But as with most technological innovations, implementation is often more important than design (see WEP/RC4). Researchers last week showed how implementing an NFC interface on a smartphone can potentially be disastrous for its owner. In this case, the software behind the hardware was the problem, and software manufacturers must be vigilant in their quest to release stable, secure products.
Another researcher at DEFCON demonstrated quite the opposite: he used a smartphone’s NFC technology to capture payment information from a contactless payment instrument, store it, and then replay it to complete a transaction. This is not a new attack, as we’ve seen replay of RFID before, but it’s a much stealthier one because everything is contained within the phone. Imagine walking by someone and pushing “attack” on your phone’s software moments before the swing of your arm lines up with the pocket where he keeps his wallet, quickly and stealthily interrogating the payment instruments and using them to buy things later.
If nothing else, this demonstrates that you should be personally vigilant in watching every charge posted to your accounts, setting up plenty of alerts to catch strange behavior, and disabling anything you are not actively using. If you are concerned about people stealing your payment information, you can put your cards into paper-thin shields that will prevent someone from interacting with them, or simply request a card that does not have the contactless technology embedded in it.