Maybe you've noticed a feature on your phone called NFC and wondered what it is. Or maybe you're using NFC for contactless payments from your Android or other devices, and you're concerned about how secure it is.

NFC is a common feature on phones, but many people aren't aware of the security risks associated with using it. Here we'll explain more about NFC and how NFC hacking works.

What Is NFC (and Why Is It on My Phone)?

NFC stands for Near-Field Communication. It is a way for devices to communicate with each other when they are physically nearby. The most common place you'll find NFC is on your smartphone.

NFC typically works over a distance of a few centimeters. So to use it, you need to bring the two devices communicating very close together. Today, it's also used for phone-based payments systems; an example would be when you pay for your coffee using your phone's NFC tag.

What's the Difference Between NFC and RFID?

Smartphone displaying credit card doing a transaction using NFC

A similar technology to NFC that you might have heard of is RFID. You'll find RFID chips in contactless cards; a typical example are pre-paid cards you use on public transport. You might have also seen items like wallets or card holders advertised as "RFID blocking."

So what is RFID, and what does it have to do with NFC?

RFID stands for Radio Frequency IDentification. It is a system of a small radio transponder and a receiver and transmitter. You'll also see these referred to as tags, readers, and antennas. The technology is used in everything from clothing tags in retail shops to building and office access cards used by employers. It can further be used for "chipping" pets or monitoring cars going in and out of parking garages.

RFID is not necessarily a secure technology, as it does not use encryption. Tools like RFID skimmers allow hackers to read RFID data from nearby objects like cards, and hackers then use this technology to steal information from RFID items.

That's why NFC exists; NFCs are a sub-type of RFID, which are somewhat more secure. NFCs use encryption to keep data safe. Applications used for payment from your phone, such as Apple Pay, use NFC.

Interestingly enough, companies like ArmourCard have created products like their ArmourCELL which use NFC technology to protect your data. This is done by turning an NFC chip into a signal jammer.

NFC Isn't Perfectly Secure

Tap to iPhone
Image Credit: Apple

So does that mean you don't have to worry about your NFC devices being hacked?

Unfortunately, even though NFC is more secure than other types of RFID, it is still not without flaws, since they were designed to be a convenient connection and did not have security as a priority. NFC requires you to bump, tap, or swipe an NFC-capable device like your phone against an NFC-capable reader, i.e. another phone. The connection is valid as long as both devices are NFC-capable and within the range.

As far as the NFC protocol is concerned, the close distance is all necessary for a valid transfer.

Can you see the flaws? No password or credential requirements! NFC connections are established automatically and do not require any login or password entry in the way Wi-Fi does. This has the potential for some real problems since anyone can establish an NFC connection with your device as long as they get close enough.

NFC can be made secure at the application layer by implementing secure channels or by requiring credentials. Still, NFC as a protocol is not secure and has several flaws. And despite the close-proximity requirements for an NFC connection trigger, unwanted bumps occur mean someone can hack NFC cards. Sometimes, even a well-intentioned bump (such as when paying with Google Wallet) can result in an NFC hack.

What Are the Basics of an NFC Hack?

What is an NFC hack, anyway? Why is this particular form of wireless connection so vulnerable?

It has to do with how NFC is implemented on particular devices and the system flaws. Because NFC is a connection based on convenience, and because there aren’t many security checks, a bump could end up uploading a virus, malware, or some other malicious file to the bumped device. And if the NFC implementation is insecure, the device could automatically open that file.

Imagine if your computer automatically opened any file downloaded off the Internet. All it would take is one accidental click on a bad link for your computer to auto-install malware. The concept is similar to NFC.

With these malicious apps running in the background, your phone could secretly forward bank PINs and credit card numbers to an unauthorized person somewhere across the world. A virus might open up other vulnerabilities, allowing the malicious user full privileges to your device to read your email, texts, photos, and third-party app data.

The crux of the issue is that NFC transfers can be executed without the user even knowing a transfer is in progress. If someone could figure out a way to hide NFC tags in inconspicuous places where phones are likely to bump up, they could upload malicious data onto NFC-enabled devices without people even realizing it. Hacker group, Wall of Sheep, proved this with NFC-tagged posters and buttons.

An NFC tag usually works over a few centimeters, yet research has proven that even at a distance of 30 to 40 meters, you can suffer an NFC hack—in this instance, called eavesdropping.

Can an ATM Hack Be Carried Out Using an NFC?

Three young women using an ATM

NFC hacks have become so sophisticated, you can now hack an ATM with an Android device. Some hackers can carry out an ATM hack through NFC if they wave a phone through certain contactless ATMs to make them disperse money.

The technique is called a "jackpotting hack." Jackpotting is usually done by accessing the insides of an ATM to install malware. Hackers can do this by inserting a USB or by making a hole in the machine to access the interiors; now, this NFC hack can be done merely by holding a phone in close proximity.

It is important to note that, for an NFC ATM hack to happen, it must be done on specific ATMs with certain programming and security flaws. Nevertheless, this type of hack is fundamentally the same as that used to hack NFC cards.

How to Protect Yourself Against NFC Hacks

hooded man behind green computer code

The most effective way to secure against NFC vulnerabilities is not to use NFC. However, if you want to use functions like contactless payments, then there are steps you can take to make it more secure.

Compartmentalize your sensitive accounts. If you use your NFC device for, say, quickly making payments through Google Wallet, then one way to stay safe is to have a separate account just for NFC. That way, if your phone is ever compromised and your Google Wallet information is stolen, it will be the dummy account rather than your main account.

Turn off NFC when you aren’t using it. This prevents accidental bumps from delivering unwanted programs and malware to your device. You may not think your phone gets within the bump-range of many devices throughout the day. But you’d be surprised, especially if you often find yourself in crowds.

Routinely check your device for malware and keep all updates up to date, especially after you’ve used NFC. It may or may not be possible to entirely prevent NFC hacks. But if you catch them before they do much damage, that will be better than not catching them at all. If you find anything suspicious, change your important passwords and security credentials immediately.

Be Aware of Security Risks From Using NFC

NFC is a useful technology for certain functions. But it's not without its security risks. Because it lacks password protection, hackers can access NFC data, and they can even do this without you being aware.

It might seem like newly adopted technologies like NFC on phones only make them more vulnerable. However, on balance, phones now are more secure than ever before.