Near Field Communication (NFC)
NFC uses both a passive and active mode between the initiator (sender) and the target (recipient). In sending a message the initiator is in active mode (generating an RF field) and the target is in passive mode (receiving the RF field). Each device changes roles depending on whether it is sending or receiving.
When NFC devices communicate they use omni-directional RF waves. A snooper antenna will also receive the transmitted signals. The offset to this is the low power of NFC communication is generally accomplished over short distances, about four inches. Passive mode is preferred for security, but active mode may be required depending on the actual distance between intended sender and receiver. The counter is that the snooper can reduce, or overcome, with specific antenna geometry, position from the transmitter, and equipment more powerful than standard.
A miscreant may try to alter transmitted data so that the intended receiver is not able to understand the data sent by the other device. The offset is that jammers are generally of higher than expected power. If the NFC device checks the power level and finds it too high the communication is terminated.
This is where a miscreant attempts to injected some data into the stream. The data is formatted properly and would belong there but the data is not from the sender so it is counterfeit. Offsets include power detection as described under Jamming above.
In a normal situation the consumer communicates with the merchant. A Fake Middleman gets in between pretending to be the merchant to the consumer, receiving the consumer’s information, perhaps modifying it, then passing it on to the merchant. Similarly, receiving information from the merchant, perhaps modifying it, then passing it on to the consumer. Offsets include complexity given the initial negotiation between the consumer and the merchant includes frequency and other exchanges. The presents of two senders should be detectable.
The standards are technical enough to make your eyeballs roll and your brain melt down. The International Standards Organization (ISO) and International Electrotechnical Commission (IEC) standards are
ISO/IEC 14443 (series) regarding “Proximity Cards” Identification cards — Contactless integrated circuit cards — Proximity cards — Part 1: Physical characteristics
ISO/IEC 18000-3:2010 also bears on NFC – Information technology — Radio frequency identification for item management — Part 3: Parameters for air interface communications at 13.56 MHz
Here is a good place to start http://www.NearFieldCommunication.org/technology.html and for much more see the NFC-FORUM
NFC Range Extension
The range of NFC is limited by antenna physics. Standard equipment with single loop antennas can have a range of 3 to 4 centimeters (cm) and multi loops can reach 20cm or so. Want a range of 90+cm (36″) or so? Available http://flomio.com/shop/nfc-readers/nfc-patch-kit/ on line.
More on NFC Weaknesses:
6/21/2011 Android NFC bug
7/25/2012 NFC hijacks cell phones
NFC-enabled phones can be hijacked when in close proximity to bad guys. From Ars Technica
8/13/2012 Charlie Miller explores NFC attack Surfaces
9/12/2012 Apple not interested in NFC
Apple not interested in NFC from AllThingsD. This was as of the iPhone 5. They changed their mind later.
9/13/2012 No Apple Wallet
Apple not interested in a wallet from BankTech
9/24/2012 NFC Hack gives Subway rides free!
Subway riders can use Android smartphones to replenish their fare cards without paying. Thi was demonstrated at the EUSecWest security conference in Amsterdam by security researchers who developed an application to allow travelers to read a fare card’s balance and to then write the stored data back to the card, while resetting the balance to get more rides. San Francisco (a test city) was informed of the vulnerability December 2011 and it still exists as of September 2012. Source: Sophos
4/27/2015 NFC Human Implantation
Seth Wahle, an engineer at APA Wireless, implanted an NFC chip intended for use in cattle in the web between thumb and forefinger of his right hand. By no means an electronic powerhouse, the chip has less than 1K of memory, but was programmed to ping phones requesting a link. The link gets opened and transferred malware compromises the phone. Now a remote computer can use the malware to control the phone. (source)
Certainly the present implantations have limits, but it was just three years between demonstration of cell-tower-spoofing to the general femtocell hack and another year before fake cell towers appeared on Pennsylvania Avenue in Washington, D. C. and events seem to move faster now.
7/20/2015 EMV/NFC weaknesses from BlackHat 2015
In Peter Fillmore’s Overview of Contactless Payment Cards, (9 page PDF) and an associated slide presentation (60 page PDF) titled Crash and Pay: Owning and Cloning Payment Devices he reviews the basics of EMV transactions and attacks, including NFC weaknesses (see slide 49) and that includes ApplePay.
Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.