The idea of tapping your phone at the point-of-sale to make payments is indeed quite appealing. Rather than carry around your credit/debit cards, it seems quite convenient to use NFC smartphones instead. Mobile payments, in general, are getting a huge response in many countries in Africa, Asia, Europe and especially North America. NFC mobile payments got a big boost this year with the launch of Apple Pay. With a big player like Apple coming into the field, mobile in-store payments are getting ‘legitimized’ in the US.
Other major players in this area include consortiums like SoftCard and MCX, financial powerhouses like Visa and MasterCard and technology giants like Google Wallet and PayPal. NFC based mobile in-store payments uses a form of RF communication at quite a short range. NFC does support encrypted communication to avoid eavesdropping from nearby devices. The short range of communication supports this purpose.
But newer security concerns have emerged in the form of “relay attacks” which can make NFC payments vulnerable. It works like this:
- Attackers are able to get access to your phone or credit card embedded with a contactless chip
- The attackers use their own phone to impersonate a store’s payment system
- The attackers pass the customer’s phone details to their partner’s phone to make purchases using the customer’s payment details
- Two phones act together to relay the communication making the store’s payment terminal and the customer’s phone think they are communicating securely
Here is an illustration of how the relay attack can take place:
Such new challenges are being addressed by the eGo Project, an initiative by Gemalto. A method, dubbed location bubbled, is being implemented to counter this issue. In this approach, the POS terminal and the device ensure that they are within a short pre-specified distance from each other. This requires the mobile phone to measure its indoor location at a precise level. This measurement could be that of the precise distance to the POS terminal or the phone comparing its own precise location to that of the POS terminal. The final location data is communicated with encryption to avoid a relay attacker from modifying the location data during the payment process.
Here is an illustration highlighting the use of location bubbles:
The eGo Project has made such precise distance and location measurements possible by use of the ultra-wideband (UWB) technology that is implemented on a chip. The UWB chip has been designed to make measurements at an accuracy of up to 10 cm. UWB also provides secure communication with higher bandwidth than Bluetooth. It transmits much shorter and sharper pulses that remain distinct across multiple paths of obstruction. In addition, UWB systems measure location based on the time of flight of the signals, and not based on the signal strength.
The market will eventually demand stronger security precautions for mobile in-store payments, given known risks such as NFC relay attacks. Location bubbles based on precise distance and location measurements, as are used by the eGo Project, will be a key method for keeping mobile in-store payments secure as adoption continues to increase.