Wednesday, July 25, 2012

Journal 2 - Near Field Communication - Kevin Curran, Amanda Millar & Conor Mc Garvey, April 2012


Near Field Communication (NFC) is a specification for contactless communication between two devices. NFC is based on the technology used for RFID and is standardised in ISO/IEC 18092. NFC is limited to a distance between the two devices of up to 10 cm. NFC is intended to make it easier and more convenient to make transactions, exchange digital content, and connect electronic devices with a touch. NFC has the ability to read and write to devices, and so it is believed that NFC devices will have a wider use in the future than standard smart cards. Barclaycard introduced the UK’s first contactless payment system in 2007, with a transaction limit of £10. Due to the increase in demand, Barclaycard increased the maximum limit by 50% to £15 in 2010. Google has supported the incorporation of NFC into the Android 2.3 operating system and it is predicted that over the next three years the market for NFC chips will grow by a factor of four, and in 2011, 50 million NFC-enabled devices will enter the market. As users’ needs for technology increase, it makes sense that another function to add would be the ability to use the device to make payments, and that is where NFC comes in. Having a mobile phone fitted with an NFC chip will enable users to send and exchange data just by touching, or bringing together, the two devices. NFC applications can be stored on the phone: on the SIM card, within the smart card or even within an area of the phone’s memory.
Problem Statement
It is estimated that the market in NFC devices will grow exponentially over the next few years, and with this comes the always-present issue of security. According to the ISO standard, NFC is not encrypted. This is to make it backward compatible with RFID technologies. Encryption may be implemented with future NFC applications but only as a best practice, not as a requirement. The wireless signal generated by data transfers can be picked up by antennas, modified, and dispatched. This makes NFC inherently vulnerable to this kind of attack. A disguised device placed close to the two NFC devices would be able to record all NFC activity in a given time and be collected at a later date. Fraudsters can take advantage of NFC tags in public places by removing the legitimate tag and replacing it with a tag directing the user to a bogus website or a premium number set up to the fraudsters’ account. there is no

Objectives of the research:
  The objective of this research is to analyze the possible uses of NFC and the risks associated with carrying out transactions over a wireless network.

Literature Review
NFC is an internationally accredited standard, which means that in the future it will become a worldwide-recognized technology with a multitude of uses. In December 2003, NFC was accredited with the standard ISO/IEC 18092 (NFC IP-1). This standard specifies the interface and protocol for simple wireless communications between close-coupled devices that communicate with transfer rates of 106, 212 and 424 kbps [7]. In 2005, NFC also earned a further internationally accredited standard, ISO/IEC 21481. Secure NFC combines smart-card technology with NFC technology to enable storage of personal data in a secure manner. This means that data can be encrypted, with the key being stored securely in the memory of the device, and that the NFC device supports the authentication. This secure storage will be required to store personal data, encryption keys, electronic money etc., and so it is an important aspect of NFC. As more phone manufacturers start to include NFC chips in their mobiles, the need for applications will increase. Already marketers are looking at the possibilities of using the NFC interface alongside their traditional marketing methods such as posters. NFC can also be used to transfer tokens at airports, which would eliminate the need for boarding cards. The passenger would check in using their mobile and then re-confirm by swiping their phone again at the departure gate. There is also the possibility of NFC chips being able to store biometric information, which is becoming more widely developed for security at airports. Devices with applications that use NFC technology for payments will help consumers pay for products and services more easily, and mobile developers are teaming up with financial companies and service providers to provide this service in the near future. NFC is safer than longer-range technologies but there are still security flaws that, if not addressed, can be exploited.
Because NFC uses a wireless communication protocol, it is inevitable that the data will be prone to attacks such as:
·         Eavesdropping: The two NFC devices communicate using radio-frequency waves. This means that an attacker could use an antenna to intercept the transmitted signals. No special equipment is required to receive or decode the RF signals, and so it should be assumed that this equipment is available to attackers.
·         Data Corruption: Rather than eavesdropping on the communication, an attacker might instead try to modify the data being transmitted. The attacker may do this to disrupt the communication by preventing the receiving device from being able to understand the data that is being transmitted from the active device.
·         Data Modification: The purpose of data modification is to change the data that is received rather than preventing the transmission as with the data corruption attack, because the attacker wants to make changes to the data that is being transmitted.
·         Data Insertion: The attacker inserts messages into the data exchanged between the two devices, but if the messages overlap, then the data becomes corrupt and the communication fails.
·         Man-in-the-Middle Attack: In this type of attack the two devices are tricked into believing they are communicating directly with each other, when in fact they are communicating through a third party.
Another aspect to protect against is ‘Walk off’. Walk offs are when the device user lifts the device and walks away from the transaction while leaving the transaction connection open. Usually, when a connection is idle for an amount of time it terminates automatically, but during the time window in which the connection is still open, it can be exploited.
Future Implications of NFC
Google Wallet:
  Google Wallet is an Android app that makes your phone your wallet.
  It stores virtual versions of your cards in your phone.
  Google hopes that eventually our loyalty cards, gift cards, receipts, boarding passes, tickets, even our keys will be seamlessly synced to our Google Wallet.


Windows 8:
  It will include built-in NFC Technology. Windows 8 will include an option known as tap to share.
  During its Build conference, Microsoft demonstrated the tap-to-share application by means of an NFC-enabled tablet computer loaded with an early version of Windows 8.
  Chip manufacturer NXP provided the NFC technology used on Windows 8-based tablets distributed at the conference, enabling the computers to not only read and encode NFC RFID tags, but also support peer-to-peer and card-emulation functions specified by NFC standards developed by the NFC Forum.
Conclusion:
NFC is a very short range protocol which is backward compatible with the RFID infrastructure. Because of its very short range it is inherently secured from most types of remote attacks. The procedure of establishing communication mirrors the natural human way of doing things: if you want two things to communicate, touch them together. Active NFC devices could have a viable future in commerce, with the beginnings of contactless NFC payments starting to show today with an NFC district created in Madrid and with a proposed number of 60,000 merchants in London to accept NFC for their premises in time for the London 2012 Olympic Games. The fact that NFC is also interoperable with existing smartcard systems should also ensure that this technology would be more easily integrated into existing infrastructures, such as the Transport for London Oyster Card system. With any digital transaction, there will always be people who try to manipulate, disrupt or misuse the data that is transmitted and so users will no doubt initially be wary about the security of their personal data that is stored on the NFC devices. Privacy and security will always be a concern for users where personal and sensitive data are involved. We will have to rely on the application developers and handset manufacturers to ensure that any transaction carried out via an NFC-enabled device is as secure as possible. NFC-enabled devices have great potential. NFC is much quicker and more user friendly and hence could reach a wider user base. Using them for paying for a car parking ticket on exit or for door entry systems in the near future seems almost inevitable. The original paper can be found in the following link.

References
  [1] NFC Forum. (2011). About NFC. Retrieved 04 10, 2011, from NFC Forum: http://www.nfc-forum.org
  [2] NFC World. (2011). About NFC. Retrieved 04 10, 2011, from NFC World: http://www.nfc-world.com
  [3] Conneally, T. (2010, 12 23). As-NFC-enters-the-mass-market-so-too-should-NFC-security. Retrieved 04 09, 2011, from Beta News : http://www.betanews.com/
  [4]  http://public.cenriqueortiz.com/nfc/elements-nfc-jan2009-CEnriqueOrtiz.jpg
  [5] Mobile Phones History. (2011). Retrieved 04 05, 2011, from Phone History: http://www.phonehistory.co.uk/
  [6] Alcatel Lucent. (2011). Historical Timeline. Retrieved 04 06, 2011, from Alcatel Lucent: http://www.alcatellucent.com/
  [7] ISO. (2004, 04 1). International Standard. Retrieved 03 24, 2011, from Webstore: http://webstore.iec.ch/preview/info_isoiec18092%7Bed1.0%7Den.pdf
  [8] NFC In Action. (2011). Retrieved 04 09, 2011, from NFC Forum: http://www.nfc-forum.org
  [9] Clark, S. (2011, 02 27). Transport for London confirms plans to accept contactless cards in time for olympics. Retrieved 04 07, 2011, from NearField Communications World: http://www.nearfieldcommunicationsworld.com/2011/02/27/36204/transport-for-london-confirms-plans-to-accept-contactless-cards-in-time-for-olympics/
  [10] Hill, J. (2011, 04 04). The question of security with nfc based payments. Retrieved 04 08, 2011, from Gadgetell: http://www.gadgetell.com/tech/comment/the-question-of-security-with-nfc-based-payments/
  [11] http://www.google.com/wallet/



Journal 1 - Analysis of the Latest Trends in Mobile commerce using the NFC Technology - Mateja Jovanovic & Mario Munoz Organero, May 2011.


Introduction
Mobile commerce (m-commerce) is already being used and implemented as an alternative to many e-commerce services. Mobile commerce is a form of electronic commerce that specifically focuses on commerce by the use of Mobile Devices (Dwain Chang and Mandy Chin, 2007). This paper is focused on Proximity Payments using the relatively new Near Field Communication (NFC) technology. Visa and MasterCard have already entered this market with contactless payment cards like PayPass and WavePay. Many banks, mobile network operators, vendors and independent companies are already implementing this technology and doing a number of trials. NFC (Near Field Communication) is a high frequency technology used for proximity payments in the m-commerce field. It is a wireless communication technology; the proposed distance between devices is around 3-10 centimeters. The NFC technology is designed for usage in mobile phones. The device can communicate with existing ISO/IEC 14443 smartcards and readers, and with other NFC devices. It is a “read and write” technology, and it allows the high-speed transfer of data between enabled devices. An NFC-equipped device can operate in two modes, active and passive, depending on whether it generates its own field. Active devices have a power supply; passive devices do not. The three modes of NFC are card emulation mode, reader mode, and P2P.
Problem Statement
·         Lack of a clear standard across the industry.
·         Interested parties entering joint ventures with biggest profit possibilities, regardless of possible technical inferiority of their solution.
·         Merchants are not willing to buy new payment terminals and offer possibility of NFC payment to customers until there is a critical customer mass.
·         Users are not eager to purchase new NFC Mobile Devices until enough Merchants are offering NFC payments.
·         Inconvenience of having Mobile Device as a single payment solution because of battery issues and possible call or other mobile network action in progress when payment is required.

Objectives of the research
The aim of this research is to propose new mobile commerce proximity payment architecture, based on the analysis of existing solutions and current and future market needs. The idea is to change a Mobile Device into a reliable and secure payment tool, available to everyone and with possibility to securely and easily perform purchases and proximity payments.
  1. To propose new architecture(s) and a clear standard, based on the advantages and disadvantages of the existing systems.
  2. Analyze the possible security issues and propose how to overcome them.
Literature Review
The basic form of proximity payments is the category of off-line micro payments. They represent the first step towards reaching more complex, macro-payment online systems. The Secure Element stored in the device prevents access by non-authorized users, and a classical public-key structure allows transfers only by registered parties. There are three Secure Element (SE) implementations that are secure: an NFC SE in the SIM card, an embedded SE in the device, and an external SE such as an NFC sticker. The Mobile Device has NFC software, which consists of a Java ME program written for MIDP (Mobile Information Device Profile), the MIDlet, that runs on the phone's OS, and one or more Java Applets stored on the secure hardware element. Payment and ticketing applications are stored in a Secure Element in the device. The Secure Element is a smart card chip, where multiple applications can be stored. Its purpose is to accept software only from trusted parties that have the private key that allows authentication. The entire process requires only one network connection. Once the issuer registers the user's phone number and the public RSA key, the X.509 certificate for that public key needs to be issued and sent to the Secure Element of the Mobile Device. The most convenient solution for mobile network operators is the NFC chip on a SIM card, because it means teaming up of a network operator and any other party, or the possibility of “renting” a place on a multi-application SIM/UICC. Some of the security issues faced by NFC are:
·         Eavesdropping, where a third party receives the signal using an antenna.
·         Unwanted activation, which is somewhat similar to eavesdropping. A third-party attacker tries to activate the card without the owner’s knowledge.
·         Data Corruption, or modifying the data transmitted by an NFC device using the valid frequency.
·         Data Modification, where the attacker sends valid, but altered, data to the receiving NFC device.
·         Data Insertion, where the attacker tries to insert a new message into an NFC communication.
·         Man-in-the-Middle Attack, where two parties who want to establish communication are tricked into communicating with or via a third party, which is therefore able to record the entire conversation.
·         Denial of service, where the attacker tries to interfere with the RF field in order to prevent the transaction.
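
As an added example (not code from the paper or from this summary), the sketch below shows one application-layer defence against the data modification and data insertion attacks listed above, and against the ‘Walk off’ window described in the Journal 2 summary: every frame carries a direction byte, a sequence number and an HMAC, and the session closes for good after an idle period. The pre-shared session key, the role labels and the 5-second timeout are assumptions; the scheme gives integrity only, not confidentiality against eavesdropping.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">BQ")   # sender role (1 byte) + sequence number (8 bytes)
TAG_LEN = 32                    # HMAC-SHA256 output length
READER, PHONE = 0, 1            # role labels assumed for this example


class SessionError(Exception):
    """A frame was rejected or the session is closed."""


class Endpoint:
    """One side of an NFC exchange that authenticates every frame."""

    def __init__(self, key, role, now, idle_timeout=5.0):
        self.key, self.role, self.idle_timeout = key, role, idle_timeout
        self.send_seq = self.recv_seq = 0
        self.last_activity, self.closed = now, False

    def _require_open(self, now):
        # Walk-off defence: once the link has been idle too long, close for good.
        if self.closed or now - self.last_activity > self.idle_timeout:
            self.closed = True
            raise SessionError("session closed after idle timeout")

    def _mac(self, header, payload):
        return hmac.new(self.key, header + payload, hashlib.sha256).digest()

    def seal(self, payload, now):
        self._require_open(now)
        header = HEADER.pack(self.role, self.send_seq)
        self.send_seq += 1
        self.last_activity = now
        return header + payload + self._mac(header, payload)

    def unseal(self, frame, now):
        self._require_open(now)
        if len(frame) < HEADER.size + TAG_LEN:
            raise SessionError("frame too short")
        header = frame[:HEADER.size]
        payload, tag = frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._mac(header, payload)):
            raise SessionError("bad MAC: frame modified or corrupted")
        role, seq = HEADER.unpack(header)
        if role == self.role:
            raise SessionError("reflected frame: our own message sent back")
        if seq != self.recv_seq:
            raise SessionError("bad sequence: frame inserted, replayed or dropped")
        self.recv_seq += 1
        self.last_activity = now   # only authentic traffic keeps the session alive
        return payload


def outcome(endpoint, frame, now):
    try:
        return endpoint.unseal(frame, now)
    except SessionError as err:
        return str(err)            # rejection reason instead of a payload


def demo():
    key = bytes(range(32))                      # constructed key for the example
    reader = Endpoint(key, READER, now=0.0)
    phone = Endpoint(key, PHONE, now=0.0)
    first = phone.seal(b"PAY 4.50 GBP", now=1.0)
    second = phone.seal(b"CONFIRM", now=2.0)
    altered = bytearray(second)
    altered[HEADER.size] ^= 0x01                # one payload bit changed in transit
    return {
        "genuine": outcome(reader, first, 1.1),
        "modified": outcome(reader, bytes(altered), 2.1),
        "replayed": outcome(reader, first, 2.2),
        "reflected": outcome(reader, reader.seal(b"ACK", now=2.3), 2.4),
        "in_order": outcome(reader, second, 2.5),
        "walk_off": outcome(reader, phone.seal(b"PAY 90.00 GBP", now=3.0), 60.0),
    }
```

Calling `demo()` returns the payload for the two genuine frames and a rejection reason for each of the other cases.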

Proposing new Architecture
The authors propose three architectures in the article, which are discussed below.

First Architecture:
     This architecture represents the next step from the current credit card payment architecture. From the user's point of view, the only difference will be that their Mobile Device plays the role of the credit card. In the ideal case, Mobile Device manufacturers would include only the NFC chip and the antenna in their Mobile Device; the SE would preferably be stored on the SIM/UICC. The Credit Card Companies' role stays similar to that in the current credit card payment system, with the added responsibility of authenticating the Customer's Mobile Device using the applet on the Secure Element. The main difference between this mobile payment architecture and the existing model is that the user needs to turn on the application on the Mobile Device and perform the authentication procedure before the payment.
Second Architecture:
     In this model, Credit Card companies have a less important role. There is another player, the Trusted Third Party service, which makes the architecture more secure and global, but also more complex. This might lead to an increase in transaction fees. The focus in this particular architecture is on the Independent Trusted Third Party that has the role of the neutral trusted service. There are two possible solutions regarding the party that performs this role: the Mobile Network Operator (MNO) or the Independent Trusted Service Manager (TSM). In this architecture the Mobile Device manufacturer also embeds the NFC chip and the antenna into the device, while the Secure Element (SE) is stored on the SIM/UICC card provided by the MNO. The NFC Payment Application (MIDlet) is to be provided by the third-party trusted service, including download and life cycle.

 Third Architecture:
The third option represents the architecture with an even bigger role for Mobile Device manufacturers and designers of Operating Systems (OS). The possible players in this architecture are Apple, Nokia, Google with Android OS and Samsung and HTC as biggest supporting device manufacturers, and RIM (Research in Motion) with Blackberry devices. The communication between mobile carrier and Online Service is not necessary in this architecture. The MNO will only play the role of providing the Internet connection to the Customer's Mobile Device. This means that the connection between Mobile Device and Online Service (Interface 3) is physically realized via Interface 1. The most important player is the company that owns the online store where the customer has an account and connects using the NFC Mobile Device, which is in this case the OS designer company. The customer needs a Mobile Device equipped with an NFC chip and with the online service application, and a valid account in the online service connected to his credit card.

Conclusion
The aim of this research was to propose new mobile commerce architecture using NFC technology, based on the analysis of existing solutions, encountered problems and current and future market needs. NFC mobile payments have a lot of potential, but the lack of a clear and global standard in the industry is considered one of the biggest issues, slowing down mass-market penetration. Three entire system architectures were proposed as possible final industry standards: a payment system upgrade by Credit Card companies to enable mobile payments, the introduction of an independent Trusted Third Party, and Mobile Device manufacturers and OS designers making an Online Service handling NFC payments that connects users' mobile phones directly to their bank accounts without Credit Card companies. Each of the architectures brings a level of progress compared to existing solutions, most of all because they introduce a new clear and global architecture standard and clearly define the roles of all involved parties. The architecture that will predominate the mobile payments market will be a technically inferior one, but introduced by a joint venture of companies strong enough to impose it regardless of the competition. Further work and improvements will be possible once big players, such as Mobile Device and OS manufacturers and Credit Card companies, make the move. The original paper is available at




References

  [1] Dwain Chang and Mandy Chin, “Will mobile television be a success?” Sep. 2007.
  [2] Martin Newman, M-commerce - Now it really can be called a route to market, Aug. 26th, 2009.
  [3] John Leyden “M-commerce - security risks exposed” June 2010
  [4] Australian C&C Commission “Shopping on your mobile (m-commerce)” Aug. 2009
  [5] Scarlet Schwiderski and Heiko Knospe “Secure M-commerce” Apr. 2008
  [6] Jason Ankeny “Doubts in m-commerce security”, May 2009
  [7] Ernst Haselsteiner and Klemens Breitfuß “Security in Near Field Communication (NFC), Strengths and Weaknesses” Philips Semiconductors, June 2010
  [8] AT&T, Verizon, T-Mobile joined venture - Isis mobile commerce network Web page, Jan. 2011
  [9] Lorenzo Stranges, Aymeric Harmand, Jean-Marc Meslin “Oberthur Technologies new SIM-centric solution for NFC mobile payment” Aug. 2008
  [10] Finextra, independent information source for financial technology community web page, Oct. 2010
  [11] Gauthier Van Damme, Karel Wouters, Hakan Karahan and Bart Preneel “Offline NFC Payments with Electronic Vouchers” Aug. 2009
  [12] European Payment Council “White Paper – Mobile Payments” First edition, June 2010
  [13] Prof. Min So Kang, Hanyangcyber University “NFC Technical Status and Application” RFID/USN Conference & International Exhibition, Seoul, Nov. 2006
  [14] ECMA International, “global ICT and Consumer Electronics standards” Revision 1, Dec. 13. 2010
  [15] Heikki Ailisto and the Finnish ITEA2 project team, “Physical browsing with NFC technology, VTT Research 2400” Finland, Oct. 2007
  [16] EMV, global standard for credit and debit payment cards web page
  [17] Jeff Fonseca “NFC Market Update and Technology Overview” NXP Semiconductors, Nov. 2009
  [18] Smart Card Alliance Contactless and Mobile Payments Council White Paper “What Makes a Smart Card Secure?” Oct. 2008
  [19] NFC Research Lab in Hagenberg, Austria Official Web page, http://www.nfc-research.at/
  [20] Near Field Communications Forum Web page
  [21] IBM Electronic payment processing for Web businesses, Feb. 2002 

















Wednesday, November 30, 2011

NFC in Public Transport (White Paper)



Today, various public transport agencies in Europe, the United States, and Japan have piloted and implemented the use of NFC-enabled mobile phones. NFC is used in the context of transport ticketing in gateless systems to enable a simple start-up program. Multiple applications, including online payment and over-the-air ticketing, have also been enabled by the phone. Now what is NFC? NFC is a standards-based, short-range wireless connectivity technology that enables simple and intuitive two-way interactions between electronic devices. With NFC technology, consumers can perform contactless transactions, access digital content and connect NFC-enabled devices with a single touch. NFC simplifies setup of some longer-range wireless technologies, such as Bluetooth and Wi-Fi. It is also compatible with the global contactless standards (ISO 14443 and/or ISO 18092), which means transport agencies that have already deployed contactless programs enjoy a built-in advantage, as their equipment may readily interact with NFC-enabled mobile devices and provide richer services. Now let us see the benefits of using NFC for transport. NFC-enabled phones have great benefits over paper tickets. Tickets stored virtually in phones are inherently more durable, less likely to be lost, and are perceived to be more environmentally friendly than paper versions. They are more convenient than plastic cards, with no fumbling in a wallet for the right card. NFC-enabled phones can hold multiple payment applications. Travelers can tap information tags embedded in smart posters to download train schedules or information on nearby attractions, enhancing the passenger’s travel experience as well. NFC can also be incorporated into readers to enable services such as renting bicycles or opening storage lockers. Now let us discuss the implementation of NFC in public transport.


NFC used for car parking & NFC used for exchanging Information.


NFC used by a lady to board public transport in China.


Many cities today already have automatic fare collecting systems using gates and smart cards; e.g., London, Madrid, and Paris. These are called gated systems. The transport operator arranges with the NFC-enabled phone provider to support the installation of that city’s transport application, such as Oyster in London or Calypso in Paris, on the secure element in the phone. Whether multiple city transport applications can reside on the same secure element in an NFC-enabled phone depends on the arrangements that the various transit application owners have set up with the owner of the secure element. The implementation of the NFC ticketing system is similar to today’s smart card system. The advantage of using NFC-enabled phones is the capability to automatically load tickets or value over the air using the mobile network.
Examples of NFC used in public transport
NFC applications have been implemented in public transport programs in a number of countries, involving a variety of ecosystem players and transport modes. This section briefly highlights a few successful programs.
  1. London – Testing Transport Ticketing on NFC Mobile Phones:
In 2007, a trial of NFC for mobile transport ticketing and small payments was carried out in London – the largest such trial up to that time. A collaboration that involved the city’s transport authority Transport for London (TfL), phone provider O2, Nokia, Barclaycard, and Visa,
  2. Germany – Touch&Travel Pilot Program:
Touch&Travel is an NFC-based ticketing pilot project jointly conducted by Deutsche Bahn, the German rail authority, and its partners Vodafone, Deutsche Telekom and O2 Germany, with support from industry as well as local transport companies. The pilot project covers long-distance trains between the cities Berlin, Cologne, Dusseldorf and Frankfurt, as well as selected regional trains, the metro and trams in Berlin, and all means of transport -- including busses and a ferry -- in Potsdam. The project started in 2008, and currently about 3,000 participants are using the service on a frequent basis. To use the system, the customer taps his/her phone to the Touchpoint at the departing station. The Touchpoint contains a passive NFC tag that securely holds information about the location. The location information is sent by the phone, via the mobile network, to the back end of the Touch&Travel system, which returns a check-in record to the customer’s phone. This record is stored in the application on the SIM card, and it can be accessed by an authorized conductor with a mobile control device during the customer’s travel. At the conclusion of travel, the customer needs to check out of the system, which he/she accomplishes by touching a Touchpoint at the destination.
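
The check-in flow described above can be modelled as follows. This is an added example, not code from the white paper or from Touch&Travel: it assumes the Touchpoint data and the check-in record are protected with HMAC-SHA256 (a stand-in for whatever mechanism the real system uses), and the keys, station names, customer IDs and six-hour validity window are constructed for illustration.

```python
import hashlib
import hmac
import json

TAG_KEY = b"constructed-touchpoint-key"   # constructed demo keys, not real values
RECORD_KEY = b"constructed-record-key"


def _mac(key, fields):
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _valid(key, obj, names):
    expected = _mac(key, {n: obj.get(n) for n in names})
    return hmac.compare_digest(str(obj.get("mac", "")).encode(), expected.encode())


def provision_touchpoint(station):
    """Data written to the passive tag at a station."""
    return {"station": station, "mac": _mac(TAG_KEY, {"station": station})}


class BackEnd:
    def __init__(self):
        self.open_trips = {}              # customer -> check-in record

    def _station(self, tag):
        if not _valid(TAG_KEY, tag, ("station",)):
            raise ValueError("Touchpoint data failed verification")
        return tag["station"]

    def check_in(self, customer, tag, now):
        station = self._station(tag)
        if customer in self.open_trips:
            raise ValueError("customer is already checked in")
        fields = {"customer": customer, "station": station, "time": now}
        record = {**fields, "mac": _mac(RECORD_KEY, fields)}
        self.open_trips[customer] = record
        return record                     # kept by the application on the SIM

    def check_out(self, customer, tag, now):
        station = self._station(tag)
        start = self.open_trips.pop(customer, None)
        if start is None:
            raise ValueError("no open check-in for this customer")
        return {"from": start["station"], "to": station,
                "seconds": now - start["time"]}


def conductor_check(record, customer, now, max_age=6 * 3600):
    """Inspection on the conductor's mobile control device."""
    if not _valid(RECORD_KEY, record, ("customer", "station", "time")):
        return "invalid: record altered or forged"
    if record["customer"] != customer:
        return "invalid: record issued to another customer"
    if not 0 <= now - record["time"] <= max_age:
        return "invalid: check-in outside validity window"
    return "valid"


def demo():
    backend = BackEnd()
    record = backend.check_in("cust-1001", provision_touchpoint("Berlin Hbf"), now=1000)
    edited = {**record, "station": "Potsdam Hbf"}           # record changed after issue
    swapped = {"station": "Potsdam Hbf", "mac": "00" * 32}  # tag not issued by the back end
    try:
        backend.check_in("cust-2002", swapped, now=1100)
        swapped_result = "accepted"
    except ValueError as err:
        swapped_result = str(err)
    return {
        "genuine": conductor_check(record, "cust-1001", now=1600),
        "edited": conductor_check(edited, "cust-1001", now=1600),
        "borrowed": conductor_check(record, "cust-2002", now=1600),
        "stale": conductor_check(record, "cust-1001", now=1000 + 7 * 3600),
        "swapped_tag": swapped_result,
        "trip": backend.check_out("cust-1001", provision_touchpoint("Frankfurt Hbf"), now=4600),
    }
```

A static MAC only shows that the tag content was issued by the back end; it does not bind that content to one physical tag, so a deployment also needs tag-level protections that this sketch leaves out.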

The original paper can be found at this link:

References:
http://www.nfc-forum.org