Information security officers may have a new wireless worry to add to their lists: an RFID technology that will appear in half of new mobile phones in the United States by 2009. That's if the predictions of one analysis firm, Oyster Bay, N.Y.-based ABI Research, are correct.
The new technology, called Near Field Communication [NFC], uses RFID chips and readers with short-read ranges, often about 10cm. It will share some of the weaknesses of other wireless technologies, and may have a few of its own, according to some researchers and consultants.
But NFC also offers security advantages to enterprises, particularly those troubled by lost and stolen company credit cards and leaks of competitive information.
If security managers can encourage the responsible use of NFC, enterprises should
"Educating end users is the most difficult thing," said human-computer interaction researcher Nicolas Nova at the Ecole Polytechnique Federale de Lausanne in Switzerland. "I am not so sure that a large group of users will have enough time, or be willing enough to understand [how NFC works]."
Phones with NFC -- Nokia and Motorola have both introduced devices supporting the technology -- are designed in part to serve as payment devices. Each NFC device has the potential to replace wallet full of credit cards, which is a liability if it falls into the wrong hands.
"Which would you rather lose, your wallet or your phone?" asked Fran Rabuck, president of Rabuck Associates, a Philadelphia-based mobile technology consulting firm. No one can cancel all of his credit and bank cards in less than an hour, he said, but a user can disable his lost or stolen mobile phone with one call to his service provider.
Promoters of NFC hope its users will be able to make wireless payments in convenience stores [pilot tests are being conducted in Florida and Texas], download trailers from RFID-chipped movie posters, or pick-up conference show badges at special kiosks -- by using phones with RFID readers and chips built into them, or attached as shell accessories.
NFC has promising business applications, too, in areas such as identification, security and presence awareness. Enterprise workers could use NFC devices to enter secure areas, for example.
NFC, said Nova and Rabuck, may also be more secure than other wireless technologies, such as Bluetooth, which broadcast their data promiscuously, and at greater distances than NFC. That is because NFC phones are only intended to make connections with authorized devices at close range. NFC's RFID technology typically complies with standards such as ISO/IEC 14443, the "contactless chip" standard, which calls for a read range of 10 centimeters or less.
That short read range should mitigate the risk of eavesdropping by other reader devices, said Nova, who added that the NFC devices he's tested, unlike the case with Bluetooth devices, must point directly at their intended targets.
But most important, said Nova, "[NFC] security is a matter of accepting or not accepting a message, or ping, from another device." It's important that users know at all times the status of their devices, such as whether they are configured to automatically connect with nearby NFC devices, he said.
Rabuck said he imagines some unique threats to NFC, as RFID chips and readers become more ubiquitous. He calls one such threat "billboard" phishing: identity thieves could conceivably paste posters, with phony RFID chips embedded in them, over turnstiles, kiosks and posters. "How do I know that what I'm touching (communicating with via NFC), is legitimate, and not an overlay?" Rabuck asked.
Security officers now have the opportunity to help shape security protocols for NFC, which may affect device authentication and other issues. A spokeswoman for the NFC Forum, an industry standards group, said it is forming a security workgroup, and welcomes enterprise participation.