Researchers at the University of Alabama at Birmingham have created a verification mechanism that may eliminate the security weaknesses associated with NFC.
The new software, developed under Nitesh Saxena, director and founder of UAB’s Security and Privacy In Emerging Computing and Networking Systems (SPIES), is capable of determining the distance between a valid transaction reader and an NFC phone. This effectively prevents theft of personal and financial information from mobile devices by specifically deterring “ghost and reader” attacks.
Ghost and reader attacks occur when an intruder intercepts a user’s account information during a legitimate transaction and relays it to his partner, who is making a purchase at a completely different location. The user’s account is charged for both items, and by the time the fraud is discovered it is often too late.
Such attacks have been studied and verified in Europe, where NFC technology has been more readily adopted, but UAB’s approach seeks to prevent fraudulent activity by employing a simple solution: sound.
SPIES’ software solution prevents ghost and reader attacks by capturing a brief snippet of audio from the transaction’s surrounding environment to confirm that the user’s phone is in the immediate vicinity of the reader.
Using two Nokia N97 phones, one as a simulated RFID tag and the other as an RFID reader, Saxena’s team recorded audio samples at seven locations including retail stores and fast-food restaurants. The pilot recorded no false accepts and no false rejections, suggesting that the system may be a viable option moving forward.
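The ambient-audio proximity check described above can be sketched as follows. This is an added illustration, not the SPIES team's code: the article does not give their comparison method, so the normalized cross-correlation, the 0.6 threshold, the lag window, and the synthetic "recordings" are all assumptions.

```python
import math
import random

THRESHOLD = 0.6   # assumed accept threshold, not a value from the research
MAX_LAG = 20      # samples of clock skew tolerated between the two devices

def ambient(seed, n=2000):
    """Constructed stand-in for a location's background sound (smoothed noise)."""
    rng, x, out = random.Random(seed), 0.0, []
    for _ in range(n):
        x = 0.9 * x + rng.gauss(0, 1)
        out.append(x)
    return out

def record(env, start, n, mic_seed, mic_noise=0.3):
    """One device's capture: a window of the environment plus its own mic noise."""
    rng = random.Random(mic_seed)
    return [env[start + i] + rng.gauss(0, mic_noise) for i in range(n)]

def ncc(a, b):
    """Normalized cross-correlation of two equal-length sample lists."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da, db = [v - ma for v in a], [v - mb for v in b]
    denom = math.sqrt(sum(v * v for v in da) * sum(v * v for v in db))
    return sum(x * y for x, y in zip(da, db)) / denom if denom else 0.0

def similarity(a, b):
    """Best correlation over small lags, since the recordings start unsynchronized."""
    n, best = min(len(a), len(b)), -1.0
    for lag in range(-MAX_LAG, MAX_LAG + 1):
        if lag >= 0:
            x, y = a[lag:n], b[:n - lag]
        else:
            x, y = a[:n + lag], b[-lag:n]
        best = max(best, ncc(x, y))
    return best

def co_present(reader_audio, phone_audio):
    """Reader-side decision: accept only if both devices heard the same room."""
    return similarity(reader_audio, phone_audio) >= THRESHOLD

if __name__ == "__main__":
    shop, elsewhere = ambient(1), ambient(2)             # two constructed locations
    reader = record(shop, 100, 1000, mic_seed=10)
    honest = record(shop, 107, 1000, mic_seed=11)        # phone at the reader
    relayed = record(elsewhere, 100, 1000, mic_seed=12)  # phone at another site
    print("honest:", co_present(reader, honest))
    print("relayed:", co_present(reader, relayed))
```

Silent or constant input yields a similarity of 0.0 and is rejected, so a muted microphone cannot pass the check by default.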