Author: Andy Schroder 2015-02-23 07:36:36
Published on: 2015-02-23T07:36:36+00:00
The discussion of the privacy loss that could occur during NFC communication is addressed in this email thread. The concern is that if there is someone passively monitoring the connection, privacy may be compromised. One solution proposed is to send a public key of the payee over the NFC connection in place of a session key and use that public key received via NFC to encrypt a session key and send it back via Bluetooth. This would initiate an encrypted Bluetooth connection using that session key for the remaining communication, which would prevent an eavesdropper from seeing anything. However, if the NFC connection is modified by an eavesdropper, then the payee would not receive payment, and the problem would be quickly identified because the customer receives no product for their payment and they notify the payee. It is also noted that the same problem would occur if there were a hardwired connection to the payment terminal, and those wires were compromised. Additionally, the need for a trust anchor required of the payer by the payee is questioned, as the payer may not care who they are as long as they get a payment received. Finally, the limitations of proximity attacks on NFC communication are discussed.
Updated on: 2023-06-09T17:53:01.863732+00:00