Gerald Madlmayr

NFC Devices: Security and Privacy

The aim of this paper is to show security measures for NFC (Near Field Communication) use cases and devices. We give a brief overview over NFC technology and evaluate the implementation of NFC in devices. Out of this technology review we derive different use cases and applications based on NFC technology. Based on the use cases we show assets and interfaces of an NFC device that could be a possible target of an attacker. In the following we apply different attacks against the operation modes to show how applications and devices could be protected against such attacks. The information collected is consolidated in a set of threats giving guidelines on how to improve security and overcome privacy issues. This allows integrating NFC technology in a secure way for the end consumer.

Managing an NFC Ecosystem

Whereas several NFC trials are already established around the world, currently there are no mass rolls out yet. This is due to several technical as well as administrative issues that have to be dealt with before rolling out such a system. In this paper we present an approach for managing the B2B relations in an near field communication (NFC) ecosystem offering services based on card emulation like loyalty, payment and ticketing. Out of experiences made from trials we show which services are needed in order to manage such an ecosystem and to provide convenience to the user. Further more we discuss functional aspects of such an ecosystem, the parties involved as well as their benefit for participating. Although the technology already given allows a smooth interaction for the consumer, the infrastructure behind the scene is complex and requires the cooperation on different levels to ensure interoperability and a thriving contactless scheme to be deployed.

The benefit of using SIM application toolkit in the context of near field communication applications

NFC is one of the most promising technologies in handsets for business applications like ticketing or payment. Actually those applications require a secure store for keeping sensitive data. Using the SIM card as a removable secure element for proximity applications is one option. We will elaborate a comprehensive study on the requirements and impacts of using the SIM card as a secure store for proximity applications, presenting the pros and cons of combining NFC with the SIM card in handsets. Based on these facts we worked out a concept and necessary processes for an NFC ecosystem based on a SAM. Hence we line out two different approaches for managing applications in the secure element. Finally the effects of this implementation on mobile network operators and application providers as well as consumers are summarized.

Management of Multiple Cards in NFC-Devices

Near Field Communication (NFC) currently is one of the most promising technologies in handsets for contactless applications like ticketing or payment. These applications require a secure store for keeping sensitive data. Combining NFC with integrated smartcard chips in a mobile device allows the emulation of different cards. Representing each secure element with different UIDs poses several problems. Thus we propose an approach with a fixed UID dedicated to a Secure Element Controller (SEC). This approach allows an optimized backwards compatibility to already established reader infrastructures but also the communication in peer-to-peer mode with other NFC devices. Additionally the communication over peer-to-peer as well as the internal mode of secure elements at the same time is possible. This is approach poses a flexible alternative to the implementations proposed so far. In addition when there are to multiple, removable secure elements in a device it is ensured that the secure elements are only used by authorized user/devices. The SEC in this case handles the communication between the secure elements as well as their authentication.

Risk Analysis of Over-the-Air Transactions in an NFC Ecosystem

The instance of the platform manger (PM) also referred to as trusted service manager (TSM) is vital for the Near Field Communication (NFC) ecosystem. Instead of issuing physical cards, the platform manager distributes the smartcard applications to the NFC devices over a wireless network. Therefore the platform manager has to meet high security standards like those of an ordinary smartcard issuer, producing, personalizing and distributing smartcards. As the applications are loaded post-issuing, the certification of these applications, like credit cards, is not yet possible. But front up a certification of the PM as well as the process is needed, to ensure availability and integrity of the service. This is the base requirement for the certification of the distributed applets. The first necessary step for a fruitful protection profile is a risk analysis of the infrastructure and components involved from a security point of view, which is provided to the readers of this paper.

Components for an interoperable NFC mobile payment ecosystem

Although NFC technology for contactless chip cards (ISO/IEC 14443) is known for over ten years now, the market penetration of mobile phones and payment terminals integrating NFC is rather rare. From a technical point of view, there are no issues that prevent services that are based on NFC from being rolled out. The critical part is to put all the necessary players in place and form an interoperable ecosystem that allows all stakeholders to participate. In this paper we describe a system and the necessary processes for issuing open loop payment schemas on to mobile phones for the existing players. The focus of the concept is the implementation of a technically and commercially feasible system with minimal impact on the existing infrastructure. Hence the integration costs of taking part in the NFC ecosystem are lowered and therefore more attractive. During the analysis a finding was, there is no model for all markets/countries.

Secure Communication between Web Browsers and NFC Targets by the Example of an e-Ticketing System

Near Field Communication (NFC) is a radio frequency (RF) based proximity coupling technology allowing transactions within a range of up to 10 cm. Using NFC technology for transactions like payment or ticketing in the real world brings a great benefit in terms of time savings, usability and process optimization. Therefore we propose an e-ticketing system making use of this proximity technology especially focusing on security aspects of the system as well as the distribution of the tickets. While other systems rely on ticket distribution via SMS or home-printing a paper ticket, our approach is based on a browser plug-in in combination with a contactless RFID reader at the client side. This installation is used to transfer the e-ticket from a ticket server to the users PC client and to write the ticket over the proximity interface into the secure element of the NFC target. Thus an NFC target, a contactless smartcard or an NFC enabled mobile phone, can be used as a secure token. With this implementation we are able to bridge the gap between electronic internet transactions and the physical world in a secure way. Also the validation of the ticket at the point-of-access is based on this contactless technology. Our findings provide practical implications to implement web applications using NFC technology successfully.

Evaluation of SmartCard webserver as an application platform from a user's perspective

SmartCard Webserver (SCWS) is an application platform technology for services that runs within a tamper proof hardware, like in a smartcard chip. Due to upcoming application scenarios like using a mobile device as a contactless smartcard based on Near Field Communication (NFC), the use of tamper proof hardware in mobile devices is getting more popular. SCWS is an application server within a SIMCard. A web browser on the handset can be used to interact with servlets on the server. Beside user interface capabilities, SCWS also provides remote management features and a sound security concept for application access. In this paper we present the results of a survey of a user experience study regarding SCWS. The study focuses on the user experience and interaction with mobile web applications in comparison to natively implemented applications. We conducted 32 personal interviews with consisted out of a questionnaire and user experiments with a handset. Out of the results of the survey we give recommendations on the design and use of SCWS for mobile applications.

Near Field Communication

Near field communication (NFC) is a radio frequency (RF) based proximity coupling technology allowing transactions within a range up to 10 cm. With NFC, a key technology is on its way into the consumer’s most personal device, allowing the customer to use his devices for secure services such as payment or ticketing but also for service initiation or data exchange. Interoperability is one of the most important goals to be achieved prior to the roll out of devices and services, in order to satisfy the consumer’s expectations. This chapter deals with different operating modes and use cases that can be implemented with NFC technology with the main focus on mobile phones. This high level description is backed up with a look into the hardware architecture for NFC as well as the software stack in mobile phones. The chapter ends with a description of tags and tag formats for the NFC ecosystem.

Neue Dimension von mobilen Tourismusanwendungen durch Near Field Communication-Technologie

Die Verwendung von mobilen Endgeraten fur touristische Anwendungen hat in den letzten Jahren durch die allgemeine Verfugbarkeit von Mobiltelefonen und Diensten, sowie der Integration von LBS-Technologien, namentlich GPS, stark zugenommen. Vor allem ortsbasierende Dienste mit augmentierten Informationen haben sich in diesem Kontext als popular erwiesen. Doch mobile Endgerate konnten fur Touristen auch andere Dienste bieten. Durch die Integration von NFC-Technologie, die es erlaubt, das Telefon einerseits als kontaktlose Chipkarte zu verwenden und anderseits in ein RFID-Lesegerat zu verwandeln, eroffnet sich eine neue Dimension von mobilen Anwendungen fur den Tourismus. Die Optimierung von Prozessen und die einfache Interaktionsmoglichkeiten durch die Verwendung dieser Kontaktlostechnologie erhoht die Benutzerakzeptanz und die Frequenz der Nutzung. Der Bericht soll dem Leser die Technologie und Einsatzmoglichkeiten, die durch anschauliche Beispiele und Fakten aus Studien untermauert sind, naher bringen.