Everyone seems to be making a big deal over Google Wallet and other NFC applications. I have a Galaxy SIII, but I keep my NFC disabled at all times. Aside from the fact that the relative newness of the technology means that almost no one I know has an NFC capable phone, I also feel like Google Wallet is a security nightmare.
My FPGA Synthesis TA at Hopkins was on a team that cracked the Speedpass encryption. I know it can be done. In my mind, RFID and similar tech is a security hole you can drive a truck through. Maybe this just makes me part of the tinfoil hat crowd; I have no problem with this.
But with everyone talking about NFC and how great it’s going to be, I just don’t get it. I save myself 2 seconds of effort by plopping my phone on some reader to pay for something, rather than pulling out my credit card and swiping. In return, I leave my payment credentials vulnerable to any asshole with a laptop and a reader (or even a hacked NFC capable phone). It just doesn’t seem worth it to me, and I don’t get the excitement for it.
Is this just another example of “technology because we can” or is there actually something special about NFC that I’m missing?
I have wondered the same thing. All that I have seen that would be useful is making payments with the phone. I think that futurists envision a time when you don’t need to carry a wallet because you won’t need cash or credit cards anymore.
A lot of people were disappointed that the iPhone 5 didn’t have NFC. Apple’s official response was that there weren’t really any significant problems that NFC solved.
Six or seven years ago, an NFC IC vendor did a presentation to my team. One of the arguments was that you are more likely to notice your phone is missing than that your wallet is missing. So he claimed that increased security.
Another thought - not from that presentation - is that security can be built on layers that use NFC for transport. Sure - a primary rule of security is to prevent access. But if you’re willing to enter a credit card number on the internet over a secure protocol, you might be able to use a secure protocol over NFC as well.
While it’s possible the encryption that Google Wallet uses can be cracked, it’s still unlikely that you’ll ever have money stolen from you because of it.
For one, the type of NFC Google Wallet uses requires an active interface, i.e. another piece of electronics. It’s not like someone could just set up a passive NFC tag that read your cred card number.
Two, you have to hold your phone over it for a few seconds, and it has to be unlocked. So if it’s just in your pocket, even if someone walked by with a cobbled-together electronic NFC stealing device, he couldn’t get any info. And even if the phone came unlocked from the button bumping on your leg in your pocket, or something, he would have to hold this device over your pocket for a few seconds…I think you’d start to suspect something.
As with pretty much every form of payment out there (cash, checks, credit cards, online, etc…) the biggest security hole is always the user doing stupid things. Don’t use Google Wallet at some small, sketchy-looking convenience store. Don’t make online payments to some weird, foreign website that isn’t HTTPS (secure,) don’t give your wallet to the “wallet inspector.”
Ok, fine, you still don’t want to use Wallet. That’s ok, it’s your money, your credit cards, use them however you want. But NFC has other uses. Sharing contacts, playlists, etc… between two phones. Reading a small amount of info from an NFC tag. Similar to what QR codes can do, but quicker because you only have to turn on and unlock your phone, you don’t have to open the barcode reader app. But you can even take it a step further: you can program your own NFC tags to do simple tasks. For instance:
Have a tag at home near your nightstand, or something. Scan it (again, as easy as just unlocking the phone,) and it can automatically go to silent mode, set your alarm, even get set up to do automatic text replies saying something like "I’m asleep…stop texting me! :p.
Put one in your car, it gets scanned, and now it turns off wifi, turns on Bluetooth to connect to your stereo, opens up Pandora, or your music or podcast app and starts playing, etc…
Have one in your office, scan it, and it goes to silent/vibrate mode, maybe turns off the cell connection if, like me, you get no signal in your office, and turns wifi back on.
However, that article did point out a potential security flaw:
But again, the user should be good about browser security. You should set your web browser to only run apps like java when you say so. You also shouldn’t be scanning random NFC tags you see just anywhere, either.
Ah, I didn’t realize that the phone had to be unlocked to do an NFC scan. I thought by leaving it on, it could just turn on whenever while it was in my pocket or wherever.
The NFC tags thing does sound useful, though a lot of that functionality can already be accomplished with Tasker or similar apps. However, I’ll admit that NFC tags do provide a useful trigger; I could see myself keeping an NFC tag in my car to make up for the fact that I no longer have a car dock for Tasker to trigger on.
The Google Wallet thing also stems from a concern over the amount of damage potential from a compromised phone. That’s why I try very hard to keep financial info and related accounts off my phone. Using Google Wallet just seems like another vulnerability.
So, I’ll give that NFC tags may not be the security nightmare I feared they were, but neither has anything I’ve seen so far suggest that it’s the next big thing, either. I mean, we’ve got people complaining about phones because they don’t support Google Wallet, or don’t support NFC at all. I can see how it’s a nice-to-have, but it’s not a dealbreaker for me, either.
Still, you’ve opened my mind, so thanks
I’d still like to hear some other opinions on it, of course.
I just got some tags and I think I’ll find them useful. So far I put a tag on the side of my alarm clock so when I touch it with my phone it sets my phone alarm via a Tasker task. This task not only sets the alarm but when the alarm goes off it also turns my bedroom light on, reads the forecast and has the TV display an outside camera.
Im going to put one on either the desk or my computer to trigger a file sync with the phone.
Other than that, I’m looking for ideas. I have some home automation I could use them with but I don’t see any reason to. I could open the garage door by touching the phone to a tag, which would be really cool, but I can just tap an icon on the phone or use the keypad on the house instead. No need for a tag.
I don’t use Google Wallet although it seems cool. I imagine the stores near me would be confused if I paid with my phone.
The big deal is that Google can take a cut of the many billion dollars a year that the CC processing companies make. Eventually cutting out people like Mastercard and Visa, and making that money for themselves.
But I thought that Google Wallet used a person’s credit card information to make a transaction. When you pay with Google Wallet, it just charges whichever credit card you have assigned as your main card. Unless they overhaul their service, wouldn’t Google just be taking a percentage on top of what the CCs charge?
Yeah, I think it’s a technology-because-we-can issue, and the people making them haven’t thought enough about the security aspects.
Not long ago, Chase started issuing debit cards with a radio chip in them. Days later, the news was reporting methods used by thieves to steal funds: Wave a device near someone’s purse and execute a Point-of-Sale transaction for hundreds. My wife and I went to the bank the next day and demanded chip-less debit cards.
In my Junior year of high school (early 80’s) as part of my FutureWorld project in a history class, I proposed a cash-less society – no street robberies, no tokens to lose, paper trails on every transaction so you know who’s ripped you off (and illegal purchases are tracked and evidentiary). My classmates rejected the idea as unfeasible. :dubious:
—G!
Thirty golden pieces
For the Judas Kiss
What’s a nice boy doin’
In a place like this?
. —Rik Emmet (Triumph)
. Never Surrender
. Never Surrender
A worse prank than the one mentioned by bouv is talked about here. Basically, you can tell some Samsung phones to factory-reset themselves with a link that can be opened via browser, QR code, or NFC tag.
Yeah, I just read about that. At least Samsung has acknowledged it and might send out a patch soon. It only works with the stock browser, though, so anyone using Chrome, Firefox Mobile, Opera Mini, Dolphin HD, or any other android browser that isn’t the stock Samsung one are fine.
Though from sites I’ve read, it’s been hit and miss whether they phone actually dialed the number automatically. And right now there’s nothing a hacker can do to get any info from the phone…yeah, a few jerks out there will gladly made a webpage that just wipes people’s phones, but at least you won’t be out money from them hacking into Google Wallet or anything.
Not only does the phone have to be unlocked, you have to enter your password in order to activate Wallet. Upon doing so, you have a pre-specified period of time to use Wallet, before it re-locks itself. You can also increase or decrease this time, depending on your preference. So even if you unlock the phone and somehow lose it, someone would have to use Wallet within, say, the five minute window you had specified for use, before they’re locked out…followed by your phones security.
The added bonus is that you can remotely uninstall the app or data, as well as track purchases, including geo-tags if you choose. This may or not may be helpful, but you will have an immediate trail of whats going on, at the very least.
I’d say its less vulnerable than losing your credit card, in any given moment. Should that happen, it’s essentially a race between you and the thief, in order to deactivate/dispute charges. If someone knows your area code (which is rather easy to guess, given most people use their CC’s in the city they live), they can do a lot of damage, rather quickly. A phone with two layers of security, at the very least, is certainly safer.
Interestingly enough, due to the relative obscurity, I’d say its even less of an issue, lol. If you lose your phone, you’re likely to have something else compromised, before Wallet. Of course, where there is a will, there is a way, and a determined thief could do a lot of damage-- but the time spent trying to compromise something like NFC seems rather silly, when they could compromise CC information a lot quicker, and cheaper, due to its ubiquity.
In all honesty, I’m just not fearing much from NFC payments.
At this point in time, I wouldn’t call it a deal-breaker, either, but it’s certainly a welcome addition to my device, especially now that I have a Nexus 7 and friends with an S3, who can make use of it.
There is less “let me email” or “text this” talk, and instead, just simple transfers, since it’s just a faster way to send something to another device, without having to pair or add in other credentials. With more people adopting it, the potential only grows, so I hope it gains more traction, for a host of reasons.
Not sure how much truth there is to this. Google previously used a prepaid card, linked to your account, but they’ve done away with this and instead directly link your card of choice to Wallet. Visa and friends are still very much a part of the process.
More likely, Google will do what it always has done, and datamine consumer spending habits (annoymosly, of course :)), for their own ad-selling purposes.
Well, keep in mind too that though right now google wallet just uses your Credit card, if it actually took off they could easily issue their own credit card or similar and reap the fees. Obviously they also just want you to have a way to pay on file so you can easily buy from them directly in the play store.
