Publications in the press

NFC: Security is above all - Vadim Ustinov, the Commercial Director

Vladimir Ustinov, the Commercial Director of JSC NovaCard: As of today we can state that there is definite interest in Near Field Communication (NFC) technology in Russia. The idea of using a telephone as a contactless smart card has its adherents as well as its opponents. Heated arguments among specialists have become the norm; the main point of dispute is whether the benefits of convenience outweigh the risks arising from emulating a payment card in the telephone. Both sides have enough arguments to support their positions.

One thing is indisputable for both sides: security is above all. Indeed, a modern telephone is ready to be a full authenticator for its owner, since it has the full set of tools needed for this: a processor, memory, a user interface, means of interacting with the outside world and, of course, a Secure Element (Universal Integrated Circuit Card, UICC card). A UICC card is a multi-service SIM card which, using additional security mechanisms, allows sensitive information to be stored and processed securely.

So, if the image of a contactless smart card is placed in the Secure Element, the telephone becomes a form factor of that card and is able to work in the existing infrastructure. By a contactless bank card we mean MasterCard PayPass or Visa payWave cards. Enough has been said about the advantages and potential of NFC technology. It is really convenient and easy to use.

The technology does not require spending on a marketing campaign, because the activated service is its own perfect advertisement. Users enjoy sharing their excited opinions and drawing their relatives, friends and acquaintances into using the service. If only the infrastructure were there! At the same time, there are critical arguments that may look like obstacles to the wide spread of contactless payments. On further thought, however, the «drawbacks of NFC technology» are easily explained by the fact that the authors of such articles do not have complete information about the subject.

Below we look at the security mechanisms and protection methods implemented in NFC projects around the world, and in NovaCard products in particular. One claim is that NFC is vulnerable because a radio signal is used for interaction with the POS terminal. The assumption is that if an attacker manages to capture the radio signal a client uses to pay for a service, he will be able to pay for purchases from the customer's account by modulating the captured signal. But such a scenario is impossible. When performing a transaction the telephone emulates a MasterCard PayPass or Visa payWave contactless card, so it behaves as a contactless EMV payment card.

Each transaction is unique: when paying with the bank application, data packets are formed and transmitted using several levels of protection, namely symmetric and asymmetric encryption as well as a one-time CVV code. Thus, if an attacker tries «to repeat the transaction», the POS terminal will refuse the payment. Along with the cryptographic mechanisms and the one-time CVV code generated for each operation, there is a purchase amount limit above which PIN-offline must be entered. This limit is 1000 rubles in Russia and 20 euros in Europe; however, the bank retains the right to change the limit above which the user must enter a PIN at the POS terminal. This mechanism is there as an extra precaution. In this case payment by telephone is similar to payment by a contact bank card with Chip&PIN authentication. With a mobile application the user gets not only a user-friendly interface but also the opportunity to set up additional levels of protection.

For instance, to pay for a purchase or a service, the user has to enter the «Mobile application» using PIN-online. This rules out unauthorized use of the customer's account if the telephone is stolen or falls into the hands of an unauthorized user. In addition, the cardholder can enable re-entry of PIN-online. This mechanism works as follows: the user enters the PIN when opening the mobile application; on interaction with a contactless reader, the mobile application requests the PIN once more to confirm the current transaction; after the correct PIN is entered, the mobile application tells the user to present the telephone once again to the POS terminal supporting NFC technology.
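The replay refusal and the purchase limit described above, as an added example that is not code from the article or from NovaCard. It is a simplified model: the one-time code is an HMAC-SHA256 over a transaction counter, a terminal nonce and the amount (an assumption standing in for the payment schemes' own algorithms), and the `Card` and `Verifier` classes, the key and the status strings are hypothetical.

```python
import hashlib
import hmac

CVM_LIMIT = 1000  # rubles; the Russian limit quoted in the article


def one_time_code(key: bytes, atc: int, nonce: bytes, amount: int) -> str:
    # Simplified stand-in for the card's one-time code: HMAC-SHA256 over the
    # transaction counter, the terminal's nonce and the amount (assumption,
    # not the PayPass/payWave algorithm).
    msg = atc.to_bytes(2, "big") + nonce + amount.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Card:
    def __init__(self, key: bytes):
        self.key, self.atc = key, 0

    def pay(self, nonce: bytes, amount: int) -> dict:
        self.atc += 1  # the counter never repeats, so neither does the code
        code = one_time_code(self.key, self.atc, nonce, amount)
        return {"atc": self.atc, "nonce": nonce, "amount": amount, "code": code}


class Verifier:
    # Hypothetical combined terminal/issuer check.
    def __init__(self, key: bytes):
        self.key, self.last_atc = key, 0

    def authorize(self, msg: dict, nonce: bytes, pin_ok: bool = False) -> str:
        if msg["amount"] > CVM_LIMIT and not pin_ok:
            return "PIN_REQUIRED"
        if msg["nonce"] != nonce:
            return "DECLINED_STALE_NONCE"       # captured in another session
        if msg["atc"] <= self.last_atc:
            return "DECLINED_REPLAYED_COUNTER"  # counter already seen
        good = one_time_code(self.key, msg["atc"], nonce, msg["amount"])
        if not hmac.compare_digest(good, msg["code"]):
            return "DECLINED_BAD_CODE"          # altered or forged fields
        self.last_atc = msg["atc"]
        return "APPROVED"


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key
    card, verifier = Card(key), Verifier(key)
    captured = card.pay(b"\x00\x00\x00\x01", 500)
    print(verifier.authorize(captured, b"\x00\x00\x00\x01"))  # genuine payment
    print(verifier.authorize(captured, b"\x00\x00\x00\x02"))  # replay, new session
```
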

Besides, users who care not only about payment security but also about the telephone's battery consumption can switch off NFC in the telephone's menu. As a rule, turning NFC on or off is easy: the corresponding icon is shown in the quick access bar. When NFC is turned off, the reader does not see the telephone as a contactless card. Activating the function takes only a few seconds and fully excludes unauthorized access to the cardholder's account.

For all the diversity of security mechanisms, the best guarantee is the attentiveness and care of the cardholder. One should pay attention to the software installed on the mobile telephone, use antivirus software to scan newly downloaded content, and stay alert when making payments on the Internet. To form as objective a view as possible, our company spent enough time going into all the nuances of NFC technology: the convenience and benefits of its use, and the potential risks. As a result we have formed a firm conviction: the security level of smart card emulation in the telephone form factor is sufficient for mass adoption, and the skeptical opinions of pseudo-experts who call NFC transactions vulnerable can in most cases be explained by superficial knowledge and their fantasies about it.

When a large number of judgments, often diametrically opposed, are available to everybody, it is extremely important to have complete information in order to form one's own point of view. Today NovaCard is not only a card manufacturer: with its skilled personnel it provides consulting services to its partners on choosing the best ways of adopting the technology, assists with the certification of NFC solutions in the international payment systems, and provides access to a wide range of service providers, cooperation with whom helps deliver optimal functionality to end users.
