Beware of contactless theft with NFC and RFID technologies

Near Field Communication (NFC) and Radio Frequency Identification (RFID) technologies enable wireless communication between devices and facilitate contactless payment processes, product tracking, and access control.
These technologies have become part of everyday life; however, they can also be used to steal important data, and this can happen without you even realizing it in common places like sporting events, concerts, public transportation, or supermarkets.
How does it work?
According to David González, a cybersecurity specialist at ESET Latin America, RFID systems are useful in logistics environments for organizing loads, packages, and inventories, compiling statistics and relevant information. They are also used in clothing stores to identify garments and their location, streamlining daily operations and providing an additional security measure.
In the case of NFC systems, they are the basis for common proximity devices such as mobile phones and contactless payment cards. The same applies to cards that allow authorized persons to enter buildings through access and time control systems.
NFC proximity cards are also used to open electronic locks in hotel rooms, tourist apartments, and vacation rentals, allowing guests to conveniently access their rooms by simply tapping the card against the reader. The chip with the identifying information can be incorporated into other items such as wristbands or key fobs, further personalizing the guest experience.
"So, NFC systems are actually part of RFID technology, meaning they can be considered a subset of RFID techniques. The main difference is that RFID components can operate and communicate with each other over much greater distances. This makes them widely used in a variety of fields," González notes.

It's advisable to use a secure NFC/RFID wallet and disable contactless purchases on your phone. Photo: PEXELS: Photo by Mikhail Nilov

Rising threats
With the advancement of both technologies, thieves have explored new forms of contactless fraud, capturing card information or performing unauthorized transactions.
One of them is skimming, a type of fraud in which criminals copy the victim's card details. Once the data is captured, an additional step is required, such as card cloning or using stolen data in online transactions to commit fraud.
According to the specialist, "a fraudster uses a hidden NFC or RFID reader to capture contactless payment card data when someone holds it too close. Although the stolen data typically doesn't include the PIN, some attackers can use it for online purchases at stores with low security."
As a preventative measure, you can use RFID-blocking wallets or even wrap the card in aluminum foil. It's advisable to enable real-time purchase notifications, use virtual or temporary cards for online purchases, and monitor transactions.
Another type of attack is a relay attack: in this case, an attacker intercepts the signal between an NFC card and a payment terminal, amplifying it to make it appear the card is present elsewhere. This allows payments to be made without the owner's knowledge.
To avoid this, it is advisable to use a protected NFC/RFID wallet, disable contactless purchases on your phone when not in use, and use biometric authentication for payments (fingerprint or Face ID).
Cybersecurity experts also talk about e-wallet hacking, or mobile payment data theft: In this method, cybercriminals exploit vulnerabilities in payment apps (such as Apple Pay or Google Pay) or intercept data on public Wi-Fi networks, allowing them to make unauthorized payments if they gain access to the user's account.
In this regard, cybersecurity firm Kaspersky says cybercriminals purchase several smartphones, create Apple or Google accounts on them, and install contactless payment apps. When a victim visits a fake website, they are asked to link their card or make a small mandatory payment. This requires entering card details and confirming ownership by entering a one-time password (OTP).

Skimming is a type of fraud in which criminals copy card data. Photo: PEXELS: Photo by iMin Technology

Even if the card doesn't register charges immediately, the data is transferred almost instantly to the cybercriminals, who then attempt to link it to a mobile wallet on their smartphone. To speed up and simplify the process, attackers use special software that takes the data provided by the victim and generates an image of the card that perfectly replicates it. The attackers then only need to photograph this image from Apple Pay or Google Wallet.
To counter this scheme, it's recommended to set strong passwords and activate two-factor authentication. Never make payments on public Wi-Fi networks. Use virtual cards for online transactions, which work by reloading money before you can use them. It's also recommended not to store large amounts of money on virtual cards and only reload them just before making an online purchase. If your card issuer allows it, disable offline payments and cash withdrawals on these cards. Also, always be vigilant about monitoring transactions.
Another form of theft is the installation of fake NFC readers: this behavior involves a fraudster placing a modified NFC reader on payment terminals or ATMs, which, when the card or mobile phone is swiped, captures the user's data.
In this case, it's always important to check that the payment terminal doesn't have anything suspicious attached or modified. You can also use chip and PIN cards instead of just NFC whenever possible, and don't accept NFC payments on unknown devices.
Along the same lines, another danger is NFC phishing: a technique in which a scammer or cybercriminal tries to trick users into holding their phone near a fake NFC chip that redirects them to a malicious website.
Regarding this, Kaspersky warns that once users bring their device close to the altered NFC reader, they may be redirected to phishing sites, or unwanted actions may be initiated on their devices, or even malicious software may be delivered. In its warning, the company said that thieves could switch a genuine reader in high-traffic areas, such as transportation hubs, cafes, or retail stores, for one that triggers malicious behavior.
It's recommended not to scan NFC tags in suspicious locations and to set your phone to ask for confirmation before opening NFC links.
“The number of victims of this type of attack varies from country to country, although it's a fact that there's an increase in fraud related to non-chip cards, especially during peak spending periods like Christmas, Valentine's Day, and New Year's, to name a few,” concluded David González, IT security specialist at ESET Latin America.
Diego Barrio de Mendoza (*)
(*) With additional information from EL TIEMPO.