Since my last post about near field communication (NFC) technology and its use in mobile phone payments raised some justifiable concerns about personal data security, I wanted to circle back and share some thoughts on that topic. (See: Cellphone Payments: High-Tech's New Frontier.)
I’ve got to say, the more I read about NFC, the more questions I have. And, the more questions I have, the more skittish I've become about having my personal data magically zapped from my cellphone to some device a few inches away. Still, I know that incredibly smart people up and down the high-tech supply chain -- semiconductor companies, industry organizations, device makers, software developers, phone operators, banks, and government agencies -- are very much aware of the risks involved and are taking serious steps to win users' trust.
I’m fairly confident, too, that while I may not personally be an early NFC adopter, I will eventually climb on the bandwagon -- once I see it being used regularly in everyday transactions and hear friends rave about how convenient all sorts of things have become because the technology has been embedded in a host of consumer devices. I’m sure other people will then come aboard as well. That’s generally the way technology gains traction.
What has me on unsteady ground at this moment in time is that there doesn't seem to be one standard security protocol in place for this technology. Everyone involved seems to be responsible for layering in whatever they define as appropriate security. As Popular Science Magazine points out in "Everything You Need to Know About Near Field Communication":
"The NFC protocol itself has surprisingly few actual safeguards against data snatching -- and the protections the NFC Forum does highlight are simply logical extensions of the physical nature of the protocol...
"The NFC standard leaves any kind of advanced protection, like encryption or password protection, up to whoever uses it. You'll have to trust your bank to encrypt your bank info, you'll have to trust Google, Apple, or RIM to encrypt your account info, you'll have to trust your digital locksmith to encrypt your new space-age virtual house key, and so forth."
I’m reassured, though, by the fact that many companies are taking steps to calm the jitters. For instance, NXP Semiconductors N.V. (Nasdaq: NXPI) and security specialist Giesecke & Devrient announced in February that they have "the full validation of a joint software solution offering secure interfaces between the handset, NFC functionality and secure elements such as the SIM card."
This solution, they say, will allow NFC to be integrated securely into Android-based mobile handset platforms and other operating systems. In December, EE Times reported that Renesas Electronics Corp. (Tokyo: 6723), leveraging on-wafer packaging technology, has developed a 0.22mm ultra-thin profile series of MCUs, the RF21S, that combines an NFC controller with secure element functionality for use in consumer electronics products such as smartphones and other mobile phones, notebook PCs, and PC peripherals.
Further upstream, Bank of America is testing, with a small group of BlackBerry users, a secure element that the bank will own and that is embedded in a microSD card supplied and controlled by the bank, according to The Register. Another solution being discussed in several other places on the Web appears to be simply setting up a PIN passcode that locks and unlocks the phone and protects user data.
Surely within the next few quarters, we’ll start seeing some more definitive trends take shape, and best practices will solidify. Until then, what may help the US and people like me get more comfortable with this technology is to take a closer look at what’s happening in Japan. Based on the conversations on EBN and elsewhere on the Web, Japan -- no surprise -- is leaps and bounds ahead of most of the world on this. It’s common practice there, for instance, to pay for public transportation tickets via mobile phones. And the Japanese are already using NFC technology for information sharing and social networking, according to a post in Near Field Communications World.
Anyone want to weigh in with personal experiences you’ve had with NFC-embedded technology, particularly overseas where it has taken hold? And tell me, what kinds of security measures do you think make the most sense or will win out?