As NFC usage becomes more widespread due to smartphone proliferation, security gaps and threats will be exploited, one firm predicts

Just when more people have become acclimatized to the risks of cashless and contactless payment systems, another ubiquitous means of electronic identification is being weaponized by cybercriminals to widen their attack radius.

Near-field Communication (NFC) tags are now widely used in marketing campaigns, public transport systems and smart home setups to enable quick, touch-free interactions. However, this same convenience makes them susceptible to tampering by malicious actors, as one cybersecurity firm is anticipating.

For instance, when legitimate NFC tags are left unlocked, outsiders can find ways to reprogram them to redirect users to phishing sites, initiate unintended actions on their devices, or deliver harmful software payloads. Another method is the physical replacement of original NFC tags. For example, attackers could swap out a genuine tag on some publicly-placed item with one that triggers harmful actions on smart devices, such as phishing attacks; exploitation of vulnerabilities in a smartphone’s NFC reader to execute harmful code; or ruses causing the user to download harmful files that steal data or track phone activity.

According to Marc Rivero, Lead Security Researcher, Kaspersky, the firm raising awareness of this emerging threat: “As the adoption of NFC continues to grow… we anticipate that malicious actors will become increasingly sophisticated in their tactics. In the next few years, NFC-related attacks could potentially target thousands of users globally, particularly in urban areas where NFC usage is widespread. Awareness and proactive measures are key to mitigating these risks.”

Businesses and industry professionals are recommended to use locked/read-only NFC tags to prevent tampering; perform routine checks of tags for alterations and tampering; and education customers about safe NFC practices such as limiting NFC actions on a smart device from being fully automated without user approval; keeping NFC-module vulnerabilities patched promptly; and constantly educating each other on cyber hygiene and anti-phishing best practices.