NFC and RFID Explained For Consumers
A couple of weeks ago, I had a #TreatYoSelf moment and bought myself a sweet wallet. Then, over the course of the weekend, I noticed that I was getting NFC notifications and couldn't figure out what was triggering them. Ping, ping, ping! They wouldn't leave me alone!
I was hesitant to click the link but, alas, I caved and tapped. Turns out, it was a marketing link from the wallet manufacturer. After some research, I learned that, in 2016, the company started using RFID tags in an effort to verify the authenticity of their goods and fight counterfeits. Fair enough.
Then I realized that there's no way to turn off the NFC reader on iPhones. That means anytime my phone is near my wallet, I get a notification from the wallet brand to visit their website.
In this scenario, what's an annoyed customer to do? After all, it's not feasible to have a notification pop up every time my phone is near my wallet. So I did a deep dive into NFC notifications, RFID tags, and what to do about them. Here's what I found out.
Radio Frequency Identification (RFID) refers to a wireless system that has two main components: tags and readers. The reader is a device that has one or more antennas that emit radio waves and receive signals back from the RFID tag. In my situation, the RFID tag was inside my wallet without my knowledge.
Near-Field Communication (NFC) is a method of wireless data transfer that allows smartphones, laptops, tablets, and other devices to share data when in close proximity. Today's smartphones are equipped with NFC technology. On Android devices, the NFC reader can be turned on and off. The NFC reader on iPhones is always on and cannot be turned off.
RFID is the process by which items are uniquely identified using radio waves, and NFC is a specialized subset within the family of RFID technology. Specifically, NFC is a branch of High-Frequency (HF) RFID, and both operate at the 13.56 MHz frequency.
While you might not be familiar with the term, NFC actually powers a lot of tech that people use every day. For example:
Card Emulation: NFC technology powers contactless payments via mobile wallets like Apple Pay and Android Pay, as well as contactless cards.
Peer-to-Peer: NFC is commonly used for peer-to-peer payment and data transfer. When two enabled NFC devices are in range, a prompt will appear asking if you’d like to share multimedia and digital content (videos, contact information, or photos) with the other device.
NFC Tags: Passive NFC tags (small stickers embedded with NFC chips) don't require power and can be programmed to perform certain tasks when scanned. NFC tags are incredibly versatile and can be used in many different ways. Here are just a handful of examples of how NFC chips can be applied when a device reads the tag.
The company, Ferragamo, announced in 2016 that they utilize NFC tags to verify the authenticity of their items to curb counterfeits. However, as far as I can tell, the company has not shared that they also use the tags to push marketing notifications to the buyer's mobile device. Further, iPhone users cannot turn off the NFC reader, so whenever an iPhone is close enough to the item, the user will get a marketing notification. If a user taps the notification, they are taken to the Ferragamo website where they may be identified, tracked, and retargeted for ads.
From their Privacy Policy, the embedded NFC tags collect "generic IP location, but without being able to precisely locate you." Coupled with your personal data collected through their site, that collection of data can be processed, among myriad other ways:
And here's how they collect data about you through their site.
2.1. As you use the Website or Social Pages, we inform you that Ferragamo may collect and process information related to you as an individual and which allows you to be identified (either directly or together with additional information), or which is related to other individuals ("Personal Data"), such as your name, an identification number, an online ID or one or more characteristic elements of your physical, physiological, mental, economic, cultural or social identity.
Browsing Data
2.A.1. The Website's operation, as is standard with any website on the Internet, involves the use of computer systems and software procedures, which collect information about the Website's users as part of their routine operation. While Ferragamo does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information is also considered Personal Data.
2.A.2. This information includes several parameters related to your operating system and IT environment, including your IP address, location (country), the domain names of your computer, the URI (Uniform Resource Identifier) addresses of resources you request on the Website, the time of requests made, the method used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.), and so on.
2.A.3. These data are used exclusively to compile anonymous, statistical information on the use of the Website, as well as to ensure its correct operation and identify any faults and/or abuse of the Website – the data is deleted immediately after processing, unless it must be used to identify responsible parties in the event of cybercrime committed which harms the Website or third parties, in which case information on web contacts may be kept for a period of 7 (seven) days.
The devil is in the metadata. None of these things are inherently bad. But, together, they can paint a vivid picture of who and where you are. And I believe that any reasonable person would not expect their clothing or small leatherwork item to be capable of tracking them for marketing purposes.
NFC tags are designed for convenience, not security. With that in mind, if possible, turn off your NFC reader when you aren't using it. When you get an NFC tag notification, treat it as you would any unexpected link and use the same practices you already employ for email, DMs, SMS, or QR codes.
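To check what a tag would open before anyone taps the notification, the sketch below decodes the NDEF records that NFC tags commonly store and lists reasons to be cautious about each link. It is an added example, not part of the original post or any vendor's code. The tag bytes, the host `www.shop.example` and the function names are constructed for illustration, only a subset of URI prefix codes is included, and chunked records are not handled.

```python
from urllib.parse import urlsplit

# Subset of the NFC Forum URI identifier codes (first byte of a URI payload).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def parse_ndef(message: bytes):
    """Return (tnf, type, payload) for each record in an NDEF message."""
    records, pos = [], 0
    while pos < len(message):
        if pos + 2 > len(message):
            raise ValueError("truncated NDEF record")
        header, type_len, pos = message[pos], message[pos + 1], pos + 2
        n = 1 if header & 0x10 else 4      # SR flag: 1-byte payload length, else 4
        payload_len, pos = int.from_bytes(message[pos:pos + n], "big"), pos + n
        n = 1 if header & 0x08 else 0      # IL flag: an ID length byte is present
        id_len, pos = int.from_bytes(message[pos:pos + n], "big"), pos + n
        end = pos + type_len + id_len + payload_len
        if end > len(message):
            raise ValueError("truncated NDEF record")
        records.append((header & 0x07, message[pos:pos + type_len],
                        message[pos + type_len + id_len:end]))
        pos = end
        if header & 0x40:                  # ME flag: last record of the message
            break
    return records

def tag_links(message: bytes):
    """Expand each URI record (TNF 0x01, type 'U') into the link it opens."""
    links = []
    for tnf, rec_type, payload in parse_ndef(message):
        if tnf == 0x01 and rec_type == b"U" and payload:
            prefix = URI_PREFIXES.get(payload[0], f"(prefix code 0x{payload[0]:02x})")
            links.append(prefix + payload[1:].decode("utf-8", "replace"))
    return links

def review_link(url: str, expected_hosts: set):
    """List reasons to treat a tag's link like any other unexpected link."""
    parts = urlsplit(url)
    checks = [(parts.scheme != "https", "not https"),
              ((parts.hostname or "").lower() not in expected_hosts, "unexpected host"),
              (bool(parts.query), "query string may carry a tag identifier")]
    return [reason for failed, reason in checks if failed]

# Constructed sample: one short URI record, as a product tag might store it.
_payload = b"\x02shop.example/auth?tag=CONSTRUCTED-0001"
SAMPLE_TAG = bytes([0xD1, 0x01, len(_payload), 0x55]) + _payload
```

`tag_links(SAMPLE_TAG)` returns the link the notification would open; `review_link` takes that link plus the set of hosts you expect for the product.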
*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/nfc-and-rfid-explained-avast