NFC: How to protect consumers
I noticed recently that Clear Channel, the worldwide out-of-home advertising company, have announced that they are rolling out NFC and QRCode technologies to their global advertising panels.
This is of course great news for the NFC industry as well as for brand owners and consumers. Enabling digital advertising in a quick, simple and intuitive way will undoubtedly change the way consumers interact with brand promotions. The key term here is 'interact'. Advertising no longer 'shouts' at consumers and hopes they see it (and remember it) but can now invite them to interact with the campaign.
As I say, this is all great news; however, it does raise some interesting questions, not least in terms of security and the protection of consumers.
Typically an NFC tag or QRCode on a panel will direct a consumer to a web site or other piece of cloud content. In Clear Channel's case this is controlled by their 'Connect Mobile Platform', which allows brand owners to manage what content is presented to consumers' smartphones. So far so good!
What happens if someone places a new QRCode or NFC tag over the top of the official one?
Anyone with a decent colour printer could create a professional-looking NFC label or QRCode and stick it over the one on the panel. With just a quick look, most consumers would not detect the change. So now, when a consumer taps their smartphone on the tag or scans the QRCode, they will be directed to a potentially malicious website – and certainly not the one the brand owner intended!
There are ways to protect consumers.
During my time as chair of the NFC Forum Security Working Group we wrote a technical specification called the 'Signature RTD'. Its purpose was to protect consumers in exactly this scenario. By adding a digital signature to the data in the NFC tag or in the QRCode, the consumer could be protected. The digital signature proves that the data on the tag/QRCode is genuine and issued by a known and trusted organisation.
So, why isn't this used routinely in such applications?
Both NFC tags and QRCodes typically contain a URL to a web resource, so they can be scanned by most smartphones without the need for a specific app. Operating systems like Android and Windows 10 extract the URL and launch the browser, taking the consumer to the content referenced by the URL. So currently, even if a signature was added to the tag/QRCode, it would be ignored. What we need is support in operating systems for the Signature RTD. This needs an industry-wide willingness to support the use of the Signature RTD in smartphones, so that the signature is verified by the smartphone, which can then tell the consumer if the site is trusted or not.
Regardless of the industry hype surrounding the emergence of NFC, like any other technology it will not achieve its full potential and market penetration unless consumers have confidence in it, so it is in everyone's interest to make sure consumers have that confidence.
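The check described above, as an added example (not code from the NFC Forum specification or from any operating system): the phone verifies a signature over the tag's URL against issuers it already trusts before opening anything. The tag object, the trust store, the issuer names and the use of Ed25519 are assumptions for illustration; the real Signature RTD defines its own record layout and certificate handling.

```javascript
// Added example: simplified model of a signed tag, not the Signature RTD wire format.
const crypto = require('crypto');

// Constructed trust store: issuer name -> public key the phone already trusts.
const issuer = crypto.generateKeyPairSync('ed25519');   // hypothetical panel operator
const stranger = crypto.generateKeyPairSync('ed25519'); // key the phone has never seen
const trustStore = new Map([['panel-operator', issuer.publicKey]]);

// Issuer side: sign the exact bytes of the URL that will be written to the tag.
function makeTag(url, signerName, privateKey) {
  const signature = crypto.sign(null, Buffer.from(url, 'utf8'), privateKey);
  return { url, signer: signerName, signature };
}

// Phone side: decide what to tell the consumer before any browser is launched.
function checkTag(tag, store) {
  if (!tag.signature || !tag.signer) return 'unsigned';
  const key = store.get(tag.signer);
  if (!key) return 'untrusted-signer';
  const ok = crypto.verify(null, Buffer.from(tag.url, 'utf8'), key, tag.signature);
  return ok ? 'trusted' : 'bad-signature';
}

// Constructed sample tags.
const genuine = makeTag('https://brand.example/campaign', 'panel-operator', issuer.privateKey);
// Sticker that copies the genuine signature but carries a different URL.
const swappedUrl = { ...genuine, url: 'https://lookalike.example/campaign' };
// Sticker signed with an untrusted key while claiming the operator's name.
const forged = makeTag('https://lookalike.example/campaign', 'panel-operator', stranger.privateKey);
// Sticker signed under a name the phone does not know.
const unknown = makeTag('https://lookalike.example/campaign', 'someone-else', stranger.privateKey);
// Plain URL tag with no signature, as most tags and QRCodes are today.
const plain = { url: 'https://lookalike.example/campaign' };

// Returns one verdict per sample tag, in the order listed above.
function runDemo() {
  return [genuine, swappedUrl, forged, unknown, plain].map(t => checkTag(t, trustStore));
}
console.log(runDemo());
```

Only the first tag is reported as trusted; a phone that ignores the signature, as described above, would open all five URLs alike.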
It is up to all of us to make these things happen.
NFS have produced a whitepaper showing our view on this topic which can be downloaded from here