IEC TR 27563: Security Study of Contactless Communication — Threats and Countermeasures

Analyzing Security Challenges in Contactless Technologies including NFC, RFID, and Smart Cards

Security Landscape of Contactless Communication

Contactless communication technologies — including Near Field Communication (NFC), Radio Frequency Identification (RFID), and contactless smart cards — have become integral to modern life, enabling applications from mobile payments and access control to public transit ticketing and electronic passports. IEC TR 27563 provides a systematic security study of these technologies, analyzing the threat landscape, identifying vulnerabilities inherent to contactless interfaces, and recommending countermeasures to ensure the confidentiality, integrity, and availability of contactless transactions.

The report categorizes contactless systems into three operational domains: payment and financial services, identity and access management, and data transfer and configuration. Each domain presents unique security requirements and risk profiles. For instance, payment systems prioritize transaction integrity and non-repudiation, while identity systems emphasize authentication strength and privacy protection against tracking. The report’s domain-based analysis enables stakeholders to focus on the most relevant threats and controls for their specific application context.

Contactless systems face a fundamentally different threat model compared to contact-based interfaces. The wireless communication channel introduces risks such as skimming, eavesdropping, and relay attacks that have no equivalent in wired systems. Understanding these differences is the first step toward effective security design.

| Attack type | Threat level | Affected applications | Primary countermeasure |
|---|---|---|---|
| Skimming — unauthorized reading of card data | High | Payment, ID, Transit | Encrypted communication, short read range |
| Eavesdropping — intercepting communication | Medium | All contactless systems | Session encryption, secure channel |
| Relay (mafia fraud) attack | High | Payment, Access control | Distance bounding protocols, timed transactions |
| Cloning — duplicating card credentials | Critical | Access control, ID | Cryptographic authentication, PUFs |
| Denial of service — RF jamming | Medium | All contactless systems | Frequency diversity, error correction |
| Tracking — unauthorized location monitoring | Medium | ID, Transit | Randomized identifiers, anti-tracking protocols |

Relay attacks are particularly insidious because they can defeat strong cryptographic protections. The attacker simply relays messages between the legitimate reader and card without needing to decrypt them. Distance bounding protocols are the most effective countermeasure but remain challenging to implement in low-power devices.

Vulnerability Analysis and Attack Vectors

IEC TR 27563 conducts a rigorous vulnerability analysis across multiple layers of the contactless protocol stack. At the physical layer, vulnerabilities arise from the inherent broadcast nature of radio frequency communication — any device within range can potentially intercept or inject signals. The report examines modulation schemes, frequency bands, and signal encoding methods to identify which physical-layer parameters offer inherent security advantages. For example, systems operating in the HF band (13.56 MHz HF RFID) typically have short read ranges that provide some natural protection against long-distance eavesdropping, while Ultra-High Frequency (UHF) systems offer longer ranges that increase the attack surface.

At the protocol and application layers, the report analyzes authentication protocols, encryption schemes, and data formats commonly used in contactless systems. Particular attention is given to lightweight cryptography suitable for resource-constrained contactless devices, including the analysis of ISO/IEC 29192 lightweight cryptography standards. The report also examines implementation vulnerabilities such as insecure random number generation, improper session management, and side-channel attacks that exploit timing variations or power consumption patterns during cryptographic operations.

The report concludes that properly implemented contactless systems using strong cryptography (AES-128 or higher) with secure key management can achieve security levels comparable to contact-based systems. The key differentiator is the quality of implementation rather than the contactless interface itself.

Countermeasures and Best Practice Recommendations

Based on the comprehensive threat and vulnerability analysis, IEC TR 27563 provides a structured set of countermeasures organized by security objective. For confidentiality, the report recommends end-to-end encryption with session-specific keys, combined with physical-layer protections such as shielded cards and limited read ranges. For integrity, cryptographic message authentication codes (MACs) and transaction sequencing prevent tampering and replay attacks. For availability, the report recommends frequency agility, adaptive power management, and redundant reader deployment in critical applications.
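To make the integrity recommendation concrete, the following is an added example (not from IEC TR 27563 or any payment specification) of a reader-side check that combines a MAC over every transaction field with a strictly increasing per-card counter. The field layout, session key and card UID are constructed for the example, and HMAC-SHA256 stands in for whatever MAC the deployment actually uses (AES-based MACs are typical on cards).

```python
"""Reader-side integrity and anti-replay check for a contactless transaction.

Added example, not from IEC TR 27563 or any payment specification. A transaction
is accepted only if (1) its MAC over every authenticated field verifies under the
session key and (2) its counter is strictly greater than the last counter accepted
for that card. The field layout, key and UID below are constructed values.
"""
import hashlib
import hmac
import struct

# Constructed 128-bit session key; in practice derived per session from the card's key.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def encode_transaction(card_id: bytes, counter: int, amount_cents: int) -> bytes:
    """Fixed-width serialization so the MAC input cannot be reinterpreted (no field ambiguity)."""
    return card_id + struct.pack(">IQ", counter, amount_cents)


def mac_transaction(key: bytes, card_id: bytes, counter: int, amount_cents: int) -> bytes:
    """Card side: tag covering the card identity, the counter and the amount."""
    return hmac.new(key, encode_transaction(card_id, counter, amount_cents), hashlib.sha256).digest()


class TransactionVerifier:
    """Reader side: remembers the highest counter accepted per card."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter: dict[bytes, int] = {}

    def verify(self, card_id: bytes, counter: int, amount_cents: int, tag: bytes) -> str:
        expected = mac_transaction(self.key, card_id, counter, amount_cents)
        # Constant-time comparison so a forger learns nothing from response timing.
        if not hmac.compare_digest(expected, tag):
            return "REJECT: bad MAC"
        # Sequencing runs only on authenticated data: a higher counter cannot be forged without the key.
        if counter <= self.last_counter.get(card_id, -1):
            return "REJECT: replay"
        self.last_counter[card_id] = counter
        return "ACCEPT"


def demo() -> list[str]:
    """Four messages as seen by one reader; returns the verifier's verdict for each."""
    verifier = TransactionVerifier(SESSION_KEY)
    card = bytes.fromhex("04a1b2c3d4e5f6")                 # constructed 7-byte UID
    tag1 = mac_transaction(SESSION_KEY, card, 1, 1250)
    verdicts = [verifier.verify(card, 1, 1250, tag1)]        # genuine first transaction
    verdicts.append(verifier.verify(card, 1, 1250, tag1))    # identical message seen a second time
    verdicts.append(verifier.verify(card, 2, 125000, tag1))  # amount altered in transit, old tag
    tag2 = mac_transaction(SESSION_KEY, card, 2, 1250)
    verdicts.append(verifier.verify(card, 2, 1250, tag2))    # next genuine transaction
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the two checks matters: the counter is compared only after the MAC has verified, so the anti-replay state is updated from authenticated data alone, and the verifier's memory is per card, which is what makes "strictly greater than the last accepted counter" a meaningful rule when many cards share one reader.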

The report also addresses the human factors dimension of contactless security, recognizing that user behavior significantly impacts overall system security. Recommendations include user education on contactless risks, visual and audible transaction confirmation indicators, and the implementation of user-verifiable device authentication (such as comparing displayed transaction amounts before tapping).

One of the most overlooked vulnerabilities in contactless systems is the lack of proper key management for the millions of deployed cards and readers. Compromised master keys can undermine the security of an entire deployment. The report strongly recommends hardware security modules (HSMs) for key generation and storage, along with secure key diversification schemes.
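The key diversification the report recommends can be illustrated with the following added example (not the report's own scheme): a key server standing in for the HSM holds the master key and hands each card only a key derived from the master key and the card's UID, so a reader authenticates any card by re-deriving its key on the fly and a compromised card key exposes neither the master key nor any sibling card. HMAC-SHA256 truncated to 128 bits is used as the derivation function for clarity; AES-based derivations such as CMAC are more common on real cards. The master key, UIDs and `purpose` label are constructed values.

```python
"""Per-card key diversification behind an HSM boundary.

Added example, not the report's own scheme. The master key lives only in
KeyServer (standing in for an HSM); each card is personalized with a key derived
from the master key and the card's UID, so one compromised card key reveals
neither the master key nor any other card's key, and the reader needs no key
store of its own. The KDF here is HMAC-SHA256 truncated to 128 bits; keys, UIDs
and the "auth" purpose label are constructed values.
"""
import hashlib
import hmac
import secrets


class KeyServer:
    """Models the HSM: holds the master key and exposes only derivation, never the key itself."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key

    def derive_card_key(self, uid: bytes, purpose: bytes = b"auth") -> bytes:
        # The purpose label gives domain separation: the auth key is never the same as, say, a data key.
        return hmac.new(self._master, purpose + b"|" + uid, hashlib.sha256).digest()[:16]


def personalize(server: KeyServer, uid: bytes) -> bytes:
    """Issuance: the card receives only its own diversified key."""
    return server.derive_card_key(uid)


def card_response(card_key: bytes, challenge: bytes) -> bytes:
    """Card side: prove possession of the diversified key without revealing it."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


def reader_authenticate(server: KeyServer, uid: bytes, challenge: bytes, response: bytes) -> bool:
    """Reader side: re-derive the expected key from the presented UID and check the response."""
    expected = card_response(server.derive_card_key(uid), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    server = KeyServer(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))  # constructed master key
    uid_a, uid_b = bytes.fromhex("04112233445566"), bytes.fromhex("04aabbccddeeff")
    key_a, key_b = personalize(server, uid_a), personalize(server, uid_b)
    challenge = secrets.token_bytes(16)  # fresh per authentication, so responses cannot be reused
    return {
        "keys_differ": key_a != key_b,
        # Genuine card A answers under its own UID with its own key.
        "genuine": reader_authenticate(server, uid_a, challenge, card_response(key_a, challenge)),
        # Card A's UID presented, but the response was computed with card B's key:
        # the reader's re-derivation for uid_a does not match, so the card is rejected.
        "wrong_key": reader_authenticate(server, uid_a, challenge, card_response(key_b, challenge)),
    }


if __name__ == "__main__":
    print(demo())
```

Because derivation is one-way, recovering the master key from any number of card keys is as hard as breaking the underlying MAC, which is the property that lets a single master key safely serve millions of cards as long as that master key never leaves the HSM.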

Frequently Asked Questions

Q: Are contactless payments secure?
A: Yes, when properly implemented. Modern contactless payment systems employ dynamic data authentication, transaction-specific cryptograms, and multiple layers of encryption. The risk of successful fraud is extremely low compared to the convenience benefits.
Q: Can contactless cards be read through wallets or clothing?
A: Standard contactless cards have a read range of approximately 4-10 cm. While reading through thin materials is possible, the effective range and success rate decrease significantly with distance and intervening materials. RFID-blocking wallets provide additional protection for concerned users.
Q: What is a relay attack and how is it prevented?
A: A relay attack involves an attacker extending the communication range between a legitimate reader and card using two radio devices. Prevention methods include distance bounding protocols that measure round-trip signal time to verify physical proximity, and requiring user interaction (such as PIN entry) for high-value transactions.
Q: How does IEC TR 27563 relate to EMVCo specifications?
A: The report references EMVCo contactless specifications as an example of a well-designed security framework while also identifying areas where additional security controls may be needed based on specific threat models and risk assessments.
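The distance bounding countermeasure named in the threat table above and in the relay attack answer can be shown with the following added example, which is not from the report or any standard. It follows the shape of the Hancke–Kuhn protocol: reader and card derive two response registers from a shared key and fresh nonces, then run a series of rapid one-bit challenge/response rounds, and the reader accepts only if every response bit is correct and every round-trip time fits the bound implied by the maximum allowed distance. Time is simulated in nanoseconds so the example is deterministic; the key, nonces, challenge seed and delay figures are constructed values.

```python
"""Distance-bounding check in the Hancke-Kuhn style (added example, not from the report).

Slow phase: both sides derive two n-bit registers R0 and R1 from the shared key
and the session nonces. Rapid phase: for each challenge bit c_i the card answers
with bit i of R_c. The reader rejects a session if any bit is wrong OR any round
trip exceeds the time a signal needs to travel to the maximum allowed distance
and back, plus the card's fixed processing time. Timing is simulated.
"""
import hashlib
import hmac

SPEED_OF_LIGHT_M_PER_NS = 0.2998  # propagation in air, metres per nanosecond
N_ROUNDS = 32                     # a prover guessing every bit succeeds with probability 2^-32


def response_registers(key: bytes, reader_nonce: bytes, card_nonce: bytes, n: int = N_ROUNDS):
    """Slow phase: identical R0 and R1 on both sides, derived from key and nonces."""
    digest = hmac.new(key, reader_nonce + card_nonce, hashlib.sha256).digest()
    bits = "".join(f"{byte:08b}" for byte in digest)
    return bits[:n], bits[n:2 * n]


def challenge_bits(seed: bytes, n: int = N_ROUNDS) -> str:
    """Reader's challenge bits; unpredictable to the card in practice, derived from a constructed seed here."""
    return "".join(f"{byte:08b}" for byte in hashlib.sha256(seed).digest())[:n]


class Card:
    """Prover: answers each challenge bit from the matching register after a fixed processing delay."""

    def __init__(self, key: bytes, processing_ns: float = 40.0) -> None:
        self.key = key
        self.processing_ns = processing_ns  # constructed figure
        self.r0 = self.r1 = ""

    def start_session(self, reader_nonce: bytes, card_nonce: bytes) -> None:
        self.r0, self.r1 = response_registers(self.key, reader_nonce, card_nonce)

    def rapid_response(self, i: int, challenge_bit: str) -> str:
        return (self.r1 if challenge_bit == "1" else self.r0)[i]


class Reader:
    """Verifier: checks every response bit and every round-trip time against the distance bound."""

    def __init__(self, key: bytes, max_distance_m: float = 1.0, card_processing_ns: float = 40.0) -> None:
        self.key = key
        # Bound = card processing + signal out and back over the largest distance we will accept.
        self.rtt_bound_ns = card_processing_ns + 2 * max_distance_m / SPEED_OF_LIGHT_M_PER_NS

    def run(self, card: Card, distance_m: float, relay_delay_ns: float = 0.0) -> dict:
        reader_nonce, card_nonce = b"\x10" * 8, b"\x20" * 8  # constructed; fresh per session in practice
        card.start_session(reader_nonce, card_nonce)
        r0, r1 = response_registers(self.key, reader_nonce, card_nonce)
        bad_bits = slow_rounds = 0
        for i, c in enumerate(challenge_bits(b"constructed-challenge-seed")):
            expected = (r1 if c == "1" else r0)[i]
            # Simulated round trip: propagation both ways, card processing, plus any forwarding latency.
            rtt_ns = 2 * distance_m / SPEED_OF_LIGHT_M_PER_NS + card.processing_ns + relay_delay_ns
            if card.rapid_response(i, c) != expected:
                bad_bits += 1
            if rtt_ns > self.rtt_bound_ns:
                slow_rounds += 1
        return {"accepted": bad_bits == 0 and slow_rounds == 0,
                "bad_bits": bad_bits, "slow_rounds": slow_rounds}


def demo() -> dict:
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed shared key
    reader = Reader(key)
    genuine = reader.run(Card(key), distance_m=0.05)
    # The legitimate card is 200 m away and its frames are forwarded by relay hardware
    # that adds 500 ns: every answer is correct, yet every round is too slow.
    relayed = reader.run(Card(key), distance_m=200.0, relay_delay_ns=500.0)
    # A card close by that does not hold the key: fast, but its bits are effectively random.
    wrong_key = reader.run(Card(bytes(16)), distance_m=0.05)
    return {"genuine": genuine, "relayed": relayed, "wrong_key": wrong_key}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The numbers make the report's caveat tangible: with a 1 m bound the whole timing budget above the card's processing time is under 7 ns, so the reader must resolve round trips at nanosecond precision and the card must answer with essentially no jitter, which is why distance bounding is hard to realize on low-power tags even though the logic itself is simple.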
