Security Protocol for NFC Enabled Mobile Devices Used in Financial Applications

The fostering of NFC in everyday tasks and with growth in applications involving contactless transactions based on NFC, there is a requirement from users and industry to address the security issues affecting mobile payments. The current NFC security standards are inadequate to address most of the security concerns such as privacy infringements, unauthorized access to financial data, theft of mobile data exchanged between terminal and mobile device. In this paper, we designed a NFC based security protocol for financial applications, which addresses security requirements holistically and provides local and remote mutual authentication, confidentiality, integrity and non-repudiation. After designing, we verified our protocol using Scyther and established that it protects against spoofing attack, man-in-the-middle attack, replay and skimming attacks. It ensures the secrecy of transaction data, privacy of the users and also ensures that only authenticated and authorized NFC device holder and PoS terminals are securely exchanging financial data to perform the transaction. Furthermore, we developed a prototype system using java technology to show that the solution is practical and works according to our verified and designed specification.