Paper and plastic money is passé. A technology called Near Field Communication (NFC) is set to enable making payments with the world’s favorite device: the cell phone. You’ll touch your phone to a reader at the gas station or the movie theater, and presto—transaction complete. The basic technology is similar to the contactless cards now issued by American Express, MasterCard, Visa, and others. Readers for those cards, already present in more than 50,000 stores in the United States, according to ABI Research, will also handle NFC transactions. But is a wireless tap a safe way to transmit payment details, and will NFC phones make it easier for corporations to build invasive profiles about us?
From Credit Cards to Clamshells
Tapping your phone on something might seem like a slippery way to disburse funds, but experts say it shouldn’t worry anyone who happily uses credit cards today. “The mobile [phone] payment systems that are being launched are credit card systems,” said David Birch, director of Consult Hyperion, a consulting company that specializes in electronic transactions. “You’re storing the data on a phone rather than a plastic card. It’s not a radical new system, and the risks are broadly comparable,” he said.
“It’s slightly different in that you have a wireless interface, so if things aren’t encrypted as they should be, there’s a chance of people listening in to it,” Birch said. However, some current NFC payment systems use encryption and security measures such as one-time transaction numbers. Even if someone managed to skim the data from afar (difficult, since NFC is made to work at touching distance), it would be useless, he said.
“When the first [contactless] cards came out, the security wasn’t terribly well evolved,” Birch said. Researchers consequently revealed dangerous security flaws in the systems. One such researcher was Kevin Fu, assistant professor at the University of Massachusetts Amherst. “I’m not aware of any independent testing agency that has openly evaluated the design or implementation of security in NFC phones,” Fu said. “Trust, but verify,” he advised.
Security Safety Nets
Because NFC phones allow software on the handset to interact with the payment system, “there is theoretically an increased security risk, so there needs to be other controls in place to mitigate those risks,” said Charles Golvin, principal analyst at Forrester Research. Golvin said that payment systems provide sufficient checks and balances to prevent rogue applications from causing problems, a view Birch agrees with. “I’m not convinced the risk is significantly higher [than with conventional payment systems],” said Golvin.
So what’s to keep you from accidentally paying for something by brushing against a payment point or being “robbed” by an unscrupulous NFC reader? It depends on the particulars of each system: In some cases, you must enter a PIN to authorize a transaction.
Some trials, including one by U.S.-based wireless carrier Cellular South, have used biometrically enabled phones to verify transactions. “The fingerprint reader that was used in the Cellular South trial offered a mix of convenience and security,” said Carl Temme, vice president of marketing for Atrua Technologies, the company that made the fingerprint scanners used in the trial. “By swiping your finger, you’re selecting the payment application, choosing the credit card you want to use, and you’re authenticating, in one step,” he said. Temme noted that biometrics are more secure than PINs since no one can copy the passcode.
Birch said that even if NFC payments are allowed with no verification at all, the stakes are low, since such transactions would be limited to small amounts. “You’ve been able to do that in the U.S. [with credit cards] for transactions under $25 for years, and I haven’t noticed the American banking system collapsing,” he said. “At least not for that reason.”
More Features Equals More Breadcrumbs?
NFC on phones is about a lot more than buying things at convenience stores. At minimum, expect electronic coupons and loyalty programs that reward spending with discounts or points, all stored on and accessed with the phone. “There’s a lot of ways NFC can enrich the sale,” said Emmett Higdon, senior analyst at Forrester Research. “That’s what’s going to drive adoption, not saying you can save 20 seconds at McDonald’s.”
NFC phones could also function as “e-tickets” on transit systems, a role already explored in a trial conducted by AT&T, Citigroup, MasterCard, and Nokia in New York that let users access the subway and pay over 600 merchants with their phones. Participants could tap NFC-enabled movie posters in theaters to read reviews about the film. “The overall feedback was, ‘Yeah, we want this,’” said Nokia’s Gerhard Romen, head of NFC market development, noting that 84 percent of participants said they’d like to continue using NFC phones.
These scenarios involve the phone becoming a hub through which a tremendous amount of personal information flows, and which theoretically reveals, at every touch point, where you are and what you’re doing. “It is much easier to organize and manage customer data if you have a single unique and consistent identity to refer to,” said Geir M. Køien, a researcher for Norwegian telecom Telenor who has studied the privacy issues resulting from contactless technologies. “There are some rather obvious privacy implications,” he said. “Big Brother, or his many smaller brothers, may easily be able to track you, over time and at will.” Pointing to the economic value and the security interest of this information, Køien said that more protective privacy laws, along with international cooperation on structuring them, are required to avoid the evolution of a highly invasive system.
Touch and Go
On the other hand, Forrester Research’s Golvin, who considers himself concerned about privacy, said, “Don’t assume that because all these transactions are being initiated by one particular device, that all that information is being aggregated into one particular stream.” Since different relationships are being navigated with the phone (credit card company, carrier, vendor), “that information isn’t coming and going to one giant profile,” he said. “It’s the same privacy risk you face today, with these entities out there having this information about your various transactions and comings and goings.” Golvin advised users to be concerned about those valid and ongoing privacy issues rather than focusing on new technology that doesn’t change the privacy equation much.
NFC is coming. It has a laundry list of backers, including many of the top phone, financial, silicon, and carrier companies in the world. ABI predicts that in 2012 more than 20 percent of phones in the U.S. will be NFC-enabled. From a privacy standpoint, NFC will demand scrutiny when it’s deployed commercially, not so much for its technological novelty, but because of its potential to concentrate personal information in our phones and widen the breadcrumb trail of revealing data points we leave behind in the course of our daily lives.