Re: [web-nfc] "A Better Q"

@Liryna wrote:
> NFC is not made to be secure. Do not expect to use it for banking or any data that requires a secure transaction. Even with a context or unique data, the transaction can be caught and replayed by anyone.

This is how most QR based schemes work today:

1. The user wants to log in or has reached a Web page asking for a payment
2. The service offers a (preferably one-time) QR code in a Web page
3. The user starts a QR enabled application
4. The application scans the QR code aided by the user doing the focusing
5. The QR enabled application performs the authentication or transaction using OOB communication based on the read QR data

An attacker standing behind the user or having a telescope can indeed take over the session after step 2. NFC would make this harder but, as you say, not impossible. However, such an attack is (AFAICT...) not extremely useful, because it either authenticates the attacker or lets him/her pay.

-- 
GitHub Notification of comment by cyberphone
Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/128#issuecomment-306182806 using your GitHub account

Received on Monday, 5 June 2017 13:07:35 UTC