Fintech Mobile & Online Security

At last, NDEF

Written by Dave Birch

It took a while for undeniably convenient NFC tags to be embraced by iOS and Android, says Dave Birch, but this is a big deal.

A decade ago, I remember writing that one of the problems with QR codes is that there’s no security. Some years later I wrote an article pointing out that NFC ought to be safer than QR codes because NFC included a standard for digitally signing tags (though I did also note that no one used it), whereas anyone could easily create bogus QR codes.

“Well, I might not go so far as to call [QR codes] evil, but they certainly have the potential to enable person or persons unknown to act with evil intent.”

I suggested, in connection with a couple of projects we were working on at the time, that the mobile operators do something about this by creating a digital signature standard for QR codes so that phones could be set by default to ignore unsigned codes. None of this happened, as I’m sure you are aware, and QR codes became popular precisely because any app could read any code anywhere.

The security problem never went away, though. I notice in the South China Morning Post that in March 2017 some CNY 90m was stolen via QR code scams in Guangdong alone (a suspect in the case replaced merchants’ legitimate barcodes with fake ones that embedded a virus to steal personal information) and that in China as a whole, a quarter of viruses and trojans come in via QR. Despite the incredible success of QR there, we need to do better.

Even the man who invented QR codes says that they are an interim technology.

Now, also back in the day, I had originally assumed that Apple would add NFC to the iPhone. I was wrong about this for years, so eventually I assumed that they were going to bypass the technology and go to Bluetooth. Yet, what I said at the time still holds: NFC is undeniably convenient: “NFC is a convenience technology, and Apple loves convenience.”


I wasn’t just guessing about this, I was drawing on Consult Hyperion’s early experiences with NFC (remember the Nokia 6131?) of tag reading and writing, including not only the usual payments and ticketing stuff, but also such fun applications as getting information about clothes at London Fashion Week. I also noted surveys at the time that showed that NFC generated better results for merchants, but only once consumers could get it working. As my good friend Osama Bedier, then head of Google Wallet, pointed out, this was some barrier because of the amount of “futz” it took to get NFC working.

But there was another reason I was so interested in NFC as a QR alternative back in those days. To go back to the security point, I was interested in the standard for adding digital signatures to NDEFs (the ‘NFC Signature RTD Technical Specification‘) to build a safe tag infrastructure. After hawking this around a few different projects (to general disinterest), I figured that the telcos weren’t interested in using it to deliver secure infrastructure, so I said

“Someone else will build this business (Apple? They seem to be getting all sorts of NFC-related patents at the moment) and then the operators will once again complain about being pipes. Is Tom Noyes right to say that, ‘Apple and Google will be further ahead in coordinating value in new networks’?”

Well, well. Tom was right as usual, even if it took a few years for the hand to play out. At WWDC, Apple announced that iOS 11 will indeed include the ability to read NDEF data from tags:

Using Core NFC, you can read Near Field Communication (NFC) tags of types 1 through 5 that contain data in the NFC Data Exchange Format (NDEF).

So now, more than a decade after our first NFC experiments, both IOS and Android can read standard tags and action them. I want to make a couple of quick points about this before I head off down to our Hyperlab and see what our developers make of the new toolkit.

First of all, this technology will inevitably be used for triggering in-app payments that work in a very convenient way for consumers. Instead of having to open your Tesco PayQwiq app and scan a code from the POS, the POS will function as a tag (and remember it can potentially rewrite a dynamic tag on the fly): you can just tap the phone on the POS and the operating system will automatically open the PayQwiq app and route the data to it.

Secondly, since tags are inexpensive, they will be used for a variety of different applications. Tickets for pop concerts, information about products, name badges, all sorts of things that can be read by a phone rather than by a specialist reader. Therefore, I expect new standards for NDEF content to spring up. One of my favourite apps back in the day was a phone number tag that men could put in their back pocket at a nightclub: admirers could wave their phone in an appropriate area to get the number and send a text message. Here we are trying experiments with different types of clothing (which turned out to have very different NFC-friendly characteristics!) a decade ago.

Lastly, note that NFC tags can be read through packaging. Unlike QR codes that need to be printed on the outside of a box, tags can be inside. Where would this matter? Well, take a current UK example. Cigarettes now have to be in plain packaging. Tobacco companies don’t like this (for obvious brand reasons), but they do have a point: plain packaging makes life easier for counterfeiters. So suppose packs had a cheap tag inside, then your phone could tell you whether you’ve got real Marlboro or a knock-off. You download the Marlboro app, and from then on when you tap a pack – if the app doesn’t pop up with a big green tick, you know you’ve been done. I’ve written about this sort of thing before (for example, wine and whiskey) so it’s hardly a new idea.

Note, however, that iOS 11 also includes ARKit to add augmented reality, so when you look at your pack of plain cigarettes through your app (after you’ve tapped, so the phone reads the tag and knows that they’re real Marlboro), you don’t see plain packaging any more you see … well whatever.

Reality and augmented reality. Image by Dave Birch.

All in all, Apple’s announcement – whether the culmination of a clever plan or a response to Android market share – is a big deal. I found a whole bunch of blank NFC tags in my desk drawer, so I’m off to start programming them now.

READ NEXT: How to fix NFC and help it go mainstream

– This article is reproduced with kind permission. Some minor changes have been made to reflect BankNXT style considerations. Read more here. Photo by lucadp,

About the author

Dave Birch

David GW Birch is an author, adviser and commentator on digital financial services. He is Global Ambassador for Consult Hyperion (the secure electronic transactions consultancy that he helped to found), Technology Fellow at the Centre for the Study of Financial Innovation (the London-based think tank) and a Visiting Professor at the University of Surrey Business School. He is an internationally recognised thought leader in digital identity and digital money, and was named one of the global top 15 favourite sources of business information by Wired magazine.

Leave a Comment