Securing Digital Identity: How PKI Mitigates FlipperZero NFC and RFID Threats

The concern over identity theft and fraud is rising in today’s rapidly evolving digital landscape. As technology advances, fraudsters are finding new ways to exploit vulnerabilities. One technology that has gained attention is FlipperZero, a versatile device with NFC and RFID capabilities that can be used for malicious purposes.

According to a report by Juniper Research, online payment fraud is estimated to cost the global economy $48 billion by 2023. NFC and RFID technologies enable contactless communication between devices and are not immune to fraudulent activities.

A study by the University of Surrey found that NFC-enabled smartphones are vulnerable to eavesdropping, data modification, and replay attacks. Additionally, the RFID Research Center at the University of Arkansas discovered that RFID systems are susceptible to cloning attacks and unauthorized access.

Identity theft and fraud complaints related to NFC and RFID technology increased by 50% from 2019 to 2020, according to the Federal Trade Commission (FTC). This significant rise indicates the growing concern and impact of fraudulent activities utilizing these technologies.

These statistics highlight the need for increased awareness and vigilance regarding NFC and RFID technology and the potential risks associated with devices like FlipperZero. Individuals and organizations must stay informed about the latest security measures and best practices to protect against identity theft and fraud in this digital age.

FlipperZero, NFC and RFID Technologies

FlipperZero, created by Pavel Zhovner, is a versatile tool for hackers and enthusiasts interested in physical and wireless security testing. This device offers many features, including NFC and RFID capabilities.

With FlipperZero, users can assess and compromise various radio and wireless signals, making it incredibly useful for testing security systems. This device is open-source and highly customizable, allowing users to enhance its core features or add new ones.

NFC allows wireless communication over short distances, while RFID enables identification and tracking using radio waves. Although these technologies have numerous applications, they pose risks, such as cloning and replaying access badges, capturing and copying wireless network signals, and attacking enterprise systems.

Raising threat for Access control and Fintech

Fraudsters can exploit FlipperZero’s NFC and RFID capabilities to forge and copy identity documents, posing significant threats to banks and authorities. Here are some of the main risks associated with this technology:

1. Identity Document Forgery: FlipperZero’s NFC and RFID features can clone various identity documents supplied with a chip like a driver’s license. Fraudsters can access personal data stored within these documents to create counterfeit versions that are difficult to distinguish from genuine ones. This poses a serious threat to banks and authorities responsible for verifying the authenticity of these documents.

2. Unauthorized Access to Personal Data: With FlipperZero, fraudsters can gain unauthorized access to personal data stored on NFC-enabled devices, such as smartphones and contactless payment cards. This data can be used for identity theft, allowing criminals to impersonate individuals and carry out fraudulent activities, including unauthorized financial transactions.

3. Increased Sophistication of Attacks: As technology evolves, so do the methods used by fraudsters. FlipperZero’s versatility and advanced features provide criminals with new opportunities to exploit vulnerabilities in the fintech industry. This includes sophisticated attacks like skimming, where fraudsters intercept and collect sensitive information from contactless payment cards using NFC capabilities.

The consequences of identity fraud can be severe. According to a 2020 report by Javelin Strategy & Research, identity fraud in the United States alone resulted in losses of $16.9 billion in 2019, affecting around 14.4 million individuals. 

Account takeover fraud, where fraudsters gain access to someone’s account and make unauthorized transactions, increased by 72% in 2019.

Banks and authorities face significant risks regarding FlipperZero technology due to using NFC access cards that do not incorporate Public Key Infrastructure (PKI).

Almighty PKI: Preventing Access Card Forgery

The conventional workflow of an access card involves the following:

• A person is approaching the reader;
• Removing the card from their pocket;
• Placing it close to the reader.

However, FlipperZero disrupts this workflow by acting as both the reader and the card. When FlipperZero is brought near the card, it reads the signal from the card’s antenna and retrieves the data from the chip. It stores a duplicate of the data inside its chip. 

So, the next time FlipperZero is placed near a reader, it sends the copied data to the reader, mimicking the behavior of an NFC access card and system without awareness of letting the fraudster pass.

Implementing Public Key Infrastructure (PKI) becomes crucial to prevent this attack. PKI is a set of tools and practices designed to protect sensitive information during transmission or storage in electronic systems. It establishes trust between parties, prevents unauthorized access and tampering, and enables secure interactions and transactions in the digital realm.

With PKI-based access cards, FlipperZero cannot copy data. A PKI-based access card workflow involves a person approaching the reader, entering a PIN code in the terminal, and then placing the card near the reader. PKI-based cards incorporate two-factor authentication, combining the card with the PIN code.

Even if a hacker somehow manages to obtain the PIN code, they would not be able to gain access if they have the entirely copied data stored on the Flipper device. The data storage is within the Flipper device, resulting in different hashes.

The system would detect this discrepancy and prevent access. Even if the hacker tries to write the copied data onto another NFC card, it will not work because the data has been moved or replicated, resulting in changed hashes that render the organization’s private key ineffective.

National Public Key Directory: how it prevents the fraud

The National Public Key Directory (NPKD) is a comprehensive and centralized repository for digital certificates issued by government authorities. These certificates are crucial in ensuring the security and authenticity of online transactions and communications. 

By maintaining a centralized repository, NPKD streamlines the process of verifying the validity of digital certificates, promoting trust and confidence among users.

Government authorities issue these certificates to individuals and organizations, enabling them to authenticate their identities and protect sensitive information securely. With NPKD, users can easily access and verify the digital certificates they receive, mitigating the risk of fraud or unauthorized access.

The repository is regularly updated and monitored to ensure the integrity and reliability of the certificates it contains.

By cross-referencing identity documents with the NPKD, Mob.id verifies the authenticity and integrity of the documents, offering an additional layer of security and trust.

Mob.id, in addition to its other functionalities, serves as a PKI-based access card on mobile phones. It encrypts the content and signal of the virtual access card using a private key, which can be decrypted by the system using the corresponding public key.

By leveraging PKI and its associated security measures, such as multi-factor authentication (MFA)  and encrypted communication, Mob.id offers enhanced protection against FlipperZero attacks. 

Implementing Mob.id within the fintech industry ensures that digital identities remain secure and trustworthy, mitigating the potential threats posed by FlipperZero’s NFC and RFID capabilities.

Advantages of Mob.id for Access control industry

PKI-based cards are a formidable foundation for your organization, as does Mob.id technology. 

Having in place PKI, we eliminate any opportunity for hackers with FlipperZero or any other transponder that can capture signals from chips of access cards and try to replicate them to bypass the security system. 

The difference between Mob.id’s digital pass and a PKI access card is that you don’t need to purchase and set up access cards. 

Mob. id’s Digital identity is stored decentralized on an employee’s phone and protected within the keychain technology of the phone itself. 

Whenever an employee moves, they always have a strong MFA access card stored in their smartphone protected from hackers with FlipperZero.

As fintech businesses navigate the evolving landscape of digital security, it is crucial to consider the implementation of Mob.id. By adopting this cutting-edge identity verification solution, companies can enhance their security measures and protect themselves from the potential threats posed by FlipperZero and similar technologies. Prioritizing the security of digital identities is vital to building trust and ensuring a successful future in the fintech industry.