Category Archives: Security

Near Field Communication, QR codes and smart posters

Yesterday evening I went to the sixth round of Tech Talks in Bristol. One of the talks was on Near Field Communications (NFC) and, specifically, the use of NFC phones and “smart” posters.

What is Near Field Communication?

Near Field Communication (NFC) is just a set of standards that allows devices to establish radio communication between each other when they come into close proximity. A common example is that of NFC chips in credit cards which means you can just place them close to a payment terminal to make the payment (rather than having to swipe your card).

Many smart phones are NFC capable and the NFC also allows the phones to read passive Radio-frequency identification (RFID) tags. RFID tags can have URLs encoded in them so, when you touch your smart phone on the RFID tag your phone browser goes off to that web site.

Smart posters

There are many applications for NFC and RFID but the main application being discussed in the talk was within “smart” posters. The idea being that you place your passive RFID tag on the poster. Consumers then tap their phone on the relevant bit of the poster and they can then be directed to visit a web site, get a discount coupon, download your app etc, etc. The value to the advertiser would then be a means to request additional information from the user to identify who they are (often by means of them interacting with your web site or app).

I think my biggest question about smart posters is; who does this benefit?

It’s easy to suggest it’s good for the consumer. For example, by tapping the poster they might get a discount or they learn about what’s going on at a venue being advertised at that moment in time. However, are consumers motivated to go up to a poster and tap their phone against it to find out more? NFC only works over a short distance so the phone does have to be very close (within a few centimetres) to the poster.

Conventional posters need to be able to grab someone’s attention and give them all the information they need from a distance. Do smart posters offer enough incentive to change the “view from afar” behaviour?

Security

I’m also  concerned about the security of this sort of communication (and related things like QR codes). Tapping your phone against something means that you don’t know where the phone’s browser is being directed until you’re already there. You can lock RFID tags to prevent tampering with that particular tag but that’s not a solution. What would stop someone replacing the RFID tag on a poster altogether, that’s much easier than tampering with the one that’s there?

Consumers tapping their phone against a poster for some company might reasonably expect to then log in to that company’s site if they’re already a customer. An unscrupulous person replacing an RFID tag (or sticking a home printed QR code over the top of an original one) on a poster would be able to phish details and I think many consumers would struggle to spot that phishing was taking place.

It’s just my opinion but I think the only reason we’ve not seen more of this sort of behaviour to date is that QR codes and RFID/NFC (in this context) are not things that many people are commonly using. Consequently there’s little point in nefarious people spending any time exploiting them (yet). In some situations people are more motivated to use them but even then the numbers seem low. For example, there are 300 scans of QR codes per day for bus information in London but those buses carry 6 million passengers per day.

Aside from the security risk of phishing, would companies be happy to expose themselves to guerilla consumers? For example, a sufficiently motivated person might stick their own QR codes over the top of the ones on posters for, say, a coffee outlet that avoided paying tax. Their own codes might direct people to the website for an independent establishment close by. The change might go undetected for months.

Posters are a passive, fire-forget media and making them smart without having a mechanism to spot tampering is, I think, a big risk.

Advertisers only?

I do think that, in the context of smart posters etc, the technology predominantly benefits advertisers. They’re a means for them to extract information from potential customers in a largely passive manner and they can use the scan rates to determine what poster locations are popular. One other selling point is that advertisers can change the final location of where the consumer’s phone browser is sent without changing the RFID tag (presumably through simple redirection server-side). However, won’t the same poster in the same location for long periods of time mean that regular “passers by” will eventually start ignoring it? There is, of course, no outward indication that anything has changed.

Given how cheap it is to print large numbers of ‘normal’ posters I’d imagine the addition of an RFID tag would significantly raise that cost. As a result these posters would have to last many times longer to be cost effective. This isn’t the normal approach for posters as they are, by the nature of the material used, unlikely to last that long.

So, my view is that whilst NFC is great for contact-less payments etc and QR codes might be useful on things like food packaging I remain unconvinced about the idea of a smart poster. It does seem to predominantly benefit the advertiser; for it to work for consumers it requires a change in how they interact with posters and that seems unlikely to me.