I was on a recent subway trip in New York City, when I noticed that NFC (near field communication) scanners had been installed in most of turnstiles at the Grand Central Terminal stop. These will allow commuters to use credit cards, debit cards, or devices using digital wallets to simply tap the scanners to pay their fares. By 2023 the NFC method of payment will replace the swipe card system—in which customers recharge dedicated transit authority-issue cards on a monthly, weekly or per-ride basis—that has been in place for the past fifteen years or so.
Anyone who rides the train in the Big Apple knows that the proprietary transit cards are a huge hassle. Their strips in back are easily damaged with repeated use. The scanners constantly malfunction because accumulated subway gunk and thousands of daily swipes knock their magnetic readers of whack.
Hence, my first thought on seeing the NFC scanners was, “Cool. Here’s to technology. This is an improvement.” My second thought, which bumped up against that initial positive one like a harried New York commuter during rush-hour, was, “This is scary and dangerous.” Being an author of thrillers that involve cyber-crime and cyber-terrorism, my inevitable third was, “Man, this scary and dangerous and perfect for a story.”
As to that final bit of writerly damn-the-world selfishness: It’s no coincidence that I’d been having an email conversation with a digital security expert about NFC technology and its chilling potential for spreading a computer-bug pandemic. “Nothing scares our community more than NFC,” she said. I try to get a jump on upcoming technological trends with my books, and our exchanges about NFC eventually led me to retool a specific plot thread to include it, and dramatically show how the system could be exploited by malevolent hackers.
So what’s the beef with NFC?
An easy way to understand it is to imagine how a cold or flu spreads from person to person. Somebody at the workplace has the sniffles. He might be conscientious enough to cover his mouth when he sneezes. But unless he has paddles for hands—and large ones— some of the microbial germs in his bodily fluids are going to slip through his fingers into the air. He’s also using the coffee machine, and touching desks, counters, and other surface in common areas. Each instance presents a golden opportunity for the bug that’s infected him to make the hop to a co-worker.
In metropolitan areas like New York, Chicago, London, Paris, those opportunities are exponentially amplified by sheer population density, where physical contact with germ-carriers and the things they touch is nearly unavoidable. People bump into and brush against each other everywhere. Especially on those overcrowded trains I mentioned earlier. Every time a rider grips a pole or overhead rung, he’s at risk of picking up whatever tiny, invisible creepy-crawlies were transferred to that handhold by whoever used it before him, and the dozens of whoevers before him in their daily commutes. If you’re a germophobe, a packed subway car is an existential nightmare.
I have on my bookshelf several medical texts on the interhuman transmission of plagues and pestilences, some over a century old. Over years they’ve been of tremendous use to me as a writer of suspense fiction with technological elements. They help to define and clarify the parallels between binary and biological diseases and how they spread across a population. In fact, when it comes to disease vectors, it’s all the exactly same whether we’re talking about humans, animals or laptops and smart tablets.
Devices that typically don’t have the best, latest, most updated firewalls installed … are therefore the most vulnerable to malware infection, like your smartphone, smart watch, and your tablet.Biological pathogens spread through easy interaction—direct, proximate or even through a third-party carrier—between existing and potential hosts. As the number of hosts and carriers multiplies, so does your runny nose become a local outbreak of influenza and possibly a national or global pandemic. One important thing to bear in mind: the likeliest victims of disease are those with lowered immunological defenses: the very young, the elderly, individuals already weakened by present or prior health problems.
Bringing our discussion back to NFC, the idea behind it is all about facilitating easy, contactless interaction between electronic devices. Very critically, devices that typically don’t have the best, latest, most updated firewalls installed… are therefore the most vulnerable to malware infection, like your smartphone, smart watch, and your tablet.
Infect one of the above with malicious software, let it interact with an NFC subway scanner on the ride to the office, and it can become the Typhoid Mary of some new and destructive strain of computer virus. Infect five, ten or a hundred devices that will be held near or tapped against an NFC scanner on the subway—or supermarket checkout line, ATM machine or concert venue in the case of e-tickets—and you might have a real problem.
And what if the person holding the device deliberately wants to spread what one of my characters has called a Frankenbug? What if he (or she) has packed it with polymorphic malware code—a virus, worm or trojan designed to mutate and evolve, to change its characteristics and self-replicate?
The existence of that sort of digital organism isn’t jittery apocalyptic science fiction. It’s sobering modern reality. Cybersecurity researchers estimate that 97% of the computer bugs jumping about the Internet, including the ransomware that cost businesses eight billion dollars globally in 2018, are polymorphic. Like some dark chrysalis, they can start out as one sort of bug, hibernate, and change into another very different threat.
One might argue that I’m conjuring up an excessively anxious scenario here. That while your smartphone might not have the security software installed, it does have safeguards built into its operating system, and that flaws, weaknesses and vulnerabilities in those safeguards are regularly patched by manufacturer updates to the O/S.
This is true. This is good. It’s even a bit reassuring. But the success of this tactic assumes that the cybersecurity teams working to create the patches can stay ahead of the blackhat hackers who are endlessly, furiously breeding new bugs capable of eluding and evading detection. Malware breeders who are increasingly well financed are supported by criminals, terrorists, and hostile governments.
Finally, it assumes we’re talking about the smartest of the innumerable smart devices that are constantly connecting and handshaking and generally communicating over the Internet of Things. But let’s put aside the phones and tablets for a second and consider the peripheral gadgets and Internet-ready appliances that have become so commonplace in all our lives.
Newsflash: the so-called smartpen in your hand, smart crib in the baby’s room, and automatic barista in the kitchen are really pretty dumb and lack the capacity for even rudimentary firewalls. Which makes them prime targets for malware infection, and prime carriers.
Consider, then, that the next time you hold your phone to your NFC-enabled fridge to see if you’re low on milk or butter, then use the phone to place an order with an online supermarket, then head out to the local subway and tap the phone against an NFC turnstile scanner, you may be allowing some highly contagious designer computer virus to make at least three early jumps toward becoming the electronic equivalent of the Black Death.
It ought to be enough to make us look fondly back upon at the days when our pockets rattled heavily with copper subway tokens.
Well, okay.
Almost.
