
What is one-time link fraud on authentication NFC tags?

Can a single link be copied from authentication tags onto standard tags?
Reader - 12 Feb 2023
Answers
1
One-time link fraud on authentication tags is where a valid link (with auth code) is scanned from an authentication NFC tag (such as an NTAG424) and is copied to a standard tag. During this process, the copied link is _not_ authenticated on the authentication server and therefore is still 'valid'.

The first time the standard tag is then scanned, the code will validate as the authentication server will not have seen it before and it will be a valid code generated by a valid authentication tag.

However:

1. The second time the standard tag is scanned, it will fail authentication.

2. If the auth tag is scanned correctly before the standard tag is used, the standard tag will fail authentication.

3. It would be pointless to scan more than one auth code and copy in this way - unless you knew for sure the order in which the copied tags were going to be scanned. This is because any scan of a later code will invalidate all the previous codes.

So the question raised is whether this is a 'flaw' or not. And the answer is that it depends on the use case. In some ticketing instances or single use vouchers, it may be. In the majority of other cases, it won't as any duplicate scans will highlight the problem instantly.

Importantly, to exploit the flaw, access to the original genuine tag is required so that a scan can be retrieved. Therefore, for example, to create a fake tag in a fake handbag, the original genuine handbag would be required. And even then, any scan of the original or double scan of the fake will render the whole process pointless.

Essentially, a double scan is all that is required and for anti-counterfeit use cases, this flaw is unlikely to be of any issue at all.

Our ixkio tag management software is designed with built-in intelligent scan monitoring. If the software considers any risk to a scan due to unusual activity, it will ask the user to scan again. In doing so, any one-time fraud will be instantly detected.
Seritag - 12 Feb 2023
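The server-side behaviour described in the answer above can be modelled as follows. This is an added example, not Seritag's or ixkio's code: it assumes each link carries a tag UID, a scan counter and a code, and uses a truncated HMAC-SHA256 as a stand-in for the tag's real authentication code. The UID, key and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample UID and key; a real deployment holds per-tag keys server-side.
TAG_KEYS = {"04A1B2C3D4E5F6": b"constructed-demo-key"}
UID = "04A1B2C3D4E5F6"


def tag_code(uid: str, counter: int) -> str:
    """Stand-in for the code a genuine tag emits at a given scan counter."""
    msg = f"{uid}:{counter}".encode()
    return hmac.new(TAG_KEYS[uid], msg, hashlib.sha256).hexdigest()[:16]


class AuthServer:
    """Accepts a code only if it is genuine and newer than any code already seen."""

    def __init__(self):
        self.highest_seen = {}  # uid -> highest counter validated so far

    def validate(self, uid: str, counter: int, code: str) -> str:
        if uid not in TAG_KEYS:
            return "unknown-tag"
        if not hmac.compare_digest(tag_code(uid, counter), code):
            return "bad-code"
        if counter <= self.highest_seen.get(uid, 0):
            # Same or older code: a double scan or a copied link.
            return "replayed"
        self.highest_seen[uid] = counter
        return "valid"


def scenario_copy_scanned_twice():
    """Copied link reaches the server before the genuine tag is scanned again."""
    server = AuthServer()
    copied = (UID, 5, tag_code(UID, 5))  # read from the tag, never sent to the server
    return [server.validate(*copied), server.validate(*copied)]


def scenario_genuine_scanned_first():
    """Genuine tag is scanned (counter advances) before the copy is used."""
    server = AuthServer()
    copied = (UID, 5, tag_code(UID, 5))
    genuine = (UID, 6, tag_code(UID, 6))
    return [server.validate(*genuine), server.validate(*copied)]
```

Both scenarios end with the copied link rejected as a replay, which is why a second scan is enough to expose the copy.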