What is one-time link fraud on authentication NFC tags?

Can a single link be copied from authentication tags onto standard tags?
Reader - 12 Feb 2023
Answers
One-time link fraud on authentication tags is where a valid link (with auth code) is scanned from an authentication NFC tag (such as an NTAG424) and is copied to a standard tag. During this process, the copied link is _not_ authenticated on the authentication server and therefore is still 'valid'.

The first time the standard tag is then scanned, the code will validate, as the authentication server will not have seen it before and it will be a valid code generated by a valid authentication tag.

However:

1. The second time the standard tag is scanned, it will fail authentication.

2. If the auth tag is scanned correctly before the standard tag is used, the standard tag will fail authentication.

3. It would be pointless to scan more than one auth code and copy in this way - unless you knew for sure the order in which the copied tags were going to be scanned. This is because any scan of a later code will invalidate all the previous codes.

So the question raised is whether this is a 'flaw' or not. And the answer is that it depends on the use case. In some ticketing instances or single-use vouchers, it may be. In the majority of other cases, it won't, as any duplicate scans will highlight the problem instantly.

Importantly, to exploit the flaw, access to the original genuine tag is required so that a scan can be retrieved. Therefore, for example, to create a fake tag in a fake handbag, the original genuine handbag would be required. And even then, any scan of the original or double scan of the fake will render the whole process pointless.

Essentially, a double scan is all that is required, and for anti-counterfeit use cases this flaw is unlikely to be of any issue at all.

Our ixkio tag management software is designed with built-in intelligent scan monitoring. If the software considers any risk to a scan due to unusual activity, it will ask the user to scan again. In doing so, any one-time fraud will be instantly detected.
Seritag - 12 Feb 2023
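
The server-side behaviour described in the answer above, as an added example that is not part of the original answer and is not Seritag's or ixkio's code. It assumes a simplified model: an HMAC-SHA256 stands in for the tag's real MAC, and the URL layout, key and class names (`AuthTag`, `AuthServer`) are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

def _mac(key: bytes, uid: str, ctr: int) -> str:
    # Stand-in for the tag's real MAC (assumption: HMAC-SHA256, truncated).
    return hmac.new(key, f"{uid}:{ctr}".encode(), hashlib.sha256).hexdigest()[:16]

class AuthTag:
    """Constructed model of an authentication tag: secret key plus scan counter."""
    def __init__(self, uid: str, key: bytes):
        self.uid, self._key, self._ctr = uid, key, 0

    def scan(self) -> str:
        # Every tap increments the counter, so every tap yields a new link.
        self._ctr += 1
        mac = _mac(self._key, self.uid, self._ctr)
        return f"https://auth.example/t?uid={self.uid}&ctr={self._ctr}&mac={mac}"

class AuthServer:
    """Accepts a code only if its counter is above the highest one already seen."""
    def __init__(self, keys: dict):
        self._keys = keys
        self._last = {}    # uid -> highest counter accepted so far
        self.alerts = []   # (uid, ctr) of every rejected replay, for monitoring

    def verify(self, url: str) -> str:
        q = parse_qs(urlsplit(url).query)
        try:
            uid, ctr, mac = q["uid"][0], int(q["ctr"][0]), q["mac"][0]
        except (KeyError, ValueError):
            return "invalid"
        key = self._keys.get(uid)
        if key is None or not hmac.compare_digest(mac.encode(), _mac(key, uid, ctr).encode()):
            return "invalid"
        if ctr <= self._last.get(uid, 0):
            self.alerts.append((uid, ctr))   # duplicate or stale code: flag it
            return "replayed"
        self._last[uid] = ctr
        return "valid"

if __name__ == "__main__":
    tag = AuthTag("TAG1", b"constructed-demo-key")
    server = AuthServer({"TAG1": b"constructed-demo-key"})
    copied = tag.scan()               # link read once and written to a standard tag
    print(server.verify(copied))      # first scan of the copy
    print(server.verify(copied))      # second scan of the same copy
    print(server.verify(tag.scan()))  # genuine tag still produces fresh codes
```

Because the server keeps only the highest counter it has accepted per tag, a single later scan of the genuine tag retires every earlier code, which is why the `alerts` list is the signal to monitor.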