NFC-CAP. Security Assessment

This paper examines the security aspects of an authentication mechanism for eBanking based on Near Field Communication (NFC), Chip Authentication Program (CAP) and Dynamic Passcode Authentication (DPA). In essence, this mechanism uses an NFC-enabled mobile phone and a contact-less or dual interface card to implement a variant of the CAP/DPA unconnected mode, where the mobile phone replaces the standalone Personal Card Reader (PCR) by communicating with the card using its NFC interface. The focus of this document is the security impact of replacing the PCR with the NFC mobile phone, and the contact-only smart card with a contact-less or dual interface smart card, rather than the protocols themselves defined by CAP/DPA.

By: D. A. Ortiz-Yepes

Published in: RZ3736 in 2009


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).

