17.12. Network Card Reader

A setup where a public and unattended IP device communicates with a central server is inherently prone to security breaches. Our Network Card Reader device is no exception to this rule.

Although SavaPage validates the reader's IP address, the reader could be replaced and mimicked. Also, since communication is non-SSL, the Card Number (UID) of swiped NFC Cards could be hijacked. However, since the only content transmitted is the Card Number, misuse will be limited to a Card Number being offered from an unexpected origin at an unexpected time. Since offered Card Numbers are always processed in well defined transient contexts with short time limits, the risk of unnoticed abuse can be considered minimal.

A security breach of a fundamentally different nature is the rare scenario where it is possible to manipulate the UID of an NFC Card. A hacker could then use the hijacked card number to make a duplicate authentication token.

Tip

As an extra security measure two-step authentication can be implemented by requiring an additional PIN (over an SSL connection) after the initial NFC Card authentication. See Section 4.11.3, “User Authentication” and Section 4.9.4, “Custom User Login”