It’s amazing how much NFC stuff is still badly done - and how bad the response to discoveries is. I recently got a police report filed against me here in Finland for pointing out that guarding personal details of kids and parents on a phone used in daycare by an empty tag, just by the tag’s UID, is probably a stupid idea.
It doesn’t surprise me, the vendor probably thinks they’re Agile, their team delivered a Minimum Viable Product and then their Management sold it. Security was always meant to be in a future Sprint.
If that model works for web services, it ought to work for anything, right?
Merriam-Webster defines “agile (technology)” as “synonym for trash”.
If teens can hack your stuff, you should be really thankful to find out they did, because our stuff is insecure as fuck then.