Swiping your card is like telling the point-of-sale (PoS) terminal a secret password that identifies you (your credit card or bank account). The info encoded on the magnetic stripe is pretty much just the info (cc numer, exp date, cvc code) printed on the card itself, and the card reader just reads that data off the mag strip.

This is a form of what’s called *bearer authentication*, so named because the one who bears a special token is authenticated and therefore wholy trusted as the principal with whom the token is associated. A username and password are a form of bearer authentication.

The problem with bearer authentication alone is since whoever bears the credentials is trusted as you, if someone steals your username and password, you’re cooked. Likewise, if someone steals your CC info (which can also happen through PoS breaches), you’re also cooked. Your CC info is all that’s needed to fully authenticate the bearer of that info as you and authorize arbitrary transfers of arbitrary amounts to arbitrary destinations forever, for as long as the card remains valid and unexpired. It’s very much like a username and password: whoever holds the username and password can perform an unlimited number of arbitrary actions as you. And the problem is this kind of sensitive, all-powerful credentials are exchange a lot in many different places, possibly stored in many different places. The fact that bearer tokens are all powerful AND thrown around a lot and therefore sometimes likely to get stolen or get leaked makes for a bad combo. By its nature, in a bearer authentication scheme, you must hand over your all powerful credential to prove you’re you.

There is a better form of authentication, called public key authentication. There are many forms of this: various challenge-response protocols, interactive zero-knowledge proofs, zero-knowledge succinct non-interactive argument of knowledge (zk-SNARKs), etc. Physical security keys (e.g., Yubikeys) Passkeys, etc. all rely on these kinds of technologies.

At their heart they all are based on public key cryptography. For the purposes of authentication, all you need to know is a public-private key pair can be generated, and the public key is widely known to belong to you, and the private key (which you keep private) allows you to generate messages with digital signatures that prove the message was written by you (or somebody posessing the private key) and unaltered, which anyone with the public key can verify. In this process, you never actual reveal your private key. The all powerful credential is never communicated to anyone else, unlike bearer authentication, in which you must hand over the all powerful credential in order to prove you’re you. Instead you sign one-off messages written for a narrow purpose as needed with your private key.

This is how tap-to-pay works. The circuitry inside the chip (or in the secure element of your iPhone or Android for tap to pay) holds a private key that allows it to sign messages like “I, Bob am making a payment of $10 to Acme Inc. on this date and time” that only it could have produced. With its signature, such messages can be verified as authentic by the credit card network / bank, and you can therefore make payments. And if the point of sale terminal was hacked and is siphoning off all the data to an attacker, those messages are of no use, because they are only good for that one transaction on that date (they can’t be altered to authorize the transfer of a different amount to a different account, and they can’t be replayed either). Versus if you swiped your credit card, every single time, you are transmitting to the PoS terminal a secret password that if stolen is sufficient to fully authenticate the bearer to act as you and authorize any transfer of any funds anywhere at any time.