How is tap-to-pay more secure than the chip on the card?


I understand how using something like Apple Pay or whatever the android equivalent is is secure, using things like one-time-codes, but how is having a card that can do tap-to-pay secure? Couldn’t someone just copy the wireless signal it gives off and then use that in place of my card?

In: 5

> Couldn’t someone just copy the wireless signal it gives off and then use that in place of my card?

In theory, but you’d have to do the same thing as tap-to-pay. So you’d need the right equipment (which not that hard to get), and you need to be pretty close (physical contact or near to it) for a long enough time.

Do you walk around holding your card out in your hand, and ignore strangers who are pressed against you for 5-20 seconds, if no then don’t worry about it.

The information being sent by the contactless chip isn’t the entire information stored on the card. Essentially, it’s the same as a chip transaction, it’s a specific response to a specific prompt from the reader, and thus capturing the information doesn’t provide anything useful.

Phone mobile wallets will often take the idea step further and use a disposable account number just for that mobile wallet profile.

It’s not. It’s just more convenient.

However, that doesn’t mean your method will work. You’re describing something that would work if it was a magnetic stripe card, but neither chip+pin or contactless chips use this method.

Both chip+pin and contactless have a tiny processor chip inside them that is powered by the card reader. When you use it, the card reader asks the card to calculate a relatively complex math problem, using some numbers that only your card knows, and some numbers sent to the card reader by the bank.

The answer to this calculation is used by your bank (or card issuer) to verify that it’s your real card, and that it’s being read by a legit card reader by a legit business.

When the bank receives this, and it sees that the transaction is below a certain value, it’ll approve of the transaction. If it is above a certain value, it’ll ask for the PIN code for contactless as well.

Some people claim that wireless card attacks are easy to do from a distance, but it’s pretty difficult and the risk to you is low. It’ll be easy for banks to detect a “rogue” modified card terminal, and you’re likely insured against these types of attack if they should happen to you.

I’m not entirely sure how the technology is implemented in practice, but an easy way I can see it implemented is with encryption. Instead of sending a password, the password is stored on the card and never output. Instead, it receives a message, encrypts it with the stored password, outputs the encrypted message, and the receiver verifies that the encrypted message was legitimately encrypted. Transaction approved.

Edit: seems like NFC authorization flow is generally as I’ve outlined.

It’s harder to steal/skim, and in some cases it creates a temporary card number that is only good for like 60 seconds. So even if someone does get it, they can’t really use it, and it’s not linked to your other accounts/auto pay setups. That was what got me into using Samsung Pay 4-5 years ago.