How is tap-to-pay more secure than the chip on the card?

I understand how using something like Apple Pay or whatever the Android equivalent is is secure, using things like one-time codes, but how is having a card that can do tap-to-pay secure? Couldn’t someone just copy the wireless signal it gives off and then use that in place of my card?

12 Answers

Anonymous 0 Comments

It’s essentially the same technology, just a different method of powering the chip. In both cases, the terminal sends a message to the chip that depends on the specific transaction, then the chip sends back a response authorizing the transaction. The terminal provides the power for the chip.

Afterwards, the terminal sends the response to the bank, who checks that the transaction was authorized by the chip. A terminal could replay a transaction using the authorization a second time, but then the bank wouldn’t do the transaction twice.

In contrast, a swipe is much less secure, since it just reads the same information off the card for every transaction. If you get that information, you can fake whatever transactions you want.

One *potential* difference between inserting a chip and tapping it is the method of power delivery. There are some clever attacks where a terminal can watch how much power the chip uses in order to steal the secret information that the chip is using to authorize transactions. It may be possible that differences in the power delivery method might make this more or less difficult, but that is harder to say.

Anonymous 0 Comments

It’s harder to steal/skim, and in some cases it creates a temporary card number that is only good for like 60 seconds. So even if someone does get it, they can’t really use it, and it’s not linked to your other accounts/auto pay setups. That was what got me into using Samsung Pay 4-5 years ago.

Anonymous 0 Comments

I’m not entirely sure how the technology is implemented in practice, but an easy way I can see it implemented is with encryption. Instead of sending a password, the password is stored on the card and never output. Instead, it receives a message, encrypts it with the stored password, outputs the encrypted message, and the receiver verifies that the encrypted message was legitimately encrypted. Transaction approved.

Edit: seems like NFC authorization flow is generally as I’ve outlined.

Anonymous 0 Comments

It’s not. It’s just more convenient.

However, that doesn’t mean your method will work. You’re describing something that would work if it was a magnetic stripe card, but neither chip+pin nor contactless chips use this method.

Both chip+pin and contactless have a tiny processor chip inside them that is powered by the card reader. When you use it, the card reader asks the card to calculate a relatively complex math problem, using some numbers that only your card knows, and some numbers sent to the card reader by the bank.

The answer to this calculation is used by your bank (or card issuer) to verify that it’s your real card, and that it’s being read by a legit card reader by a legit business.

When the bank receives this, and it sees that the transaction is below a certain value, it’ll approve of the transaction. If it is above a certain value, it’ll ask for the PIN code for contactless as well.

Some people claim that wireless card attacks are easy to do from a distance, but it’s pretty difficult and the risk to you is low. It’ll be easy for banks to detect a “rogue” modified card terminal, and you’re likely insured against these types of attack if they should happen to you.

Anonymous 0 Comments

The information being sent by the contactless chip isn’t the entire information stored on the card. Essentially, it’s the same as a chip transaction, it’s a specific response to a specific prompt from the reader, and thus capturing the information doesn’t provide anything useful.

Phone mobile wallets will often take the idea a step further and use a disposable account number just for that mobile wallet profile.
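
The challenge-response exchange the answers above describe, as an added example that is not part of the original posts: a simplified model in which HMAC-SHA256 stands in for the card's real cryptogram algorithm, and the class names, counter scheme and test card number are assumptions made for illustration. It shows why a captured response is declined when replayed or reused for a different amount.

```python
import hashlib
import hmac
import secrets

class Card:
    """Chip card: holds a secret key that never leaves the chip."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.counter = pan, key, 0

    def authorize(self, amount_cents: int, terminal_nonce: bytes):
        # Assumption: HMAC-SHA256 is a stand-in, not the real card algorithm.
        # The response is bound to this amount, nonce and transaction counter.
        self.counter += 1
        msg = f"{self.pan}|{amount_cents}|{self.counter}|".encode() + terminal_nonce
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return self.counter, tag

class Issuer:
    """Bank side: knows each card's key and the highest counter seen."""
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, pan: str) -> Card:
        key = secrets.token_bytes(32)
        self._keys[pan], self._last_counter[pan] = key, 0
        return Card(pan, key)

    def verify(self, pan, amount_cents, terminal_nonce, counter, tag) -> str:
        msg = f"{pan}|{amount_cents}|{counter}|".encode() + terminal_nonce
        expected = hmac.new(self._keys[pan], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "declined: bad cryptogram"
        if counter <= self._last_counter[pan]:
            return "declined: replayed counter"
        self._last_counter[pan] = counter
        return "approved"

def demo() -> dict:
    bank = Issuer()
    card = bank.enroll("4000000000000002")  # constructed test number
    nonce = secrets.token_bytes(4)          # terminal's unpredictable number
    counter, tag = card.authorize(1250, nonce)
    return {
        "first": bank.verify(card.pan, 1250, nonce, counter, tag),
        "replay": bank.verify(card.pan, 1250, nonce, counter, tag),
        "new_amount": bank.verify(card.pan, 99900, nonce, counter, tag),
    }

if __name__ == "__main__":
    print(demo())
```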
