I understand how using something like Apple Pay or whatever the android equivalent is is secure, using things like one-time-codes, but how is having a card that can do tap-to-pay secure? Couldn’t someone just copy the wireless signal it gives off and then use that in place of my card?
In: 5
It’s essentially the same technology, just a different method of powering the chip. In both cases, the terminal sends a message to the chip that depends on the specific transaction, then the chip sends back a response authorizing the transaction. The terminal provides the power for the chip.
Afterwards, the terminal sends the response to the bank, who checks that the transaction was authorized by the chip. A terminal could replay a transaction using the authorization a second time, but then the bank wouldn’t do the transaction twice.
In contrast, a swipe is much less secure, since it just reads the same information off the card for every transaction. If you get that information, you can fake whatever transactions you want.
One *potential* difference between inserting a chip and tapping it is the method of power delivery. There are some clever attacks where a terminal can watch how much power the chip uses in order to steal the secret information that the chip is using to authorize transactions. It may be possible that differences in the power delivery method might make this more or less difficult, but that is harder to say.
Latest Answers