Comments

You must log in or register to comment.

DiamondIceNS t1_ja795w8 wrote

To explain how the apps work, we need to understand how chips and contactless cards work.

Credit and debit cards are essentially just reusable check blanks. Written on them, you have the account number of the person trying to send money and the name of the account holder. When using the card to buy something at a shop, the payment computer has the account of the ones receiving the money (the shop) pre-programmed into it, and the employee at the till has punched in the amount to be sent. This is basically all the necessary components of a check. The payment computer phones up the bank with this info to request a transaction, and if the bank computer responds, "Looks great, we'll get that sorted!" the payment goes through and the terminal shows it as paid.

The magnetic strip on older cards is more or less just the info printed on the card, digitized, so the sale computer can read it quickly and mistake-free. Swiping a card is, for layman's purposes, hardly different than just punching in the data printed on the physical by hand, with a magic spellchecker that can tell if you typo'd it.

Now, if that's all a credit card actually was, just a name and account number, it'd be very easy to steal. So they have security built into them to make sure that only the rightful owner is using them. Basically, give the cardholder a test to prove it's actually them.

The oldest (and stupidest) form of this is the signature. The idea is that the card holder writes their signature on the physical card. Then, when making a sale, the cardholder also signs the receipt. The cashier should take the card and receipt, look at the two, and only allow the sale if the two match. The hope here is that A) your signature always looks the same every time you write it and B) only you can write it the way you do, no one could ever copy it. So if the signatures match, you must be the cardholder.

A much better solution is a PIN. It's basically just a tiny password that only the cardholder should know. If someone steals the card (or even just the numbers on the card), but do not know the tiny password, they can't use the card.

This idea is taken to the next level with a chip. In addition to giving you a PIN to memorize, the credit card company makes two identical copies of a tiny computer. One gets embedded into your card, and they keep the other. When you attach wires to this tiny computer and power it on (which is what inserting your chip into a chip reader actually does), you can send it some gibberish data, and it will answer back with more seemingly unrelated gibberish data. The key, though, is that every time you ask it the same gibberish question, it replies back with the same gibberish answer. So, when you insert the chip into a chip reader when making a sale, the card network can come up with a gibberish question, send it to your card's chip, and get the gibberish response back. It then asks the same gibberish question to the copy they have on hand. If the answers are the same, it must mean you have the chip, and by extension you must also have the physical card.

The beauty of the chip solution is that even if an eavesdropper somehow was listening to the conversation between the card company and the chip, and they overhear the gibberish question and answer, it's useless to them. That's because even if they technically know the "answer" to one of the gibberish questions, the card company will never ask that question again. All questions are single-use, and thus so are all answers. The only way to truly spoof the card is to be able to know every possible answer to every possible question. Or in other words, physically have the chip. So the chip effectively defends against people who know your numbers, but haven't physically stolen the card. A PIN is still required to defend against physical card theft.

Contactless tap is basically the same as chip, just done over radio waves instead of wires. This makes it easier to eavesdrop, but as we established already, eavesdropping on a chip payment isn't all that helpful to a thief, so we don't really care about that!

Now, finally, the payment apps. When you install a payment app and register a card to it, what you are essentially doing is turning your phone/watch/whatever into a credit card chip. The credit card company creates a secret program that works like a chip--takes a gibberish question in, gives a gibberish answer back--and installs a copy of it to your device. So when you tap your device to the reader, it gets asked a gibberish question, it creates a gibberish answer, and radios it back to the terminal, just like a chip. This proves that you have the physical device. It doesn't prove you have the physical card, but registering the card in the app in the first place did prove that you must have had it at some point, which is good enough.

18

Bensemus t1_ja9r9ed wrote

> Contactless tap is basically the same as chip, just done over radio waves instead of wires. This makes it easier to eavesdrop, but as we established already, eavesdropping on a chip payment isn't all that helpful to a thief, so we don't really care about that! > > Now, finally, the payment apps. When you install a payment app and register a card to it, what you are essentially doing is turning your phone/watch/whatever into a credit card chip. The credit card company creates a secret program that works like a chip--takes a gibberish question in, gives a gibberish answer back--and installs a copy of it to your device. So when you tap your device to the reader, it gets asked a gibberish question, it creates a gibberish answer, and radios it back to the terminal, just like a chip. This proves that you have the physical device. It doesn't prove you have the physical card, but registering the card in the app in the first place did prove that you must have had it at some point, which is good enough.

Another bit of security for tap purchases is a low limit. If I use my CC's chip I can do a transaction worth the entire limit on the card. However if I tap I can only do idk $100, $250? Somewhere in there.

1

ZuperLucaZ t1_ja74ybf wrote

An NFC is a signal, your card emits that signal which acts like a password to your bank account.

Instead, your phone can scan and copy this signal, and then emit it themselves to mimic this code and appear to be the card doing the work

Security risks, sure, but it’s way riskier using you card since that’s always emitting the signal, your phone is not

2

travelinmatt76 t1_ja7yddx wrote

Mythbusters were going to film an episode on the security flaws of RGID chips in credit cards, but every major credit card company said they would pull their ads off the Discovery Channel if the episode aired.

https://youtu.be/-St_ltH90Oc

1

Bensemus t1_ja9rmc6 wrote

> it’s way riskier using you card since that’s always emitting the signal

It's not. The card has no power. The power is wirelessly sent to the card when you are tapping it.

If you bring the proper device close to the card it will start talking vs your phone which needs the CC or debit card first opened before it bothers looking for a terminal to talk to.

1

ZuperLucaZ t1_jacvxq0 wrote

Exactly, that’s what I meant, this is a subreddit for dumbing down answers to make the answer digestible, both our descriptions are practically the same

The point of the last paragraph was to state that the phone can’t always be scanned while you card can

1

homeboi808 t1_ja7ar8t wrote

If you are American then I assume you know about the mag stripe on the back. Think of chip cards as storing the same data as a mag stripe but it also changes the codes every use, and the previous codes can’t be used by your card again; this way even if someone gets that info, it’s useless. As for tap to pay (card or phone), it’s just a wireless version of the chip.

1