Why Tap-to-Pay Is Safer Than a Credit Card Swipe | WSJ Tech Behind
Вставка
- Опубліковано 9 чер 2024
- From Apple iPhones to New York City subway turnstiles, tap-to-pay use in everyday American life is growing, thanks in part to its security and ease of use. But tap-to-pay and its small near field communication antennas are more complicated than they look.
WSJ takes you inside one of Square’s card readers to break down the tech that works in seconds to power contactless payments.
0:00 How are contactless payments made possible?
0:37 How near field communication antennas work to create tap-to-pay tech
4:29 The history of tap-to-pay technology
5:48 How contactless payments are expanding into more parts of everyday life
Tech Behind
'The Tech Behind' explores the amazing engineering, computing, science and algorithms that power our favorite tech.
#TapToPay #Tech #WSJ
Tap to pay has been so widespread in Canada for almost 10 years now. It always surprises me to go down south and having to insert my card or still sign my name. I can’t remember the last time I did the that in Canada
Same here in the U.K. I have been completely cashless since 2019 as most retailers have contactless payment methods.
I live in I’d say one of the Top ~15 largest city in Mexico, it always bothers me that the vendors DO have contactless card readers and the contactless payment sign in their counter yet they ask me to insert my card. Like I just wanna buy this bag of chips and a coke, let me just tap my card and go
It's almost impossible to go anywhere in Australia without "pay wave" or tap to pay being available, then I moved back to New Zealand and it's still slowly becoming more wide spread, but still more widespread than I remember in the US. I was really shocked in the US to swipe my card from New Zealand and only need to sign a piece of paper, I'd always seen it happen on American TV shows and didn't realize it was a real thing.
I was travelling in US in 2013 when I was at an American restaurant that still uses the carbon printing of credit card numbers (by pressing the card against a carbon paper). Omg I was so amazed! Being in my late 30s I have never seen that kind of antique payment method
@@BlairAnsor I use my ohone
Given how the US is seen as a leader in tech, its surprising how they lag behind in things like payment technologies. They were behind to adopt chip and pin, now theyre again slow to adopt contactless. Here in the UK Ive been paying using contactless (with my phone) for years.
Yes I agree it's surprising. I remember banks offered cards with NFC back in 2014 and when I replaced the card, the new one came without it. Basically new tech in payment systems just doesn't take off like in other countries. I think part of it is also due to the preference people have to pay with a credit card. Usually these technologies like chip & pin is to make it more secure to take money directly from your bank account, whereas in the US, people like to pay with a credit card because they get points or cash back for using the card, and pretty much all credit cards offer fraud protection, so if you had any fraudulent transaction you just call the credit card and they take it off, you can even do that on the app now, and they send you a new credit card in a day or two. So there isn't really much incentive for people to look for more secure payment methods. But it's now taking off and I think it's mostly because of the speed though
key word here is "seen"....it's an illusion 😉
10 years in my case
Lol it’s been around in the US for more than 10 years. What are u talking about?
@@timoooo7320 Credit cards have been contactless just as long as debit cards
Australia was an early adopter of tap and pay as well as payment via phones and watches. I think the key was that the machines are not owned by the businesses instead they are provided as part of the package with the vendors bank. This means that the banks could push the technology out and our lifestyle of carrying minimal amounts of things when out on the weekend etc made it appealing
Yes, but we do need to catch up with enabling tap to pay on public transport systems (I'm looking at you, Victoria!).
Same in Europe, payment terminals are usually owned by the bank the business uses. Whenever the bank decides they just come and change them to a newer model.
@@GeeEee75but we have myki on andriod phone. Top up when walking to the station or use the auto top feature. Not sure if Apple users have this though...
Banks still haven't adopted 2FA so I wouldn't bet on them being the forerunner of anything else.
Myki is about to change because it fell behind, particularly for visitors. In Sydney one can simply tap a credit card or phone on public transport to use public transport. The fare charged is exactly the same as using an Opal card. Melbourne does not have this and it is very inconvenient.
One correction on the video: The NFC chip that stores your card's data is actually not visible. It's hidden inside your card just like the NFC antenna. The visible chip highlighted in this video is specifically for transactions where your card needs to be inserted in the reader.
no, what you see are just the contacts, the chip is below what is visible and in 99,99% of cards, that's the same chip for both nfc and chip & dip/sign/pin transactions
Guess what's on the back of that visible chip bruh
@David Daniel Wouters No? You say the same thing I just said, and then say no, lol.
@Joonil Oh its still technically a different chip bro.
@@kevindavis8762 And the back of a penny is technically a different coin too, right?
One more thing In India All NFC Enabled phones can work as Payment Machines for small businesses. If you just have a current account with any bank. No set-up fees or any one-time or monthly fees for the business owners. Just the processing fees.
Nice
I feel like those fees are what's stopping shops in my third world country from setting up NFC payments.
HSBC bank
I have never seen any small/big business using NFC via phone in Pune. Can you tell which network you imply and in which city?
No ones using them here
What people don't get about magstripe is that all your data is recorded on the stripe (like music on a cassette tape) and easy to read. To clone a credit card's magstripe, you just have to read the stripe and write it to another card. You get a perfect copy.
But with chip and pin (and tap and pay - although the mechanism is a bit different) on the chip, there's a section of memory called "write-only memory" where a cryptographic key (half of a pair) is stored. It's called "write only" because you can write to it, but only the processor inside the chip can read it and even then, not directly. There's no reasonable way for a cloner to get the data back out short of decapping the chip (removing the top of it, also known as delidding) and using microprobes to trace the circuits while making a request.
The write only memory is attached to a dedicated crypto processor which cannot be asked for the key, rather you give it data and it either encrypts or decrypts using the key in write only memory and then returns the result.
Because of how PKI (the system for the keys) work, there are two half keys - A and B and because of the maths involved, if you encrypt a message with A, ONLY B can decode it and if you encode it with B, ONLY A can decode it. If you have either A or B, it's extremely difficult to figure out the other key (it would take hundreds of years minimum even with the most powerful computer, although quantum computers may change that).
Your card has one of the two keys assigned to the card (A) - the bank has the other (B) - so when you tap, the terminal picks a random number, asks your card to encrypt it with A, then sends that encrypted message to the bank which then decrypts the message using your B key. It then re-encrypts the message using your B key and sends that back. Remember, if you encrypt with A ONLY B can decrypt, and if you encrypt with B, ONLY A can decrypt. So if the card is valid, the card encrypts it with A which the bank can decrypt with your B. It never looks at the content - it just re-encrypts it with the B key and sends that back. ONLY your A key - the one on the card can decrypt it. And that results in the original random number that was sent. If they match, it's valid.
There are very few known ways to trick this system. There was a bug in the early version of the system that, if the attacker got the timing just right, could inject a repeat purchase into the pay terminal (it wasn't a bug with the card) that would look like the first purchase and cause two payouts, but the attacker had 45 seconds to complete it, and the bug has since been patched.
Most attacks actually copy the magstripe and then make it look like the tap and pay or the chip card has failed to get you to fallback and use the magstripe.
What about people using Flipper Zero? Can they bypass this?
Are you in IT security?
@@MMALifestyle1972 He doesn't have to be. A decent dev will know how simple PKIs work.
All of this and it's still laughably easy to clone a card's chip.
Happens even on your bank's ATM.
You so smart!!! 😮
It always felt so backwards to go from Europe to the US, where people still used swipe & sign instead of chip & pin, let alone contactless. Glad to see that it finally reached the other side of Atlantic :)
Now how about paying service workers at least a minimum wage and stop making people pay 20%+ tips for everything? :)
totally.
i been using NFC in Europe for what seems like a decade.
entering the Ewe, Es and Aye, feels like arriving in a third world country by comparison (in more ways than one)
As an American, I am glad we finally have it, and I only have to carry my phone now. Especially since now we have our ID cards in Apple Wallet! As for 20% tips, that is still a painful part of my day!
surprised that Europe has this type of technology. Didn't Europeans use cash most of time?
@@scuthan Europe, Canada and the rest of the world i've seen have had tap payment options for 10-15 years. The US is the only country I've ever swiped a credit card.
@@austinbrass Not really, the reason you were able to swipe a card in the US is probably because your credit card was issued by a foreign bank. POS machines here started rejecting credit cards with chips issued by US banks at least 10 yrs ago. As for tap payment options, they became available everywhere overnight ever since apply pay and google pay came out. We never found the payment options in Europe convenient when i visited there before the pandemic. chip-and-pin is too much hassle even compared with swiping and the people are just using the good old cash
Ever since I was a kid I've heard about how dangerous swiping you card can be. So its amazing that it took well over a decade since hearing this for the U.S. to widely adopt something like tap-to-pay in which it is considerably safer to use your card, especially after hearing the statistics every year on how much money is lost due to fraud/stolen credentials
You are not responsible for fraudulent transactions, so it’s NOT DANGEROUS!!!!!!!
Up to a point AFAIK. What do people do if they got their info stolen and the hacker spent past that point?
@@johnp139 But somebody is paying for it. Usually it's the bank or merchant. So you (and everybody else) pay for it in higher fees and higher costs for everything you buy.
Lies again? Tesla Porsche USD SGD
Also, getting your card swiped is not that great.🤣
The NFC tech is actually really useful… far more than just this kinda stuff.
Do you recommend some products or readings?
What are some real world uses tho. Because I can’t think anything other than an NFC tag that enables a command, but you could do the same without it lol
I’m wondering what you’re referring to. Mostly I can think of authentication purposes because there’s minimal data that can be passed back and forth.
WJS forgot to mention these facts
1) Bluetooth and Wi-Fi offer better range and faster transfer speeds
2) NFC can store loyalty cards, tickets, passes, and even transit fare cards (not all transit cards work) not to mention home, car and hotel keys
3) Future might have the ability to exchange money between users/phones
4) A digital wallet can possibly hold everything from payment cards to concert tickets
5) TSA is on board with NFC terminals (more in Future) for ID's
6) Pair headphones like Sony's WF-1000XM3
7) Buy NFC tags for under $20 and the world is your oyster (Nintendo Switch with Animal Crossing)
8) You need at least iOS 15 or android 10 to use NFC security features
9) Ultra Wideband (UWB) might dethrone NFC (think about Smart Tag tracking devices)
10) Contrary to those who say it drains battery. Unless you really keep using it the draw on power is negligible
NFC used to be used for transferring files
The only issue for tap to pay for me is that there are payment terminals that don’t tell you where to tap specifically. I have to move my card around to figure where to tap on the terminal that don’t have the symbol to pay
Ha ha, I was thinking exactly that. You can waste several seconds tapping your card on every surface of the reader, trying to get your card to scan. And it feels like you're somehow the idiot for not getting it right first time 😂
I’ve never used swipe. Tap to pay has been a thing in Europe for ages, especially in the UK, it’s very rare not to have it, even nearly all tiny businesses have it.
Try INDIA UPI scan from your phone and pay
Something i think you missed is that the active device is actually providing a small amount of power to the passive device to receive information, since the passive device actually has a micro processor in it that stores the information, and in order for it to be sent it requires power.
I tap to watch this video to actually try to confirm this, because when I was still in school in Hong Kong more than 20 years ago when the Octopus smart transit card was introduced, I think I read about it taking induction current from the reader, that fascinated the very nerdy kid I was (still is really!). I then always wonder if contactless credit cards today works in similar fashion.
To be more accurate, the terminal is always emitting a radio signal. When you bring your card in range, the antenna in the card turns that radio signal in a small current (that's literally have a radio works) and that tiny signal is enough to power the chip. As long as the card is in range, the card stays powered and has enough power to both process the request and transmit a signal that the terminal can read. BTW, that's why the antenna in the card is so big.
Actually, the electromagnetic radiation conducts through the card's antennae to provide a small electric current to trigger the broadcasting of the card's data to the active reader.
It's similar to how you can use metal antennae to get a small current to your TV to watch broadcast television.
I think you all are wrong.
In the video it is stated that the card must be within 4 cm to activate the transfer of information.
This says to me; that the card is static as they say and the information on the card/chip is available at ALL times.
Remember when this tech was being sold to the US; people were freaking out that someone with a reader could stand behind you and 'charge' your card.
Hence the need for very close contact.
The card is static and contains information that can be read.
It doesn't need power of any kind.
Just like the mag stripe....
Mark of the beast coming soon
What I like best about tap to pay is how cheap it is to implement for very small businesses. About 90% of the people who have stalls at my local farmer’s market have a Square device.
The best explanation on the topic I have seen to date. WSJ knocks it out of the park again 👏
THE WAY I WENT TO CHECK THE DATE THIS VIDEO WAS UPLOADED!! 😲
*giggles in UK*
That short distance is not because of the frequency but power of the signal being generated. Obviously that is by design. RFID works at the same frequency but can go distances of above 10 cm
Or more, much more.
Here in Latinamerica tap-to-pay is a big security breach. It's very easy for a malicious active terminal to read data from a card inside a person pocket. Most of banks require PIN for a 10 USD or greater check.
Here, we can use wallets or card holders that do not allow anyone to steal information.
Tap-to-pay with your phone solves that - the phone must be more than simply powered on, but the screen be on, too (some phones need to be unlocked, too).
If I wave my phone at a payment terminal while the screen is black, nothing happens. Tap the power button to wake it up, and it can pay.
never show your phone on the street in latinamerica
NFC tech is so popular in Japan. The Japanese people have NFC enabled cards called Suica/Pasmo that they use to effortlessly enter/exit subway stations and the ticket fare is accordingly charged.
Since it was invented by Japanese!!
There are still a lot of bugs to be worked out with merchants. A few weeks ago I tried using contactless at a Shell gas station. Both using my phone and tapping the physical card failed. I was given an error message saying it was declined. Inserting the card worked as it should have. This is not an isolated incident. I've had failures with other merchants as well, though some (like Five Guys) have finally fixed their systems to work properly.
I suspect having to insert occasionally might be a security feature, to prevent someone from taking out too much from someone else's account.
I contacted Shell, they told me it wasn’t enabled… that was a year ago and it still hasn’t been enabled…
this is astounding to me. we’ve had this in the UK for at least ten years!
It’s been here too. People just don’t bother using it that much.
5:50
A truly beatiful and unique signature.
I remember using tap payments 20 years ago in europe. glad that north america is finally catching up.
Finally, it's gotten to the point where nearly every business I frequent has tap-to-pay. I rarely find myself pulling my card out to swipe for payment. I do nearly everything with Apple Pay.
Kroger finally fell. I think for large retailers its just Home Depot, Lowes and Wal-Mart. Same with Apple Pay, had my wallet stolen a few years back at a GYM. Forced me to adopt Apple Pay so I could lighten my wallet. So much better from both a physical security as well as digital security going that route.
Mark of the beast coming soon
@@brianc9036 yes finally Kroger did and I was at Lowe's yesterday and they had it too! Have not been to Home Depot yet. Apple Pay is the way to go, especially with Apple Card.
Even in Romania it's been here for almost 10 years. It was adopted quite well and fast.
Dude, are you really assuming they know where Romainia is? :)
Thank WSJ to share NFC and RFDI to us and how tap to pay works
Yeah, except tap to pay cards are fundamentally insecure. Someone stole my card with it a couple months ago. All they have to do is use a smart phone to initiate a transaction as they walk by and replay my response at a payment terminal. I asked my bank if I could get a card that doesn't have that feature, and they said no.
Your bank doesn't allow you to manage the various functions of your card?
You can “punch out” the RFID antenna.
@@johnp139 That's a great idea. Thanks!
Did you not watch the video, it won't work like that because the smart phone is not the same device as the payment terminal, so will not cause the card to generate the same unique code, so when the unique code is sent to the bank it should cause an invalid transaction (aka no money taken)
Just watched a DEFCON video showing that 99 percent of the tap to pay sensors are vulnerable and then shown to have weaponized it. All though tapping a cellphone to the reader.
The man who did this worked for all of the banks in France.
Almost all of them have ridiculously easy exploits, both buffer and heap.
Granted it is better to tap then swipe. However it's all security theater.
Great video. Hopefully the US adopts tap soon. So weird to travel there and have to dig a card out of your wallet just to have someone at a restaurant walk away with it where they can skim it or do whatever they want in the back.
Only that doesn’t happen.
They already have. My card has it.
What do you mean, you hope? Most merchants in USA accept it. I used Apple Pay almost exclusively on my last visit…
Very surprised to learn this is still fairly new in the U.S. it's been commonplace in Canada for a while. I don't remember exactly how long, but I do remember at the start of the pandemic Walmart was basically the only major retailer that didn't have it yet--pretty much every other store had already had it for years by then. But then again we had widespread bank debit payment since the early 90s, and I don't think that became common in the states until much more recent
Contactless payment is not new in the US and has been around for years. Every major retailer excepts contactless payment except Walmart for whatever stupid reason.
@@jadon-sc1zj Thats wild cus Walmart in Canada has been contactless for years.
I feel like the only reason the US is moving to contactless is exclusively cus of the fact Phones support it. So having a non-contactless store will most definitely lose you business.
One issue I have run into a couple of times in the last year (2022) where the card I chose to use and the reader registered a payment before the card got within 6 inches or so of the reader. I now use a blocking wallet.
Tao to pay is so useful. It’s amazing ❤
The transaction itself might be safer than other methods. I use it every day in a European country where it is really common. However, something I am always a little worried about is loosing my wallet and someone using my card to do purchases. You have to insert the card and provide the PIN every 20 transactions or so and for higher payments. Even though according to banks the numbers of fraud happening this way are allegedly small, I see it as a security risk. I wouldn't mind still providing a code when using the NFC functionality or perhaps having your fingerprint stored locally on the card (there are companies working on this) as an additional security layer.
Some stores here in the US will still ask you for a PIN even if you tapped the card. Grocery stores for example.
In Canada, tap transactions from stolen cards are insured by the bank or credit institution, as long as you report the card within a reasonable amount of time.
even if that does happen it's still incredibly easy to log in to your card account online and dispute fraudulent charges lol
In Australia the machine often asks for a pin for transactions over $100 to help with this.
In New York, for the MTA, there's Tap to Pay, Swipe to Pay, as well as Hop to Ride.
Thats how transit has worked everywhere on earth for at least 10 years
@@austinbrass pretty sure hop to ride is prevalent in the US only
They should provide jumpers to hop over the turnstile for the gravitationally challenged. The system has to be inclusive.
No tokens?😂
Was in NY last week; first time without cash. The tap to pay, very normal in the Netherlands, works great.
The risk has changed, we have went from using our judgement to look at a card reader to see if a scam is taking place to someone can walk past us on the street and hold a reader to our bodies in a sneaky way and charge money to our card or device (unless you buy yourself something to protect the card).
My worry is contactless payment limits, why do banks not allow you to set your own limit, here in the UK its now £100. Someone could come along, brush up against a person in a crowded space and charge £99 to the card and your money is gone, and you dont know about it until you next go to spend money or check your bank account.
I had one of those charge me when I accidently held my wallet too close. Fortunately the shop owner saw two entries (I had paid in cash) and refunded.
This seems to compare these to security of a magnetic strip (which is weaker) but not the chipped card which is also secure. The concept that a charge can occur over the air is uncomfortable.
The biggest problem I have with tap to pay is 90% of places still don’t recognize it. So it’s usually not an option. I wish more places got up to speed with it, it could really make a difference in curbing the number of frauds
I’m from a 3rd world country. We have this tap to pay since 8 years ago and literally every store accepts it. Why is the US so behind?
@@PassionPno Very much like the answer to every question - money. In the US you will notice that newer, smaller companies will have NFC using one of the services like Stripe. The large companies don't want to spend the money needed to upgrade all their terminals. Many still don't have chip/pin. In Europe, you never let your card out of your sight. In the US, every waitperson takes your card, swipes it in their ancient machine, and then brings you back a ticket to sign - after adding the tip of course. When I visit the US I always ask if they can take apple pay in the restaurant, and a surprisingly small percentage can do that. However, every tiny food truck takes NFC with Stripe or one of their competitors.
Majority of places accept it now and you can looks on Apple Maps or Google Maps and tells you in the info card
@@PassionPnoIt’s quicker and cheaper to adopt brand new tech instead of upgrading from existing ones.
It's actually the opposite, 90% of the places I visit here in the US let me tap. The rest at least can read the chip.
Great info! Thanks!
Very insightful information.
it's crazy to see that tap to pay is not that popular on the US, I'm from Colombia and basically every business that accept credit or debit has tap to pay capable systems so we use it very often
Here's my issue with Tap to pay:
Let's say I keep my card in my wallet or a clip in my back pocket (or even the front pocket of my jeans for that matter). What stops someone, with access to an active NFC reader, from coming just close enough to where my card is kept and complete a transaction?
That's why I prefer cards with chips even though the transaction might take a measly second longer
Who will issue you a card that doesn't have NFC in 2024?
@@halfsourlizard9319 you can deactivate the NFC
We have been using it for years in South Africa! In face we have moved in from that since COVID.
Everytime i visited the US in the past, it felt like stepping back in time from a payment systems perspective.
Unfortunately it's not possible to require pin every time so if someone steals your card or phone you're in trouble.
Tap to pay has been available in Australia for a very long time, too. In Sydney all of our public transport has been tap to pay for many years. 10 years ago in Europe it was disappointing to see how few merchants had tap to pay available (just like the US when we visited 5 years ago). We recently returned to Europe and it's great to see how widely it has been adopted now - even down to small town market merchants in France having contactless payment options. Unfortunately still don't see it much on public transport (other than in London).
well i got new for you: this March the whole of Netherlands got contactless fares enabled on all and for all forms of public transit, at 100% of public transit in 100% of the Netherlands you can now tap to pay with any Maestro, V-Pay, Visa Debit, Visa Credit, Mastercard Debit or Mastercard creditcard, this includes from e-Wallets such as iPhones, watches, android etc. (sadly no support yet for Apple Expres Transit, though we're being told that is coming, as is nationwide support for AMEX cards, apparently...)
Contactless in the UK is all over, especially in public transport. It was hard-pushed during the pandemic and pretty much every business has it now
wait until they charge your card in the street.
@@tube.brasil NFC has an extremely short range so that would be really hard to do. Plus if you use your phone instead it needs to be unlocked to work.
A friend of mine from Aus came to visit me here in America a few months back. She was always so amused that I brought my wallet with me everywhere we went, because "in Aus, we just take our phones and use Apple Pay for everything."
Thankyou for the video
I remember going to college in the US in 2017 and being surprised I couldn't use contactless anywhere, while I'd been using it in France since the early 2010s.
The big security problem with this contactless tap thing is that anybody can use your card! If you drop or lose your card, somebody else can pick it up and use it until you've managed to report it stolen. That could be quite a while, if you don't immediately notice that your card is gone.
That's something that still gives me questions about this method
How vulnerable are the tap to pay cards to being read by others while in your purse or wallet?
Very. I was a victim of that kind of fraud this month in Spain.
Extremely vulnerable. The flipper zero can get CC number and then they can pressure you to giving them bitcoin by telling you they know your CC number (true) and CVC (lie)
I use a wallet that blocks signals. Whilst in the wallet the cards cannot be read.
Tap-to-pay with your phone solves that - the phone must be more than simply powered on, but the screen be on, too (some phones need to be unlocked, too).
If I wave my phone at a payment terminal while the screen is black, nothing happens. Tap the power button to wake it up, and it can pay.
I have finished the job watching, commenting, liking and subscribing
I did some cashiering at a drug store when I was in college in the mid 1980s. I remember how people waiting in that line used to groan when a customer pulled out the credit card -- we had those old machines with carbon copies that we ran a card through, had to use the intercom to ask a manager come for a credit card approval, and they would actually call to make sure the card was valid and good for charges. Now people grumble when someone is NOT quickly swiping or tapping a credit card which is almost instant now, compared to people writing checks (yes, some people still do) or fumbling through their wallets for exact change.
My, how times have changed.
3:39 base from this design flow chart, it was secure and efficient only for the side of the corporation. not in the side of the user.
anyone can buy Flipper zero in a black market (if it's banned in your country). and can read and imitate your NFC powered card.
and there is a very simple fix to that. super simple that I don't know why these company didn't implement it.
that is to put a simple mechanical slider switch to disconnect those very tiny wires inside your card. in which you only slides in when you are about to do a transaction. and slides it back when you are done. ensuring that no unauthorize card reader can read your card without you knowing it while walking somewhere crowded.
but instead they just let their product unsecured and put those burden to the people to buy a protective sleeves for their card.
You can’t just clone this card and make payments using a flipper zero or similar devices.
1. Someone needs to be in very close proximity to capture this data via the nfc tag. Get an rfid blocking wallet or sleeve and you’ll eliminate 99% of the opportunities someone has to capture this info.
2. Even if someone is able to capture the card info from the nfc tag, they most likely won’t be able to do much with it as the only info transmitted is the account number, expiration, and OTP. So if they attempt an online purchase they will be missing the cvv and zip code. They can try to guess, but after a few failed attempts the account will more than likely be frozen for suspicious activity, so that then eliminates 99% of CNP (card not present) transactions. These tags also use a form of one-time code, so they wouldn’t be able to emulate your card for a transaction as the code they captured would no longer valid. So that eliminates most CP (card present) transactions.
Additionally, I would do more research into the flipper zero and similar devices (RTL-SDR). These have been around for decades and there is nothing new about the technology. The PCI-DSS compliance standards have included security measures for these types of attacks for many years. You should be more concerned with handing your card to the cashier at a drive thru or a server at a restaurant than you should be about tap-to-pay payments.
So the answer to question as to why no company offers a physical cut off is because there’s no point. It wouldn’t help with fraud and even if it did, it would be so marginal that it wouldn’t be worth the investment. These antenna lines are very small, so this cut off would need to be designed with a high level of precision, and would probably break with regular use/wear and tear.
Since this is the internet and everyone wants a source, mine is my PCI CPSA-P & CPSA-L certifications:)
That's all great unless someone steals your card. A safer approach would be to require a PIN in addition to the tap. Still convenient, but much better protection.
people will become more responsible after somebody steals their credit card. A benefit to humanity :D
In my country you only can pay up to 50€ and three transactions after that it asks for the pin
Are you could just use a Apple wallet or Samsung wallet from your smart phone via NFC build in chip. Why do we still use physical cards any more when your smart phone is 100% secure.
NEVER use a PIN.
i use NFC on phone requiring finger print to confirm payment....if I do use a card (99% of my transaction are with phone) I use a CC (same with phone).....in fact ALL my transactions are with tap pay/phone pay credit card.....i pay off every month, rack up points. any unauthorized transactions are protected by my credit card user agreement (chase)....
NEVER use debit cards
I have forgotten my PIN. I never use debit cards, in fact they are in my safe 👍🏻
@@terrydean3802 mines are all in my digital wallet on my iPhone. I don’t even remember what a 20 dollar bill look like 😂
Great...🔥🔥🔥
It's amazing how the U.S. is so behind the world with payment methods. I don't recall the last time I had to swipe a card, but it's been years. Not only can we tap credit & debit cards, we can also use our phones. The phone also creates it's own receipt. Also, we can tap a transit pass. I have my account configured for me, that is senior's fare. When I want to hop on a bus or commuter train, I just tap my card. I can add funds to my card on line, with their web site, or with a phone app. The card is valid on several transit systems and the fares are integrated, so that the cost over multiple systems is cheaper than the total of the individual fares.
Let's be honest. Large retail businesses do not want to activate Pay-To-Pay payments because they will miss out on data that can get since there is a randomized token. They won't be able to see what/where you are buying from. I am looking at HEB, Kroger, Home Depot. The devices in the store already have the NCF hardware in there, but they chose to deactivate it. Kroger was for the longest time forcing customers to use their version of tap to pay, but people did not want to use it because it did not work.
They will claim that it will too expensive to activate and accept Tap-To-Pay, but that is simply not true. They won't be able to grab your data since there is a randomized token.
Or maybe it's just because the United States is still stuck in the 80's when it comes to payment.
I don’t think what you say is correct. While a randomized token is generated and transmitted, as the video mentions, the fixed/static card information is sent as well as part of the transaction (in cleartext). Importantly however, the video fails to mention that the card’s 3 or 4 digit CVV code is *not* transmitted wirelessly and as such the fixed card information by itself (which theoretically could be skimmed by a rouge NFC reader) is mostly useless were it attempted to be used in card not present (CNP) transactions.
@@MaxPower-11 You can tell in this comments section who works in fields related to card processing. :)
Ummm they are already getting that information whenever you enter your loyalty/club card number at the beginning of the transaction. They use the data collected every time you make a purchase and enter your loyalty card number to aggregate your purchase data and tailor offers to you based on your buying history.
Extremely interesting video. As a frequent traveller who works in the tech industry and travelling back and forth to Silicon Valley for years, I've always wondered why the US was such a slow adopter of this tech.
The first real contactless payment systems were common in Japan, South Korea and later places like Hong Kong. But the first contactless banking cards were offered in the US in 2004. But they really didn't take off.
An example: ua-cam.com/video/u2gMaSk2tsQ/v-deo.html
What happened to slow the adoption down? Glad this video finally answered the question.
I suppose the opposite occurred in Australia. After introducing the cards in 2006, adoption was swift, being to date the fastest adopter of the tech with among the highest usage rates among consumers. Part of that was a very flexible fintech sector where retailers could extremely quickly take up new machines. With tap and pay terminals being ubiquitous only a couple of years after introduction, a lot of people switched.
But Australia is also a country that has been quick to introduce anything convenient in fintech.
Cheques for example fell out of fashion in the 80's and 90's. With internet banking becoming more common from around 1997, rent would be a simple and free personal bank to business transaction; never a cheque, never in person.
Transfers between banks, between people, between business is all integrated into a seamless payment system which also meant there has never been the need for 3rd party solutions, with Australians doing such transfers well before the likes of PayPay and Venmo.
I am sure Europeans and British would have similar sentiments. The UK for example, was very quick to abolish signatures being a rapid adopter of chip and PIN as a way to reduce credit card theft and fraudulent use. Australia followed suit, banning the practice as well.
financial crimes is too easy
SIngapore will also now start charging a fee for cheques from 2025, probably to discourage their use
We’ve been using tap for years in Canada. I remember using it up here, driving across the border to Niagara Falls and I had to use the swipe in stores there. Found it strange that we were more advanced in technology than the states were.
Looking forward to the next video on how the internal combustion engine works....
Been seeing stories of tap cards being accessed while in peoples pockets and purses. One woman had 3 cards accessed in her purse, 2 ft away, for the same purchase 😮
It happened to me a couple months ago!
Happened to me in Spain this month.
I've used a wallet/card holder that blocks signals for years. Whilst in the wallet, they cannot be read.
Yep. I was at a terminal ordering a pizza. The clerk handed me my pizza and said have a great day. After I told her I needed to pay, she informed me that I already had. The terminal charged the card that was in my wallet with the tap to pay feature, not the one in my hand that I wanted to use. The one in my hand didn’t have tap to pay. Every since then, I only shop at stores with Apple Pay because I have more control over charges with biometric security.
@@CS-qc7np seems like they need to add a pin function to these cards
Of course, we've coupled contactless with a "no verification" policy (such as a PIN or getting signature verification from a vendor, which granted has all but disappeared anyway.) So as any good hacker knows, there's no need to intercept all that encrypted data when all you really need is to get a hold of the card. If you have the card, you tap, purchase the items with someone else's card, "burn" the card, and sell the items elsewhere.
In other words, don't drop your card. You may as well have dropped cash.
Except that you don't actually lose anything, it takes 2 minutes to ring up your card provider to report the card / have it deactivated, and they'll just overnight you a replacement.
@@halfsourlizard9319 Which is great from the moment you realize your card is missing. But if that takes hours, it only takes minutes to do some damage.
Also, I have NEVER had them actually overnight me a card. Anytime I have needed a prompt replacement, it has taken 7 - 10 days.
I’m so happy that we’ve finally incorporated this technology, so much more convenient. COVID really pushed the era of digitisation for our society
Great explanation
I want to better understand how this technology relates to the fraudulent skimming of data from credit cards. Thank you for explaining how touchless technology works.
The killer app for contactless for me was that you didn't have to put in your pin, as opposed to using the chip
that's what makes it unsafe.
@@tube.brasilin Europa after paying a sum of max 50€ the pin must be entered.
@@tube.brasil You are not responsible for fraudulent transactions.
@@johnp139 You are not responsible for fraudulent transactions AFTER the loss/theft is reported. And while you are not paying directly for fraudulent transactions, you are helping to pay for the sum of all. This is the state of things in Europe.
Did not know that! Very interesting
Such a great human invention
Australia had this widely adopted easily at least 10+ years.
I’ve had American customers (I own a business near a large university, with few American academics around) puzzled that my business do not accept cards with signatures.
We can't do that anymore correct. I remember reading somewhere that signatures for payments are now depreciated.
In Thailand we just use our phone.
The street cart vendors etc display QR codes which is their bank account number.
We scan the QR code into our bank apps on our phone.
Our phone app asks to confirm that we want to transfer money to that account.
When we confirm, money is transferred from our bank account to their bank account immediately and a confirmation is received.
No cards. No card readers.
No Visa, Mastercard etc
Just a phone. 👍
This method is much safer!*
*please purchase a RFID blocking wallet to ensure safety 😊
Makes card cloning easier 🎉
Incredible! Wow.
While the whole world is still using card, taptopay and wallets. India's revolutionized the payments shstem by UPI. Literally paying in my country is so easy af.
When you don't have basic things at first implementing new thing will be easy, for example china didn't had to lay thousands km of cable wire for internet they directly used fiber.
UPI uses SMS for authentication, it's the weakest form, one disaster away from happening. UPI still need to find a way to charge for transaction, gov can't support it for infinitely, people may go back when it happens.
But UPI biggest flaw is using SMS OTPs and having the need to be always connected. I could tap my card or use Samsung Pay on my phone without internet connection at all. Whereas it's not possible to complete a UPI transaction without internet or a mobile.
I have been entering my PIN manually for the longest time until I found out recently it has the tap option and have been using it. But, I am still skeptical that tapping is more secure than swiping... 🤔
The banks are now seeing far lower claims for card misuses than they used to, mostly because there's no longer the opportunity for some miscreant to skim your card - you physically keep hold of it the entire time.
It was introduced in Japan more than 10 years ago as well as in the UK and Australia.
Few people take credit cards out of their wallets
Appreciate the layman's explanation of this tech
This has been around for way over a decade. I love how Americans think they rule the world yet they still have to sign a piece of paper to make payments like they're stuck in the 80's
I'm from Mexico and the implementation of technology in our country usually depends of USA's pace.
Contactless paying has recently been introduced here and one issue we have with this is that most terminals don't ask for a PIN/ ask for a PIN after a really big amount of money. Imagine your wallet is stolen (very common) and you suddenly lose 20% of your monthly income. If banks minimize this limit, then the experience would be perfect.
In India, we can enable/disable contactless payments if and whenever we want to. We also have the option to set its limit.
One thing I've noticed is periodically tap is not accepted and I have to insert my card. I suspect this is a security method to keep someone with a stolen card from taking too much.
financial crimes
Theft is covered by insurance, you will be refunded if you lodged a complaint.
Mark of the beast coming soon
whenever I forget my wallet I'm glad to know I can always pay for things with my phone
HK have been using tap and go prepaid card since the 80s. Use originally to pay for trains and buses. But now almost all merchant takes Octopus cards. You can load up the card with cash and so your travel, restaurants etc are anonymous.
I love this technology ❤
If it’s safer than why are there all these local news stories of people being forced to use tap to withdraw $ from ATMs (the swipe was purposely broken on the machine) and then scammers are able to withdraw all their $ from their bank accounts when they leave?
It’s due to STUPID PEOPLE NOT LOGGING OUT!!!!!
It felt so natural going to Europe from Canada. I feel even more foreign in the US.
The history is, when TFL (Transport for London) was developing their ticketing system to be contactless, they pioneered the technology of contactless Oyster (travel) cards. As 1/6th of the UK’s population lived in London, that put extreme pressure on banks to develop their own contactless, and that (convenience of tapping your bank card and not needing a ticket/top up an Oyster), meant the public wanted the same convenience in retail.
I still do not understand why Wal-Mart doesn't have apple pay/tap to pay. Even smaller businesses have access to the tech with companies like square yet a retail powerhouse doesn't have it. 🤨
They want you to use Walmart Pay
They have their own loyalty app or card and want you to use that. BTW, Walmart in Canada uses regular tap-and-pay.
I remember at one point that the US Walmart was one of the first places I could do chip and PIN at. But for the longest time, even in Canada, they didn't have tap-to-pay. Maybe it's a question of rollout - they didn't want to introduce tap-to-pay until they had enough machines to blanket a geographic area?
Wallymarts in Canada accept tap.
However NFC paired with UPI ( free money transfer of India) could be a game changer
It's not free, gov paying for it.
Tap and card insert connect to the same chip so have access to the same information. If a reader can be hacked for reading the chip it can be hacked for RFID. Commercial RFID readers may only have a few centimeter range but they can be made to work over longer distances like any other transmitter. So someone can stand near you and read your card. Fairly tough for someone to stand near you and insert your card into a reader.
good method
My issue with tap to pay is that all the readers have the tap spot in different places. If you save 1 second, but you spend an extra 5 tapping the wrong place, it’s better to just insert. If they could standardize the tap location (or, frankly, if I could remember to look every time before I tap), I’d use it more often.
It's standard, the antenna 90% is under the "wifi icon" no matter it's printed on the pos or on the screen. For iPhone, the antenna is under the Apple icon in the back. So try align these two.
Exactly!!!
5 taps would not result in 5 payments. The first one is the only one that works.
@@James_Knott maybe, but my comment didn’t say or imply multiple (successful) taps.
Tap to pay was shown when first introduced in 90s to be a HUGE SECURITY flaw. as all one needs to do is walk through a crowed group (club, dance hall or crowd) with a powerful rfid reader. The rfid card data can be stolen easily without the owner even knowing. Those cards were withdrawn from market because they were an obvious security risk. Well, now in modern times when sanity has been replaced by insanity - this is seen as a 'great option'. All we collectively do with more and more time, is sink in intelligence.
Congrats on catching up USA
Modern technology is so amazing 😊
most (if not all) of these technologies are American invention / innovation. but there are a few reasons why they may not be wide spread in the US, including inertia, preferences or even regulations. it is easier and cheaper to adopt a new technology if you hadn't spent as much building up complex and expensive infrastructure for the previous version.
Japan has had them since the late 90s.
exactly
PIN numbers - Scottish invention
Contactless cards - French/Austrian invention
Smart cards (precursor to contactless payment cards) - South Korean invention
@@PLuMUK54 Charles Walton was born in the UK but grew up in NYC and was in the army. He died back in 2011 in California.
Many were responsible for RFID, but Walton is considered the largest contributor.
South Korea was the first to make contactless payments, but the idea for FOB-like devices have been in use for years. Japan used it aswell in the 90s.
Im not sure why yall act like RFID was some insane feat of engineering either.
The soviets litterally bugged the US embassy with an RFID device back in the 60s I think.
It's one step closer to the dystopian future of "In Time."
This is great technology.
In Europe it's mandatory for all businesses to have NFC readers. My card don't even have a visible chip
convenient but increases theft risk
just get an rfid blocking wallet or use multiple cards stacked on top of each other that avoids the reader being able to read that data. on a phone the nfc usually isnt even active when it isnt unlocked.
I haven’t used cash in years and will never go back.Just tap and go with my phone.
Good video, but I feel it does not completely resolve my concerns about Tap-to-Pay. 1. Wallets and purses frequently have "RFID blocking" features. Are these needed? Initial fears about Tap-to-Pay described situations where thieves would hold a reader close enough (under a coat or in a bag) to another person's wallet/purse, and activate the payment card, and do a transaction without the card owner's knowledge. Is this possible or feasible? 2. What is to stop a really experienced hardware hacker from building a Tap-to-Pay terminal that has a greater range than 4cm? Yes it would use more power, but if the range was increased, then my first question/concern applies even more.
Here in Brazil, even the street food vendors accept contactless payments, its hard to find a store that doesnt accept nfc, its been common for years…
I’m amazed at how much more integrated tap to pay is in Canada than it is in the US. I can’t remember the last time I had to use my chip, and I don’t think I’ve used the magnetic strip swipe in probably 10 years. Who knew we were living in the future up here?! 🫎 🇨🇦 🍁
But y’all have no guns lol
@@tiki9055 And we couldn’t be happier without them!
@@TheVinster It’s bonkers it took this long to be most places. Maybe it’s because Canada has a banking cartel of five big government-sanctioned national banks, so rolling out features is easier.
@@tiki9055 Superglue a tap to pay chip to the gun....then tap the gun on the card reader......and people may run, and you may get arrested. But hey you still paid.
@@tiki9055 We actually have a lot of guns, most people living outside of the city have one. It's relatively easy to get a license.
Card reader on mobile phones, an easy way to pick pocket people without touching them
in the Driodverse we have this thing called "Biometrics". fixst. 😄
With mobile payments like Google Pay and Apple Pay, the phone has to be unlocked before tapping it to the POS. That would make it impossible for someone who is using their phone as a card reader to tap someone else's phone and charge their card. It's actually more secure than an NFC-enabled credit or debit card.
Even if your phone is stolen, the thief has to unlock your phone to be able to use mobile payments
@@terrydean3802 I think they mean tapping a card reader on someone's wallet