undefined | Better HN

0 pointslxgr1y ago0 comments

> Using a phone to pay for stuff is an opsec nightmare

Do you mean "privacy nightmare"? Security-wise, Google Pay beats using your physical card since it uses a device-specific number that can't be skimmed by terminals and reused online.

> the custom rom is still far more valuable from a security perspective than bending the knee to some bespoke ecosystem payment app (especially if you have an older device.)

I'd argue that it only makes sense if you have an older device that's otherwise not receiving any more security updates.

0 comments

kaszanka1y ago

AFAIK it only beats magnetic stripe cards, not EMV chip cards

lxgrOP1y ago

EMV chip cards still contain your card number and expiry date.

Skimmers would need a way to also learn the CVC2 from the back of the card to use it at most (but not all!) online merchants, but that's feasible using a small camera or a waiter/cashier accomplice doing the skimming.

With Google Pay and Apple Pay, and similar mobile wallets, that number is never shared during payments (and in fact not even stored on the device).

jjmarr1y ago

They do, but you can't get the card number from reading the chip. The protocol is a challenge-response one based on a private key stored within the chip.

https://en.wikipedia.org/wiki/Chip_Authentication_Program

You need to read the entire card number + cvc2 + expiry date with your camera. That's not skimming, that's just taking a photo of the card.

2 more replies

M95D1y ago

Any responsible user will learn the CVC, like any other password, and then erase it from the card.

2 more replies

j / k navigate · click thread line to collapse

0 pointslxgr1y ago0 comments

> Using a phone to pay for stuff is an opsec nightmare

Do you mean "privacy nightmare"? Security-wise, Google Pay beats using your physical card since it uses a device-specific number that can't be skimmed by terminals and reused online.

> the custom rom is still far more valuable from a security perspective than bending the knee to some bespoke ecosystem payment app (especially if you have an older device.)

I'd argue that it only makes sense if you have an older device that's otherwise not receiving any more security updates.

0 comments

kaszanka1y ago

AFAIK it only beats magnetic stripe cards, not EMV chip cards

lxgrOP1y ago

EMV chip cards still contain your card number and expiry date.

With Google Pay and Apple Pay, and similar mobile wallets, that number is never shared during payments (and in fact not even stored on the device).

jjmarr1y ago

They do, but you can't get the card number from reading the chip. The protocol is a challenge-response one based on a private key stored within the chip.

https://en.wikipedia.org/wiki/Chip_Authentication_Program

You need to read the entire card number + cvc2 + expiry date with your camera. That's not skimming, that's just taking a photo of the card.

2 more replies

M95D1y ago

Any responsible user will learn the CVC, like any other password, and then erase it from the card.

2 more replies

j / k navigate · click thread line to collapse