Why Tap-to-Pay Is Safer Than a Credit Card Swipe | WSJ Tech Behind

Given how the US is seen as a leader in tech, its surprising how they lag behind in things like payment technologies. They were behind to adopt chip and pin, now theyre again slow to adopt contactless. Here in the UK Ive been paying using contactless (with my phone) for years.

Tap to pay has been so widespread in Canada for almost 10 years now. It always surprises me to go down south and having to insert my card or still sign my name. I can’t remember the last time I did the that in Canada

Australia was an early adopter of tap and pay as well as payment via phones and watches. I think the key was that the machines are not owned by the businesses instead they are provided as part of the package with the vendors bank. This means that the banks could push the technology out and our lifestyle of carrying minimal amounts of things when out on the weekend etc made it appealing

One correction on the video: The NFC chip that stores your card's data is actually not visible. It's hidden inside your card just like the NFC antenna. The visible chip highlighted in this video is specifically for transactions where your card needs to be inserted in the reader.

I did some cashiering at a drug store when I was in college in the mid 1980s. I remember how people waiting in that line used to groan when a customer pulled out the credit card -- we had those old machines with carbon copies that we ran a card through, had to use the intercom to ask a manager come for a credit card approval, and they would actually call to make sure the card was valid and good for charges. Now people grumble when someone is NOT quickly swiping or tapping a credit card which is almost instant now, compared to people writing checks (yes, some people still do) or fumbling through their wallets for exact change. My, how times have changed.

What people don't get about magstripe is that all your data is recorded on the stripe (like music on a cassette tape) and easy to read. To clone a credit card's magstripe, you just have to read the stripe and write it to another card. You get a perfect copy. But with chip and pin (and tap and pay - although the mechanism is a bit different) on the chip, there's a section of memory called "write-only memory" where a cryptographic key (half of a pair) is stored. It's called "write only" because you can write to it, but only the processor inside the chip can read it and even then, not directly. There's no reasonable way for a cloner to get the data back out short of decapping the chip (removing the top of it, also known as delidding) and using microprobes to trace the circuits while making a request. The write only memory is attached to a dedicated crypto processor which cannot be asked for the key, rather you give it data and it either encrypts or decrypts using the key in write only memory and then returns the result. Because of how PKI (the system for the keys) work, there are two half keys - A and B and because of the maths involved, if you encrypt a message with A, ONLY B can decode it and if you encode it with B, ONLY A can decode it. If you have either A or B, it's extremely difficult to figure out the other key (it would take hundreds of years minimum even with the most powerful computer, although quantum computers may change that). Your card has one of the two keys assigned to the card (A) - the bank has the other (B) - so when you tap, the terminal picks a random number, asks your card to encrypt it with A, then sends that encrypted message to the bank which then decrypts the message using your B key. It then re-encrypts the message using your B key and sends that back. Remember, if you encrypt with A ONLY B can decrypt, and if you encrypt with B, ONLY A can decrypt. So if the card is valid, the card encrypts it with A which the bank can decrypt with your B. It never looks at the content - it just re-encrypts it with the B key and sends that back. ONLY your A key - the one on the card can decrypt it. And that results in the original random number that was sent. If they match, it's valid. There are very few known ways to trick this system. There was a bug in the early version of the system that, if the attacker got the timing just right, could inject a repeat purchase into the pay terminal (it wasn't a bug with the card) that would look like the first purchase and cause two payouts, but the attacker had 45 seconds to complete it, and the bug has since been patched. Most attacks actually copy the magstripe and then make it look like the tap and pay or the chip card has failed to get you to fallback and use the magstripe.

Ever since I was a kid I've heard about how dangerous swiping you card can be. So its amazing that it took well over a decade since hearing this for the U.S. to widely adopt something like tap-to-pay in which it is considerably safer to use your card, especially after hearing the statistics every year on how much money is lost due to fraud/stolen credentials

One more thing In India All NFC Enabled phones can work as Payment Machines for small businesses. If you just have a current account with any bank. No set-up fees or any one-time or monthly fees for the business owners. Just the processing fees.

It always felt so backwards to go from Europe to the US, where people still used swipe & sign instead of chip & pin, let alone contactless. Glad to see that it finally reached the other side of Atlantic :) Now how about paying service workers at least a minimum wage and stop making people pay 20%+ tips for everything? :)

What I like best about tap to pay is how cheap it is to implement for very small businesses. About 90% of the people who have stalls at my local farmer’s market have a Square device.

I’ve never used swipe. Tap to pay has been a thing in Europe for ages, especially in the UK, it’s very rare not to have it, even nearly all tiny businesses have it.

The only issue for tap to pay for me is that there are payment terminals that don’t tell you where to tap specifically. I have to move my card around to figure where to tap on the terminal that don’t have the symbol to pay

Something i think you missed is that the active device is actually providing a small amount of power to the passive device to receive information, since the passive device actually has a micro processor in it that stores the information, and in order for it to be sent it requires power.

The NFC tech is actually really useful… far more than just this kinda stuff.

That short distance is not because of the frequency but power of the signal being generated. Obviously that is by design. RFID works at the same frequency but can go distances of above 10 cm

Finally, it's gotten to the point where nearly every business I frequent has tap-to-pay. I rarely find myself pulling my card out to swipe for payment. I do nearly everything with Apple Pay.

The best explanation on the topic I have seen to date. WSJ knocks it out of the park again 👏

Even in Romania it's been here for almost 10 years. It was adopted quite well and fast.

5:50 A truly beatiful and unique signature.

Great video. Hopefully the US adopts tap soon. So weird to travel there and have to dig a card out of your wallet just to have someone at a restaurant walk away with it where they can skim it or do whatever they want in the back.