
How does a contactless payment really work?

Every time we go to a restaurant, when the bill comes you pull out the card (or the phone), tap... and in two seconds you are free to go back to badmouthing the "revisited" carbonara. 🗣️

But how does a contactless payment really work? How does that piece of plastic, or that rectangle of glass and metal, move money from your account to the merchant's? 💸

In this article we stay in the world of physical, in-store payments 🛍️ (so no online Amazon purchases) and split the topic into two families:

  1. payment with a physical card (magnetic stripe, chip, contactless) 💳
  2. payment with a smartphone (Apple Pay / Google Pay) 📱

And yes, at the end I answer the question you really care about: is it safer to pay by card or by phone?

Paying with a card

In 2024 in Italy, for the first time, digital payments exceeded cash, and within digital payments the lion's share belongs to cards. This "explains" why contactless has become the norm below certain thresholds... a method designed to make card payments faster and more convenient. But how does it actually work? 🤔

Card Anatomy Image

Take any card and look at it with curious eyes: two elements stand out:

  • the magnetic stripe (the black band)
  • the chip (that little metal square)

They are two completely different technologies. And one of them is so old that your grandfather was already using it in the 1960s. 👴 Guess which one?

1) Magnetic stripe: it works... but it is the historical weak point

The magnetic stripe, a layer of ferromagnetic particles on a plastic base, was born at a time when the goal was simply to have the data read at the checkout, full stop. The problem is how it carries that data. 📉

  • The information (card number, expiry date and other technical codes) is stored on the stripe.
  • And above all... it is static and in the clear. 😳

Static? Yes: the data does not change from one transaction to the next, so the card always sends exactly the same information.

And another very important point: the information needed to authorise the transaction travels from the card to the POS in the clear! Yes, in the clear: it is not encrypted. 🤕

So, if someone could read that stripe, they could copy what they need to "replay" the card 🚨 (at least in fraud scenarios where the stripe is still accepted).

Hence the classic world of skimming: hidden readers at the points where you swipe, copied data and... a cloned card. 🕵🏻‍♂️ This is why the magnetic stripe is today considered the least secure of the "classic" ways to pay in a shop.

2) EMV chip: the card becomes a mini-computer (and stops being "easily" clonable)

For this reason the EMV standard (Europay, Mastercard, Visa) was born. It uses a chip that protects transactions by generating dynamic data that changes with every payment, making cloning the card practically impossible.

Physically, the EMV chip is a small microprocessor embedded in the card, very much like a tiny computer. It is not just a "digital magnet" like the stripe: it contains a processor that performs cryptographic calculations, non-volatile memory for the static card data (number, expiry, digital certificates), volatile memory for temporary transaction data, and a random number generator used to create unique cryptograms. 🧮

The chip can be used in two modes:

Mode A: card inserted (contact chip)

When you insert the card into the POS, the terminal makes electrical contact with the chip and starts a dialogue (a protocol) in which the transaction data is exchanged under cryptographic protection. The bank can then verify that the transaction is "authentic" and not a copy of an earlier payment.

Mode B: card tapped (contactless)

Here it is enough to hold the card near the POS and the payment goes through. But the question is: "OK, but physically, how does a contactless payment work?"

And here comes an interesting bit of physics.

Internal Chip Image

If we look inside a payment card, as in the picture, we clearly see a thin wire winding around the card, the NFC antenna, connected to a small metal square. That's right: the very chip we were talking about earlier!

But how do you power this circuit without a battery?

When you bring the card close, the POS generates a varying electromagnetic field, which induces an electric current in the card's antenna; that current powers the chip and carries the communication with it. In physics this is called electromagnetic induction. ⚡️

The induced current "wakes up" the chip, which computes a one-time cryptogram using the cryptographic keys stored inside it and transmits the required data (card number, dynamic transaction cryptogram, etc.) to the POS, again through variations of the magnetic field.

Finally, the POS sends everything to our bank, which verifies it and authorises the payment. All in a few seconds. 💨

The security point here is simple: even if someone intercepts the communication, that dynamic code is designed to be single-use.
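To make the stripe-versus-chip difference concrete, here is a toy model written for this article (it is not code from the card, a terminal or any issuer). The real EMV cryptogram (the ARQC) is a MAC computed with issuer-personalised 3DES or AES session keys over terminal and card data; here HMAC-SHA256 stands in for that MAC, the card number, expiry and key are constructed sample values, and the "issuer" is a few lines that recompute the MAC and remember the highest transaction counter it has seen. It shows why a copied stripe is accepted again while a captured chip exchange is not: the counter (ATC) and the terminal's random number make every cryptogram different, and the issuer rejects a repeated or tampered one.

```python
"""Stripe vs EMV-style dynamic cryptogram: why a copy of the stripe replays
but a captured chip transaction does not. Constructed values throughout."""
import hmac
import hashlib
import secrets

# Constructed sample values (not real card data).
PAN = "4000123412341234"
EXPIRY = "1227"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # issuer-personalised secret (constructed)


class MagstripeCard:
    """Stripe: the same static bytes every swipe; whoever copies them can present them again."""
    def __init__(self, pan, expiry):
        self.track = f"{pan}={expiry}"  # simplified Track 2 layout

    def swipe(self):
        return self.track


class EmvCard:
    """Chip: a per-transaction MAC over amount, terminal nonce and a counter."""
    def __init__(self, pan, expiry, key):
        self.pan, self.expiry, self.key = pan, expiry, key
        self.atc = 0  # Application Transaction Counter, increments on every use

    def tap(self, amount_cents, terminal_nonce):
        self.atc += 1
        msg = f"{self.pan}|{self.expiry}|{amount_cents}|{self.atc}|{terminal_nonce.hex()}".encode()
        cryptogram = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]  # stand-in for the ARQC
        return {"pan": self.pan, "expiry": self.expiry, "amount": amount_cents,
                "atc": self.atc, "nonce": terminal_nonce, "arqc": cryptogram}


class Issuer:
    """The bank: knows the card key, recomputes the MAC, remembers the highest ATC seen."""
    def __init__(self, key):
        self.key = key
        self.last_atc = {}

    def authorise_stripe(self, track):
        # Nothing dynamic to verify: whoever has the bytes "is" the card.
        return track.startswith(PAN)

    def authorise_chip(self, req):
        msg = f"{req['pan']}|{req['expiry']}|{req['amount']}|{req['atc']}|{req['nonce'].hex()}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["arqc"]):
            return False  # amount/nonce changed or wrong key
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False  # counter already seen: a replay
        self.last_atc[req["pan"]] = req["atc"]
        return True


def demo():
    issuer = Issuer(CARD_KEY)

    # 1. Stripe: a copy of the track is indistinguishable from the original.
    stripe = MagstripeCard(PAN, EXPIRY)
    captured_track = stripe.swipe()
    stripe_replay_ok = issuer.authorise_stripe(captured_track)

    # 2. Chip: the captured tap fails on replay, and a changed amount fails the MAC.
    chip = EmvCard(PAN, EXPIRY, CARD_KEY)
    captured = chip.tap(1250, secrets.token_bytes(4))
    first_ok = issuer.authorise_chip(captured)
    replay_ok = issuer.authorise_chip(captured)            # same ATC -> rejected
    tampered = dict(captured, amount=99999, atc=captured["atc"] + 1)
    tampered_ok = issuer.authorise_chip(tampered)          # MAC no longer matches
    fresh_ok = issuer.authorise_chip(chip.tap(300, secrets.token_bytes(4)))  # next genuine tap
    return {"stripe_replay": stripe_replay_ok, "chip_first": first_ok,
            "chip_replay": replay_ok, "chip_tampered": tampered_ok, "chip_next": fresh_ok}


if __name__ == "__main__":
    print(demo())
```

Running it shows the stripe copy authorised, the first chip tap authorised, the replayed and the tampered chip requests rejected, and the card's next genuine tap accepted. A real issuer additionally checks the ATC against a window rather than strict ordering and derives a fresh session key from the counter, but the property the article describes is the same: the cryptogram is good exactly once.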

Paying with your smartphone: still contactless

When you pay with the phone, from the outside it looks identical to contactless with a card... bring it close and go. In fact, the communication technology is still NFC.

But what changes compared to paying with the physical card?

Here too there is a dedicated circuit, but here the counterpart of the EMV chip is called the Secure Element!

Every iPhone has a dedicated physical Secure Element, while an Android phone may or may not have one, because most rely on software emulation (HCE) to store the data without dedicated hardware. But let's go step by step!

NFC Antenna IPhone Image

As we can see in this image, there is a dedicated circuit entirely isolated from the other components of the phone. This matters a lot, because it makes it less vulnerable to attacks. 🦾

So, we have seen that the technology and the physical phenomenon are the same, but the payment procedure is not. Why? Because an extra actor steps in the middle and, above all, before paying you have to prove you really are you (Face ID / Touch ID / fingerprint / phone PIN) before you can even select a card and pay!

And this is one huge difference: it adds an extra level of security before we even talk about encryption.

There are several payment apps, but let's take the most famous ones, distinguishing two cases: Apple Pay and Google Pay.

Contactless payment with Apple Pay

In both cases we can split the process into two moments: when we add the card to the app and when we pay.

Adding the card. The first time we register the card, its data is sent to the bank. The bank does not return the actual card number, but generates a replacement code called the Device Account Number (DAN), which uniquely identifies the card on our device. This code is saved in a protected area of the phone, the Secure Element.

Paying. When we want to make a purchase, we unlock the app, choose the card and bring the phone close to the POS. At that moment the POS receives the DAN and a cryptographic code generated on the spot, different for each payment, which guarantees that the transaction cannot be forged or reused. The merchant's bank forwards this information to our bank, which checks it and gives the green light. And that's it... payment done!

The real card number is never transmitted: even if someone intercepted the data, they would get nothing usable.

Contactless payment with Google Pay

Google Pay works in a similar way, but with some important differences.

Adding the card. When we register the card, the data does not stay on the phone but is sent to and stored on a remote Google server, which returns a token to be used for payments.

Paying. At purchase time, the app sends the POS the token, a cryptographic code generated for that specific transaction and the technical data required by the EMV protocol. Unlike Apple Pay, however, the POS does not communicate directly with our bank: the request first goes through Google's servers, which hold the card data and take care of contacting the bank to complete the payment.

There are two differences with Apple Pay, and they are no small detail.

The first concerns where the data is stored: Apple stores nothing on external servers, everything stays exclusively on the device. Google, instead, keeps the card information on its servers. 📝

The second concerns how the payment is handled on the phone: Apple always uses a dedicated, isolated hardware chip, the Secure Element. Google, in most cases, emulates a contactless card in software, a technology called Host Card Emulation (HCE), without requiring a dedicated physical chip.

The result is that Google Pay still offers a high level of security, but its architecture is less armoured than Apple Pay's (where everything lives in an isolated chip).

One possible explanation I gave myself is that Google probably chose this path because it has to support the app on many different Android devices which, unlike Apple devices, might not all have the dedicated hardware component. Apple directly controls all its devices! 🤔
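The common idea behind the DAN and Google's token is tokenization, and a small model written for this article (not Apple's, Google's or any card network's code) makes the two sections above tangible. A token service provisions a card-shaped random token for one device, the wallet sends only that token to the POS, and the service maps it back to the real number before the bank authorises. The card number, the device identifiers and the token format are constructed; the `device_id` field is a simplification that stands in for the device-bound key which, in the real systems, produces the per-payment cryptogram and thereby binds the token to the phone.

```python
"""Toy token vault: what the DAN / wallet token does for the merchant-facing
payment message, and what happens when the phone is lost. Constructed values."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Constructed sample card (not a real number).
REAL_PAN = "5200123412341234"


@dataclass
class TokenRecord:
    pan: str
    device_id: str
    active: bool = True


class TokenService:
    """Stand-in for the token service behind the wallet (assumed, simplified API)."""
    def __init__(self):
        self.vault: dict[str, TokenRecord] = {}

    def provision(self, pan: str, device_id: str) -> str:
        # A random, card-shaped token replaces the PAN on this one device.
        token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        self.vault[token] = TokenRecord(pan, device_id)
        return token

    def revoke_device(self, device_id: str) -> int:
        """Lost phone: disable that device's tokens; the physical card keeps working."""
        n = 0
        for rec in self.vault.values():
            if rec.device_id == device_id and rec.active:
                rec.active = False
                n += 1
        return n

    def detokenize(self, token: str, device_id: str) -> str | None:
        rec = self.vault.get(token)
        if rec is None or not rec.active or rec.device_id != device_id:
            return None
        return rec.pan


@dataclass
class Wallet:
    device_id: str
    token: str
    user_unlocked: bool = False  # outcome of Face ID / fingerprint / PIN

    def tap(self, amount_cents: int) -> dict | None:
        """The message the POS receives; the real PAN is not part of it."""
        if not self.user_unlocked:
            return None  # no user authentication, no payment message at all
        return {"token": self.token, "device_id": self.device_id, "amount": amount_cents}


def run_payment(service: TokenService, payload: dict | None) -> tuple[bool, bool]:
    """Returns (authorised, real_pan_visible_to_merchant)."""
    if payload is None:
        return False, False
    pan_exposed = REAL_PAN in str(payload)  # what a merchant could learn from the message
    pan = service.detokenize(payload["token"], payload["device_id"])
    return pan is not None, pan_exposed


def demo() -> dict:
    service = TokenService()
    phone = Wallet("phone-A", service.provision(REAL_PAN, "phone-A"))
    results = {}
    results["locked"] = run_payment(service, phone.tap(500))[0]
    phone.user_unlocked = True
    ok, exposed = run_payment(service, phone.tap(500))
    results["unlocked"], results["pan_exposed"] = ok, exposed
    # The same token presented from another device fails the binding check.
    other = {"token": phone.token, "device_id": "phone-B", "amount": 500}
    results["other_device"] = run_payment(service, other)[0]
    # Phone reported lost: revoke its tokens; even phone-A can no longer pay with it.
    results["revoked_count"] = service.revoke_device("phone-A")
    results["after_revoke"] = run_payment(service, phone.tap(500))[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The run shows the four properties the article attributes to wallet payments: nothing is sent while the phone is locked, the merchant-side message never contains the real card number, the token is useless away from the device it was provisioned for, and a lost phone is handled by revoking its tokens rather than reissuing the card. Where that vault physically lives (in the Secure Element or on a remote server) is exactly the Apple/Google difference described above.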

So, card or smartphone? Which is safer (really)?

Having seen all the payment methods, let's try to rank them, starting from the least secure. 📉

🥉 Last place: magnetic stripe. When you swipe the card, the data travels to the POS in the clear, with no encryption. Anyone who can intercept the communication gets everything needed to clone the card.

🥈 Middle: chip and contactless. Whether you insert or tap the card, in both cases the data is protected cryptographically, making the communication much harder to intercept and exploit. There is no substantial difference between the two in terms of security.

🥇 First place: smartphone. On top of encryption, paying via app adds an extra level of protection that the other methods do not have... user authentication. Before we can pay, we must unlock the app with Face ID, fingerprint or PIN. Even if someone steals our phone, they could not use it to pay.

That said, if I may make a small provocation: no technology beats dear old cash. 🎖️

No data to encrypt, no servers, no eavesdropping. The safest method has existed for centuries, and we have it in our pocket.


Elio Magliari

Hi, I'm Elio. I work as a software engineer.

I share what I discover about the digital world, the questions I ask myself, and the ideas that help me understand it and explain it more clearly.
