"But Android/Google Pay? It uses generated card numbers that are only good once."
Where on earth does this misconception come from? It's just not true!
28 posts • joined 22 Feb 2018
Nonsense! The £30 limit is there because there's no cardholder verification (PIN) below that point; this is why it can go higher than £30 on mobile. It is perfectly possible (and is the case in many places around the world) to do low-value contact transactions without PIN or other verification.
And if it's a fraudulent transaction, the interchange the issuer gets is by far outweighed by the fees involved in processing chargebacks and refunds.
"More accurately, payments using phone NFC are vastly more secure than cards during the transaction, mainly due to the use of one-time tokens preventing any possibility of cloning or really copying anything relevant at all."
Exactly the same mechanism is used in a card. The difference is that the card number from a plastic card can generally also be used outside the phone (internet, MOTO) whereas that from a phone cannot. But the number itself is the same from transaction to transaction - it's the cryptogram, not the card number, that is tied to an individual transaction.
"Once you've notified your bank that your card is missing any liability for fraudulent use falls on them, so they're very good at dealing with such reports."
And the same with the phone, if you tell your bank it's missing.
Transactions themselves aren't encrypted (between card and reader). But that's not really the point, because each transaction contains a unique cryptogram which can only be generated by the real card for that one transaction. The real benefit of mobile is that the card number cannot, unlike plastic cards, be used for online/MOTO transactions - or put on a mag stripe card to get cash out of an ATM.
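An added example, not part of the original comments and not the real EMV algorithm: a simplified model of the point above, where the card number is sent unchanged on every transaction while the cryptogram is bound to one transaction. The use of HMAC-SHA256, the field layout, the class names, the key and the card number are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, amount, date, un, atc):
    # Stand-in for the card's application cryptogram (assumption: HMAC-SHA256).
    msg = f"{pan}|{amount}|{date}|{un}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Card:
    """Card or phone wallet: static number, secret key, transaction counter."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0
    def pay(self, amount, date, un):
        self.atc += 1  # counter advances on every transaction
        return {"pan": self.pan, "amount": amount, "date": date, "un": un,
                "atc": self.atc,
                "cryptogram": _mac(self._key, self.pan, amount, date, un, self.atc)}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}
    def enroll(self, pan, key):
        self.keys[pan] = key
    def authorise(self, tx):
        key = self.keys.get(tx["pan"])
        if key is None:
            return False  # a number alone, with no key behind it, is useless
        expected = _mac(key, tx["pan"], tx["amount"], tx["date"], tx["un"], tx["atc"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False  # any altered field invalidates the cryptogram
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return False  # a captured transaction cannot be replayed
        self.last_atc[tx["pan"]] = tx["atc"]
        return True

def demo():
    pan, key = "9999000000000001", secrets.token_bytes(16)  # constructed values
    card, issuer = Card(pan, key), Issuer()
    issuer.enroll(pan, key)
    tx1 = card.pay(450, "2019-01-15", secrets.token_hex(4))  # un: terminal nonce
    tx2 = card.pay(450, "2019-01-15", secrets.token_hex(4))
    tampered = {**card.pay(100, "2019-01-15", secrets.token_hex(4)), "amount": 9999}
    return {"same_pan": tx1["pan"] == tx2["pan"],
            "cryptograms_differ": tx1["cryptogram"] != tx2["cryptogram"],
            "genuine_accepted": issuer.authorise(tx1) and issuer.authorise(tx2),
            "replay_rejected": not issuer.authorise(dict(tx1)),
            "altered_amount_rejected": not issuer.authorise(tampered)}

if __name__ == "__main__":
    print(demo())
```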
"For one, your credit card number & such never leave your phone during a transaction"
That's incorrect. The card number *must* leave the phone, otherwise the retailer has no way to charge your account. But it's a device-specific number, not the 'real' card number (which isn't on your phone at all).
Android Pay itself (or Apple, Samsung, etc.) has no maximum. If you got a £100 maximum then you're either using Barclays's app, or you came across a retailer who has their own upper limit for contactless or your issuer has put a limit on there.
Samsung Pay's only benefit, for me, is that it is present on Gear - unlike, for obvious reasons, Android Pay ;-)
Not even sure what you mean here. Apple and Android Pay don't work with each other in the same way that any iOS app and Android app don't work with each other. The important thing is that they all work on the same contactless terminals, along with cards, in the same way that any video medium would work on the same TV given a standard common interface (which is what EMV contactless has).
So you're fine with a physical card, where the same card number is used everywhere (in person, online, over the phone, mail order, on the mag stripe) but not with the tokenised payments used in mobile, where that card number can be used only in person, on that device, and only after you've unlocked it for use?
When paying at a physical terminal (i.e. contactless) the only entities that know *what* you've bought are the retailer and yourself - and whoever the retailer or yourself decide to tell.
Even your bank doesn't know what you bought - only where you bought it from (including the type of retailer it is) and how much it cost.
There is nothing of interest in the transaction data from the terminal to the card (or mobile) other than the amount and date of the transaction. So it's not possible for the card/mobile to know *what* you bought or who you bought it from.
Now - a mobile may infer the retailer based on your location, but it's unlikely. The *Pays will receive information from the card network (not the mobile) in order to provide you with notifications, which is where the retailer name & location in the wallet's transaction history comes from. So they will be building up a picture of where you shop - but not what you buy.
On the web/app, it's another matter. Retailers may directly integrate with *Pays and therefore more data may be directly available from the retailer.
“Samsung Pay, which uses technology developed by its LoopPlay, has a feature neither of its main rivals can boast, as it can act as a passive magnetic reader. This means it can act as an Oyster card without being woken up”
LoopPay, not LoopPlay.
MST *sends* data to a mag stripe reader. Rather than being a passive reader, it's the complete opposite.
Oyster does not use mag stripe at all - it's Mifare/DESFire-based. In fact, none of the *Pays can emulate Oyster.
MST requires the phone to be woken, and Samsung Pay activated, since it's then actively broadcasting card data to whoever's listening.