I don't think tap to pay can be skimmed in the same way you can with swiping. You'd have to actually clone the data on the NFC chip, which isn't possible through a tap from what I understand.
Interesting! Wasn't aware of that. Is this something that's being actively exploited in the wild though? It won't let me read the actual paper so it's hard for me to tell how practical the attack is.
This risk also applies to any card terminal where you pay contactlessly. In Europe, that effectively means every card terminal everywhere and a comfortable majority of card transactions (https://www.mastercard.com/news/europe/en-uk/newsroom/press-... says 75% of Mastercard transactions in Europe are contactless).
No idea how that can translate directly onto phone-based terminals though. On cards, the extra-validation backup for suspicious/over the daily limit transactions is that the contactless machine asks you for your pin, but there's no way anybody should be typing their card pin into a random stranger's iPhone.
There are still attacks, e.g. contactless purchase limits can be bypassed by simply telling the terminal "of course I am a CDCVM device, let me use the higher transaction limits":
I suspect that Apple will have full control of the screen, like Apple Pay. Your POS app will call an Apple+(Stripe/other) API which will show the payment screen and enable the NFC hardware.
There will be no way for an app to display a fake payment screen in front of the real one, or to access the NFC APIs themselves. It's clearly one of the key reasons why Apple have not opened up the NFC hardware for outside developers.
Sure, but that's something card networks already deal with via chargebacks. If merchants get caught doing that, they'll have their payment processor, the processor's acquirer and Mastercard/Visa all over them like a bad rash.
You can guarantee that the merchant's collateral, or any unpaid funds, will be taken and used to automatically refund anyone that went near their readers, and if the money can't be claimed from the merchant, then the payment processor or acquirer will be forced to cough up.
All the card networks take this type of fraud very seriously. They understand that they only get to keep their very lucrative positions in this world if people 100% trust card readers to not rip them off, and to get easy compensation if they do. So they come down hard on businesses that threaten that trust.
Exactly, there's nothing really new here except the device being used. The risk of skimming with a phone is no different from a 3G-enabled terminal. Ultimately you need a business account and legal agreements with a merchant - so in this case Stripe - to start work and accept payments.
Absolutely agree, it ought to be displayed and then consented to based on that knowledge.
Right now with most contactless in shops in the UK you're left thinking "did they key that amount in right?" and if you're paranoid you ask for a receipt (from the machine, although merchants often drag their feet or try to give you one from the till not the reader!) and/or you check on the phone afterwards (which would be a pain if it showed an issue because by then it's a bit late!)
But thanks to the App Store, there won't be rogue apps that can be downloaded and installed. Not to mention, the developer would have to have operating system entitlements that are only available to paid-up developers in good standing with Apple.
Presumably these apps will be heavily locked down and reviewed by Apple to mitigate this. Could also imagine iOS UX to help here (obviously could still be phished).
I think it only allows contactless payments. No matter if from a card or phone or whatever that is equipped with NFC payments that is compatible with the merchant app.