Why Tap-to-Pay Is Safer Than a Credit Card Swipe | WSJ Tech Behind

Given how the US is seen as a leader in tech, its surprising how they lag behind in things like payment technologies. They were behind to adopt chip and pin, now theyre again slow to adopt contactless. Here in the UK Ive been paying using contactless (with my phone) for years.

Tap to pay has been so widespread in Canada for almost 10 years now. It always surprises me to go down south and having to insert my card or still sign my name. I can’t remember the last time I did the that in Canada

Australia was an early adopter of tap and pay as well as payment via phones and watches. I think the key was that the machines are not owned by the businesses instead they are provided as part of the package with the vendors bank. This means that the banks could push the technology out and our lifestyle of carrying minimal amounts of things when out on the weekend etc made it appealing

One correction on the video: The NFC chip that stores your card's data is actually not visible. It's hidden inside your card just like the NFC antenna. The visible chip highlighted in this video is specifically for transactions where your card needs to be inserted in the reader.

Ever since I was a kid I've heard about how dangerous swiping you card can be. So its amazing that it took well over a decade since hearing this for the U.S. to widely adopt something like tap-to-pay in which it is considerably safer to use your card, especially after hearing the statistics every year on how much money is lost due to fraud/stolen credentials

One more thing In India All NFC Enabled phones can work as Payment Machines for small businesses. If you just have a current account with any bank. No set-up fees or any one-time or monthly fees for the business owners. Just the processing fees.

It always felt so backwards to go from Europe to the US, where people still used swipe & sign instead of chip & pin, let alone contactless. Glad to see that it finally reached the other side of Atlantic :)
Now how about paying service workers at least a minimum wage and stop making people pay 20%+ tips for everything? :)

What people don't get about magstripe is that all your data is recorded on the stripe (like music on a cassette tape) and easy to read. To clone a credit card's magstripe, you just have to read the stripe and write it to another card. You get a perfect copy.
But with chip and pin (and tap and pay - although the mechanism is a bit different) on the chip, there's a section of memory called "write-only memory" where a cryptographic key (half of a pair) is stored. It's called "write only" because you can write to it, but only the processor inside the chip can read it and even then, not directly. There's no reasonable way for a cloner to get the data back out short of decapping the chip (removing the top of it, also known as delidding) and using microprobes to trace the circuits while making a request.
The write only memory is attached to a dedicated crypto processor which cannot be asked for the key, rather you give it data and it either encrypts or decrypts using the key in write only memory and then returns the result.
Because of how PKI (the system for the keys) work, there are two half keys - A and B and because of the maths involved, if you encrypt a message with A, ONLY B can decode it and if you encode it with B, ONLY A can decode it. If you have either A or B, it's extremely difficult to figure out the other key (it would take hundreds of years minimum even with the most powerful computer, although quantum computers may change that).
Your card has one of the two keys assigned to the card (A) - the bank has the other (B) - so when you tap, the terminal picks a random number, asks your card to encrypt it with A, then sends that encrypted message to the bank which then decrypts the message using your B key. It then re-encrypts the message using your B key and sends that back. Remember, if you encrypt with A ONLY B can decrypt, and if you encrypt with B, ONLY A can decrypt. So if the card is valid, the card encrypts it with A which the bank can decrypt with your B. It never looks at the content - it just re-encrypts it with the B key and sends that back. ONLY your A key - the one on the card can decrypt it. And that results in the original random number that was sent. If they match, it's valid.
There are very few known ways to trick this system. There was a bug in the early version of the system that, if the attacker got the timing just right, could inject a repeat purchase into the pay terminal (it wasn't a bug with the card) that would look like the first purchase and cause two payouts, but the attacker had 45 seconds to complete it, and the bug has since been patched.
Most attacks actually copy the magstripe and then make it look like the tap and pay or the chip card has failed to get you to fallback and use the magstripe.

The NFC tech is actually really useful… far more than just this kinda stuff.

Something i think you missed is that the active device is actually providing a small amount of power to the passive device to receive information, since the passive device actually has a micro processor in it that stores the information, and in order for it to be sent it requires power.

I’ve never used swipe. Tap to pay has been a thing in Europe for ages, especially in the UK, it’s very rare not to have it, even nearly all tiny businesses have it.

The only issue for tap to pay for me is that there are payment terminals that don’t tell you where to tap specifically. I have to move my card around to figure where to tap on the terminal that don’t have the symbol to pay

What I like best about tap to pay is how cheap it is to implement for very small businesses. About 90% of the people who have stalls at my local farmer’s market have a Square device.

That short distance is not because of the frequency but power of the signal being generated. Obviously that is by design. RFID works at the same frequency but can go distances of above 10 cm

THE WAY I WENT TO CHECK THE DATE THIS VIDEO WAS UPLOADED!! 😲
*giggles in UK*

The best explanation on the topic I have seen to date. WSJ knocks it out of the park again 👏

NFC tech is so popular in Japan. The Japanese people have NFC enabled cards called Suica/Pasmo that they use to effortlessly enter/exit subway stations and the ticket fare is accordingly charged.

5:50
A truly beatiful and unique signature.

Finally, it's gotten to the point where nearly every business I frequent has tap-to-pay. I rarely find myself pulling my card out to swipe for payment. I do nearly everything with Apple Pay.

it's crazy to see that tap to pay is not that popular on the US, I'm from Colombia and basically every business that accept credit or debit has tap to pay capable systems so we use it very often

One issue I have run into a couple of times in the last year (2022) where the card I chose to use and the reader registered a payment before the card got within 6 inches or so of the reader. I now use a blocking wallet.

I remember using tap payments 20 years ago in europe. glad that north america is finally catching up.

this is astounding to me. we’ve had this in the UK for at least ten years!

Great video. Hopefully the US adopts tap soon. So weird to travel there and have to dig a card out of your wallet just to have someone at a restaurant walk away with it where they can skim it or do whatever they want in the back.

Thank WSJ to share NFC and RFDI to us and how tap to pay works

Here in Latinamerica tap-to-pay is a big security breach. It's very easy for a malicious active terminal to read data from a card inside a person pocket. Most of banks require PIN for a 10 USD or greater check.

There are still a lot of bugs to be worked out with merchants. A few weeks ago I tried using contactless at a Shell gas station. Both using my phone and tapping the physical card failed. I was given an error message saying it was declined. Inserting the card worked as it should have. This is not an isolated incident. I've had failures with other merchants as well, though some (like Five Guys) have finally fixed their systems to work properly.

Very surprised to learn this is still fairly new in the U.S. it's been commonplace in Canada for a while. I don't remember exactly how long, but I do remember at the start of the pandemic Walmart was basically the only major retailer that didn't have it yet--pretty much every other store had already had it for years by then. But then again we had widespread bank debit payment since the early 90s, and I don't think that became common in the states until much more recent

Everytime i visited the US in the past, it felt like stepping back in time from a payment systems perspective.

Even in Romania it's been here for almost 10 years. It was adopted quite well and fast.

The transaction itself might be safer than other methods. I use it every day in a European country where it is really common. However, something I am always a little worried about is loosing my wallet and someone using my card to do purchases. You have to insert the card and provide the PIN every 20 transactions or so and for higher payments. Even though according to banks the numbers of fraud happening this way are allegedly small, I see it as a security risk. I wouldn't mind still providing a code when using the NFC functionality or perhaps having your fingerprint stored locally on the card (there are companies working on this) as an additional security layer.

In New York, for the MTA, there's Tap to Pay, Swipe to Pay, as well as Hop to Ride.

I did some cashiering at a drug store when I was in college in the mid 1980s. I remember how people waiting in that line used to groan when a customer pulled out the credit card -- we had those old machines with carbon copies that we ran a card through, had to use the intercom to ask a manager come for a credit card approval, and they would actually call to make sure the card was valid and good for charges. Now people grumble when someone is NOT quickly swiping or tapping a credit card which is almost instant now, compared to people writing checks (yes, some people still do) or fumbling through their wallets for exact change.
My, how times have changed.

Here's my issue with Tap to pay:
Let's say I keep my card in my wallet or a clip in my back pocket (or even the front pocket of my jeans for that matter). What stops someone, with access to an active NFC reader, from coming just close enough to where my card is kept and complete a transaction?
That's why I prefer cards with chips even though the transaction might take a measly second longer

I had one of those charge me when I accidently held my wallet too close. Fortunately the shop owner saw two entries (I had paid in cash) and refunded.
This seems to compare these to security of a magnetic strip (which is weaker) but not the chipped card which is also secure. The concept that a charge can occur over the air is uncomfortable.

Tao to pay is so useful. It’s amazing ❤

I remember going to college in the US in 2017 and being surprised I couldn't use contactless anywhere, while I'd been using it in France since the early 2010s.

Looking forward to the next video on how the internal combustion engine works....

3:39 base from this design flow chart, it was secure and efficient only for the side of the corporation. not in the side of the user.
anyone can buy Flipper zero in a black market (if it's banned in your country). and can read and imitate your NFC powered card.
and there is a very simple fix to that. super simple that I don't know why these company didn't implement it.
that is to put a simple mechanical slider switch to disconnect those very tiny wires inside your card. in which you only slides in when you are about to do a transaction. and slides it back when you are done. ensuring that no unauthorize card reader can read your card without you knowing it while walking somewhere crowded.
but instead they just let their product unsecured and put those burden to the people to buy a protective sleeves for their card.

Extremely interesting video. As a frequent traveller who works in the tech industry and travelling back and forth to Silicon Valley for years, I've always wondered why the US was such a slow adopter of this tech.
The first real contactless payment systems were common in Japan, South Korea and later places like Hong Kong. But the first contactless banking cards were offered in the US in 2004. But they really didn't take off.
An example: th-cam.com/video/u2gMaSk2tsQ/w-d-xo.html
What happened to slow the adoption down? Glad this video finally answered the question.
I suppose the opposite occurred in Australia. After introducing the cards in 2006, adoption was swift, being to date the fastest adopter of the tech with among the highest usage rates among consumers. Part of that was a very flexible fintech sector where retailers could extremely quickly take up new machines. With tap and pay terminals being ubiquitous only a couple of years after introduction, a lot of people switched.
But Australia is also a country that has been quick to introduce anything convenient in fintech.
Cheques for example fell out of fashion in the 80's and 90's. With internet banking becoming more common from around 1997, rent would be a simple and free personal bank to business transaction; never a cheque, never in person.
Transfers between banks, between people, between business is all integrated into a seamless payment system which also meant there has never been the need for 3rd party solutions, with Australians doing such transfers well before the likes of PayPay and Venmo.
I am sure Europeans and British would have similar sentiments. The UK for example, was very quick to abolish signatures being a rapid adopter of chip and PIN as a way to reduce credit card theft and fraudulent use. Australia followed suit, banning the practice as well.

Was in NY last week; first time without cash. The tap to pay, very normal in the Netherlands, works great.

Yeah, except tap to pay cards are fundamentally insecure. Someone stole my card with it a couple months ago. All they have to do is use a smart phone to initiate a transaction as they walk by and replay my response at a payment terminal. I asked my bank if I could get a card that doesn't have that feature, and they said no.

Unfortunately it's not possible to require pin every time so if someone steals your card or phone you're in trouble.

Tap to pay has been available in Australia for a very long time, too. In Sydney all of our public transport has been tap to pay for many years. 10 years ago in Europe it was disappointing to see how few merchants had tap to pay available (just like the US when we visited 5 years ago). We recently returned to Europe and it's great to see how widely it has been adopted now - even down to small town market merchants in France having contactless payment options. Unfortunately still don't see it much on public transport (other than in London).

It was introduced in Japan more than 10 years ago as well as in the UK and Australia.
Few people take credit cards out of their wallets

We have been using it for years in South Africa! In face we have moved in from that since COVID.

The biggest problem I have with tap to pay is 90% of places still don’t recognize it. So it’s usually not an option. I wish more places got up to speed with it, it could really make a difference in curbing the number of frauds

I have been entering my PIN manually for the longest time until I found out recently it has the tap option and have been using it. But, I am still skeptical that tapping is more secure than swiping... 🤔

HK have been using tap and go prepaid card since the 80s. Use originally to pay for trains and buses. But now almost all merchant takes Octopus cards. You can load up the card with cash and so your travel, restaurants etc are anonymous.

Thankyou for the video

Let's be honest. Large retail businesses do not want to activate Pay-To-Pay payments because they will miss out on data that can get since there is a randomized token. They won't be able to see what/where you are buying from. I am looking at HEB, Kroger, Home Depot. The devices in the store already have the NCF hardware in there, but they chose to deactivate it. Kroger was for the longest time forcing customers to use their version of tap to pay, but people did not want to use it because it did not work.
They will claim that it will too expensive to activate and accept Tap-To-Pay, but that is simply not true. They won't be able to grab your data since there is a randomized token.

How vulnerable are the tap to pay cards to being read by others while in your purse or wallet?

Great info! Thanks!

Appreciate the layman's explanation of this tech

Of course, we've coupled contactless with a "no verification" policy (such as a PIN or getting signature verification from a vendor, which granted has all but disappeared anyway.) So as any good hacker knows, there's no need to intercept all that encrypted data when all you really need is to get a hold of the card. If you have the card, you tap, purchase the items with someone else's card, "burn" the card, and sell the items elsewhere.
In other words, don't drop your card. You may as well have dropped cash.

Been seeing stories of tap cards being accessed while in peoples pockets and purses. One woman had 3 cards accessed in her purse, 2 ft away, for the same purchase 😮

Just watched a DEFCON video showing that 99 percent of the tap to pay sensors are vulnerable and then shown to have weaponized it. All though tapping a cellphone to the reader.
The man who did this worked for all of the banks in France.
Almost all of them have ridiculously easy exploits, both buffer and heap.
Granted it is better to tap then swipe. However it's all security theater.

Very insightful information.

Yeah that rectangular silver pad you can see on the card is just contacts. Think like those are the pins you see when you look inside the end of a USB connector. The chip is INSIDE the card, along with the antenna wires. Also, the 13.56mhz DATA signal isn't limited to a few inches. That'll go for a quarter mile easy. What IS limited is the power it can send to "run" the chip in the card. The readers don't put out very much power, so the chip can only get enough juice through the antenna to run a full transaction cycle if it's a few inches away.
That distance can be increased by increasing the power on the reader, but they keep those card readers low power so it won't try to activate other nearby cards. Also it makes it harder for someone to walk by you with a pirate reader in their backpack and trigger a transaction since it's too far away to be practically accessed. But it can be increased a little. Door Access readers usually have adjustable power. They're normally set low so you have to press the card against the reader, but they can be dialed up quite a bit, enough to just be waking up to the door and have the card in your wallet in your pocket trigger the reader when it's 6 inches or even a foot away. But every time you want to double the distance, you have to quadruple the power on the reader. Since it starts at about 3mm, getting out to a foot requires about 1,000x the power, which is quite a lot to ask of a little reader.

I want to better understand how this technology relates to the fraudulent skimming of data from credit cards. Thank you for explaining how touchless technology works.

This method is much safer!*
*please purchase a RFID blocking wallet to ensure safety 😊

You made it sound like the chip sends static data along with a cryptogram, but that the cryptogram is just to authenticate the purchase while the static data is still freely available. If that was the case, what would stop somebody from making an nfc skimmer that just gets the static data to be used later with an online/magnetic strip purchase?

Great...🔥🔥🔥

The big security problem with this contactless tap thing is that anybody can use your card! If you drop or lose your card, somebody else can pick it up and use it until you've managed to report it stolen. That could be quite a while, if you don't immediately notice that your card is gone.

That's all great unless someone steals your card. A safer approach would be to require a PIN in addition to the tap. Still convenient, but much better protection.

It's amazing how the U.S. is so behind the world with payment methods. I don't recall the last time I had to swipe a card, but it's been years. Not only can we tap credit & debit cards, we can also use our phones. The phone also creates it's own receipt. Also, we can tap a transit pass. I have my account configured for me, that is senior's fare. When I want to hop on a bus or commuter train, I just tap my card. I can add funds to my card on line, with their web site, or with a phone app. The card is valid on several transit systems and the fares are integrated, so that the cost over multiple systems is cheaper than the total of the individual fares.

Australia had this widely adopted easily at least 10+ years.
I’ve had American customers (I own a business near a large university, with few American academics around) puzzled that my business do not accept cards with signatures.

whenever I forget my wallet I'm glad to know I can always pay for things with my phone

Great explanation

Incredible! Wow.

The killer app for contactless for me was that you didn't have to put in your pin, as opposed to using the chip

most (if not all) of these technologies are American invention / innovation. but there are a few reasons why they may not be wide spread in the US, including inertia, preferences or even regulations. it is easier and cheaper to adopt a new technology if you hadn't spent as much building up complex and expensive infrastructure for the previous version.

We’ve been using tap for years in Canada. I remember using it up here, driving across the border to Niagara Falls and I had to use the swipe in stores there. Found it strange that we were more advanced in technology than the states were.

Tap and card insert connect to the same chip so have access to the same information. If a reader can be hacked for reading the chip it can be hacked for RFID. Commercial RFID readers may only have a few centimeter range but they can be made to work over longer distances like any other transmitter. So someone can stand near you and read your card. Fairly tough for someone to stand near you and insert your card into a reader.

I'm from Mexico and the implementation of technology in our country usually depends of USA's pace.
Contactless paying has recently been introduced here and one issue we have with this is that most terminals don't ask for a PIN/ ask for a PIN after a really big amount of money. Imagine your wallet is stolen (very common) and you suddenly lose 20% of your monthly income. If banks minimize this limit, then the experience would be perfect.

I still do not understand why Wal-Mart doesn't have apple pay/tap to pay. Even smaller businesses have access to the tech with companies like square yet a retail powerhouse doesn't have it. 🤨

What if we can customize our tap card if ordering online? The color or the pattern at least.

Great tech but here in NZ the Tap 2 Pay setup is bound to credit cards. Ultimately the end users pay more and the credit card crowd milk it.

However NFC paired with UPI ( free money transfer of India) could be a game changer

While the whole world is still using card, taptopay and wallets. India's revolutionized the payments shstem by UPI. Literally paying in my country is so easy af.

Some POS machines outright used to cancel the transaction when I paid via my phone's wallet, and currently (I think those are the same machines) work on the second try, but yes it is still a truly magical experience.

Did not know that! Very interesting

convenient but increases theft risk

My issue with tap to pay is that all the readers have the tap spot in different places. If you save 1 second, but you spend an extra 5 tapping the wrong place, it’s better to just insert. If they could standardize the tap location (or, frankly, if I could remember to look every time before I tap), I’d use it more often.

I have finished the job watching, commenting, liking and subscribing

I got my first ever non prepaid card in 2018 and it was swipe or chip only. It wasn't until that card got replaced due to my account type switching that I got a tap to pay card. As for using my phone, it isn't really any easier than taking a card out and paying unless the phone is already in your hand at the register. Regardless, I will usually use tap to pay on my card when I know it is available. It's just I know tap to pay cards seem to have just suddenly became more popular during COVID and most cards didn't have it before hand. Even the chip didn't become common until a few years before that.

It felt so natural going to Europe from Canada. I feel even more foreign in the US.

Tap to pay was shown when first introduced in 90s to be a HUGE SECURITY flaw. as all one needs to do is walk through a crowed group (club, dance hall or crowd) with a powerful rfid reader. The rfid card data can be stolen easily without the owner even knowing. Those cards were withdrawn from market because they were an obvious security risk. Well, now in modern times when sanity has been replaced by insanity - this is seen as a 'great option'. All we collectively do with more and more time, is sink in intelligence.

Good video, but I feel it does not completely resolve my concerns about Tap-to-Pay. 1. Wallets and purses frequently have "RFID blocking" features. Are these needed? Initial fears about Tap-to-Pay described situations where thieves would hold a reader close enough (under a coat or in a bag) to another person's wallet/purse, and activate the payment card, and do a transaction without the card owner's knowledge. Is this possible or feasible? 2. What is to stop a really experienced hardware hacker from building a Tap-to-Pay terminal that has a greater range than 4cm? Yes it would use more power, but if the range was increased, then my first question/concern applies even more.

The USA is so advanced and backwards at the same time that is so confusing.
We don’t use magnetic strips for at least 14 years ago, we have contactless since 2010 but not in every card but since 8 years ago every card have it, eve school cards are nfc.
We have a limit for transactions of 50€ , and three transactions after that it asks for the pin.

If it’s safer than why are there all these local news stories of people being forced to use tap to withdraw $ from ATMs (the swipe was purposely broken on the machine) and then scammers are able to withdraw all their $ from their bank accounts when they leave?

I’m amazed at how much more integrated tap to pay is in Canada than it is in the US. I can’t remember the last time I had to use my chip, and I don’t think I’ve used the magnetic strip swipe in probably 10 years. Who knew we were living in the future up here?! 🫎 🇨🇦 🍁

Such a great human invention

Yeah it started in India around 4 years ago and I have never pay with card any other way. I have even registered my card to my mobile's NFC so that I can make payments through phone directly don't even have to carry the card around

I haven’t used cash in years and will never go back.Just tap and go with my phone.

Card reader on mobile phones, an easy way to pick pocket people without touching them

Makes card cloning easier 🎉

We’ve had contactless payments since 2013 in Saudi Arabia 🇸🇦 😊

It's one step closer to the dystopian future of "In Time."

Canada has had this for 10 years lol