zlacker

1. codeth+(OP)[view] [source] 2025-04-13 12:32:03
> If you consider creating own NFC payment app instead of Google/Apple Pay - that's actually possible

Is it? Last time I checked, Apple & Google were also interfacing with banks on the server side, i.e. banks had to integrate with Apple/Google specifically. I'd love to be wrong, though.

replies(2): >>palata+m8 >>dzikim+i41
2. palata+m8[view] [source] 2025-04-13 13:52:04
>>codeth+(OP)
I believe that for a long time, Apple was preventing the use of NFC (or was it just for payments?). The EU Digital Markets Act is supposed to prevent them from doing that, as part of the "interoperability" part. And I think the DMA is great in that sense.
replies(1): >>codeth+Ro
◧◩
3. codeth+Ro[view] [source] [discussion] 2025-04-13 16:10:19
>>palata+m8
True, on iOS access to the NFC chip has been an additional blocker. But on Android apps have been able to use the NFC chip just fine and it's still not that easy to write a generic "wallet" app (that's compatible with all banks & cards), see my previous comment.
replies(1): >>charci+zw
◧◩◪
4. charci+zw[view] [source] [discussion] 2025-04-13 17:19:49
>>codeth+Ro
>But on Android apps have been able to use the NFC chip just fine

The last time I looked at it, it was not possible because Android doesn't let apps control the uid that gets used for NFC.

replies(2): >>codeth+mH >>j16sdi+Kb4
◧◩◪◨
5. codeth+mH[view] [source] [discussion] 2025-04-13 18:54:51
>>charci+zw
Ah right, good point. I did forget about that.

Either way, even if apps had full control over the chip, my understanding is that building a wallet app would still amount to much more than just interfacing with the NFC chip.

replies(1): >>dzikim+361
6. dzikim+i41[view] [source] 2025-04-13 22:45:58
>>codeth+(OP)
It's optional if you want "add to wallet button".

That's not related to ability to create own app - on both iOS and Android you can access NFC hardware directly (on iOS it's limited geographically), and send card data as you see fit - Google & Apple do nothing in such case.

◧◩◪◨⬒
7. dzikim+361[view] [source] [discussion] 2025-04-13 23:06:02
>>codeth+mH
You need connection to card scheme, which means you need ton of paperwork, which means you need ton of money. That's biggest issue :-)

For technical side - there are companies selling complete SDKs.

replies(1): >>codeth+Ua2
◧◩◪◨⬒⬓
8. codeth+Ua2[view] [source] [discussion] 2025-04-14 12:40:03
>>dzikim+361
Could you elaborate? You seem like you know quite a bit about this topic.

While I've known that building a wallet is not as simple as configuring the NFC chip and one would have to interface with banks on the backend etc., I've failed to understand exactly why. What prevents a phone from emulating a regular physical credit card?

replies(2): >>dzikim+Jm2 >>charci+1P2
◧◩◪◨⬒⬓⬔
9. dzikim+Jm2[view] [source] [discussion] 2025-04-14 14:00:40
>>codeth+Ua2
On technical level - nothing. Thing is, that payment card is basically private key, that's derived from master key controlled by the bank. This key signs your transactions. Tokenization adds some extra steps (eg. single use keys), but it's fundamentally the same.

What it means - you cannot obtain working card profile if bank doesn't issue it to you. Therefore you need blessing from bank & card scheme to be connected to this ecosystem.

If you want to go deeper into this rabbit hole I can recommend two sources:

* https://developer.mastercard.com/product/mdes - Mastercard's framework for tokenization

* https://developer.verestro.com/books/token-requestor - actual solution. It focuses on offering for single issuer, because market for Google Pay competition is pretty narrow, but technically it's mostly the same + way more red tape.

If you ever decide to try - ping me, I happen to know a few guys there :-)

replies(1): >>codeth+zj9
◧◩◪◨⬒⬓⬔
10. charci+1P2[view] [source] [discussion] 2025-04-14 16:34:48
>>codeth+Ua2
>What prevents a phone from emulating a regular physical credit card?

If this were possible, fraudsters would easily be able to clone people's cards by getting close to them. The protocol was explicitly designed for this to not be possible. There are secrets that live on the card itself and are not exposed.

replies(1): >>palata+Px4
◧◩◪◨
11. j16sdi+Kb4[view] [source] [discussion] 2025-04-15 02:14:54
>>charci+zw
Many NFC chips don't allow setting uid either, and none of the EMV cards require cloning uid.
◧◩◪◨⬒⬓⬔⧯
12. palata+Px4[view] [source] [discussion] 2025-04-15 06:54:02
>>charci+1P2
So a phone can totally emulate a regular physical credit card, if it has the private key.

Behaving like a credit card does not mean that the credit card is clonable.

replies(1): >>dzikim+4s6
◧◩◪◨⬒⬓⬔⧯▣
13. dzikim+4s6[view] [source] [discussion] 2025-04-15 19:04:31
>>palata+Px4
Yes, if you want to write an app that will generate a transaction conforming to the protocol & will use your card number, it's actually a very short program.

With some luck it will be even routed to your bank. Then it will fail due to invalid authentication. I think there's a defcon talk on YouTube that details the exchange.
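
Added example (not part of any comment in this thread): a simplified Python model of the key hierarchy described in comments 9 and 13, with an issuer master key diversified per card, a single-use key per transaction counter, and the issuer-side check that declines a correct card number presented without the card key. HMAC-SHA256 stands in for the card scheme's real derivation and cryptogram algorithms; every name, field layout and the card number are constructed for illustration.

```python
import hashlib
import hmac
import os


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Issuer diversifies its master key into a per-card key (assumed scheme)."""
    return hmac.new(master_key, b"card|" + pan.encode(), hashlib.sha256).digest()


def derive_session_key(card_key: bytes, atc: int) -> bytes:
    """Single-use key bound to the transaction counter (ATC)."""
    return hmac.new(card_key, b"sess|" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """MAC over the transaction data; this is the 'signature' the issuer checks."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(derive_session_key(card_key, atc), msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Hypothetical issuer host: holds the master key and the last counter per card."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._last_atc = {}

    def personalize(self, pan: str) -> bytes:
        # Only the issuer can produce a working card profile for a PAN.
        return derive_card_key(self._master_key, pan)

    def authorize(self, pan: str, atc: int, amount_cents: int, nonce: bytes, mac: bytes) -> str:
        if atc <= self._last_atc.get(pan, 0):
            return "declined: counter reuse"
        card_key = derive_card_key(self._master_key, pan)
        expected = cryptogram(card_key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, mac):
            return "declined: invalid authentication"
        self._last_atc[pan] = atc
        return "approved"


def demo():
    issuer = Issuer(os.urandom(32))
    pan = "0000000000000000"  # constructed placeholder, not a real card number
    nonce = os.urandom(4)     # terminal's unpredictable number
    card_key = issuer.personalize(pan)
    mac = cryptogram(card_key, 1, 1250, nonce)
    genuine = issuer.authorize(pan, 1, 1250, nonce, mac)
    replayed = issuer.authorize(pan, 1, 1250, nonce, mac)
    # App that knows the PAN and the message format but not the card key.
    no_key = issuer.authorize(pan, 2, 1250, nonce, cryptogram(os.urandom(32), 2, 1250, nonce))
    return genuine, replayed, no_key
```
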

◧◩◪◨⬒⬓⬔⧯
14. codeth+zj9[view] [source] [discussion] 2025-04-16 17:29:57
>>dzikim+Jm2
Thank you so much! That's very enlightening!

> If you ever decide to try - ping me, I happen to know a few guys there :-)

Ha, I have actually been entertaining that idea for quite some time, but it seems rather difficult to penetrate that domain as an outsider. The links you shared only seem to confirm that. :-\ I'm not sure I would even want to compete with the Google/Apple Pay duopoly, for now I'd mostly just be interested in an open-source, privacy-preserving solution for contactless payments.

Anyway, you might want to add your contact info to your HN profile – just in case. ;-)
