zlacker

[parent] [thread] 7 comments
1. codeth+(OP)[view] [source] 2025-04-13 18:54:51
Ah right, good point. I did forget about that.

Either way, even if apps had full control over the chip, my understanding is that building a wallet app would still amount to much more than just interfacing with the NFC chip.

replies(1): >>dzikim+Ho
2. dzikim+Ho[view] [source] 2025-04-13 23:06:02
>>codeth+(OP)
You need connection to card scheme, which means you need ton of paperwork, which means you need ton of money. That's biggest issue :-)

For technical side - there are companies selling complete SDKs.

replies(1): >>codeth+yt1
◧◩
3. codeth+yt1[view] [source] [discussion] 2025-04-14 12:40:03
>>dzikim+Ho
Could you elaborate? You seem like you know quite a bit about this topic.

While I've known that building a wallet is not as simple as configuring the NFC chip and one would have to interface with banks on the backend etc., I've failed to understand exactly why. What prevents a phone from emulating a regular physical credit card?

replies(2): >>dzikim+nF1 >>charci+F72
◧◩◪
4. dzikim+nF1[view] [source] [discussion] 2025-04-14 14:00:40
>>codeth+yt1
On technical level - nothing. Thing is, that payment card is basically private key, that's derived from master key controlled by the bank. This key signs your transactions. Tokenization adds some extra steps (eg. single use keys), but it's fundamentally the same.

What it means - you cannot obtain working card profile if bank doesn't issue it to you. Therefore you need blessing from bank & card scheme to be connected to this ecosystem.

If you want to go deeper into this rabbit hole I can recommend two sources:

* https://developer.mastercard.com/product/mdes - Mastercards framework for tokenization

* https://developer.verestro.com/books/token-requestor - actual solution. It focuses on offering for single issuer, because market for Google Pay competition is pretty narrow, but technically it's mostly the same + way more red tape.

If you ever decide to try - ping me, I happen to know a few guys there :-)

replies(1): >>codeth+dC8
◧◩◪
5. charci+F72[view] [source] [discussion] 2025-04-14 16:34:48
>>codeth+yt1
>What prevents a phone from emulating a regular physical credit card?

If this were possible fraudsters would be easily be able to clone people's cards by getting close to them. The protocol was explicitly designed for this to not be possible. There are secrets that live on the card itself and are not exposed

replies(1): >>palata+tQ3
◧◩◪◨
6. palata+tQ3[view] [source] [discussion] 2025-04-15 06:54:02
>>charci+F72
So a phone can totally emulate a regular physical credit card, if it has the private key.

Behaving like a credit card does not mean that the credit card is clonable.

replies(1): >>dzikim+IK5
◧◩◪◨⬒
7. dzikim+IK5[view] [source] [discussion] 2025-04-15 19:04:31
>>palata+tQ3
Yes, if you want to write an app, that will generate transaction conforming to the protocol & will use your card number it's actually very short programy.

With some luck it will be even routed to your bank. Then it will fail due to invalid authentication. I think there's a defcon talk on YouTube that details the exchange.

◧◩◪◨
8. codeth+dC8[view] [source] [discussion] 2025-04-16 17:29:57
>>dzikim+nF1
Thank you so much! That's very enlightening!

> If you ever decide to try - ping me, I happen to know a few guys there :-)

Ha, I have actually been entertaining that idea for quite some time, but it seems rather difficult to penetrate that domain as an outsider. The links you shared only seem to confirm that. :-\ I'm not sure I would even want to compete with the Google/Apple Pay duopoly, for now I'd mostly just be interested in an open-source, privacy-preserving solution for contactless payments.

Anyway, you might want to add your contact info to your HN profile – just in case. ;-)

[go to top]