Weird Apple Pay idea

Apologies if this was previously answered; I did a few searches and didn’t see a specific answer.

I can hazard a guess, but I’d enjoy a bit more explanation if possible

Apple Pay uses tokenization (at least as far as I understand it).

Is there any way you could copy or clone a token for a single use? It would stop working afterwards, and hopefully you could put a new one on later with NFC.

It is totally not the solution we want, but it WOULD scratch the itch a bit

1 Like

Probably not since the tokens are basically generated on the fly and likely if not actually used (processor doesn’t detokenize) it would likely expire pretty quick… but there are provisions for “offline” tokens as well… but I’m also pretty sure the actual interaction between phone and terminal even for offline transactions includes some crypto action to challenge / response verify the transaction as legit… much more research is needed.

2 Likes

Why must you crush my dreams?

I kinda figured

1 Like

Hah really though it’s a good thought… the question really should be settled by research though… I just don’t have the bandwidth

2 Likes

This would basically be a man-in-the-middle attack, right? It has been done on non-tokenized cards but it seems that updates have made it no longer feasible with them.

2 Likes

Also found this. Seems there’s a secret key generated by the device also to keep you from stealing tokens.

Each Apple Pay transaction produces a unique value that ensures that the transaction is coming from an authorized device. This unique identifier along with the token and the cryptogram used to authorize the transaction ensure that even if the token is stolen it can’t be used from another device because the token must come from the device to which it was registered. Additionally, the token is calculated with the transaction amount, and therefore even if it was intercepted in transit, it could not be used by an attacker to perform another purchase.

1 Like
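To make the quoted explanation concrete, here is an added toy simulation. It is not Apple's code and not the real Apple Pay or EMV cryptogram algorithm; the HMAC construction, the transaction-counter scheme and every name in it are assumptions made for illustration. It models the three properties the quote describes: the cryptogram is bound to the device's provisioned key, to a fresh counter, and to the exact amount, so a captured token plus cryptogram is rejected when replayed, when the amount is changed, or when presented by a device that never held the key.

```python
"""Toy model of a device-bound, per-transaction payment cryptogram.

Added example for illustration only (not Apple's or EMV's real scheme):
all key names, the message layout and the HMAC construction are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _derive_session_key(device_key: bytes, atc: int) -> bytes:
    """Per-transaction session key from the device-bound master key and a
    monotonically increasing application transaction counter (ATC)."""
    return hmac.new(device_key, b"session" + atc.to_bytes(4, "big"), hashlib.sha256).digest()


def make_cryptogram(device_key: bytes, token: str, atc: int,
                    amount_cents: int, terminal_nonce: bytes) -> bytes:
    """What the device's secure element computes at tap time: a MAC binding the
    token, the counter, the exact amount and the terminal's challenge nonce."""
    session_key = _derive_session_key(device_key, atc)
    msg = b"|".join([token.encode(), atc.to_bytes(4, "big"),
                     amount_cents.to_bytes(8, "big"), terminal_nonce])
    return hmac.new(session_key, msg, hashlib.sha256).digest()


@dataclass
class Transaction:
    token: str
    atc: int
    amount_cents: int
    terminal_nonce: bytes
    cryptogram: bytes


class Issuer:
    """Token service / issuer side: knows the key provisioned to each device
    and the highest counter it has already accepted for that token."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}

    def provision(self, token: str) -> bytes:
        """Enrol a token and generate its device-bound key. In a real system the
        key would be wrapped to the device's public key; here it is returned
        directly to keep the simulation short."""
        key = secrets.token_bytes(32)
        self._keys[token] = key
        self._last_atc[token] = 0
        return key

    def authorize(self, tx: Transaction) -> tuple[bool, str]:
        key = self._keys.get(tx.token)
        if key is None:
            return False, "unknown token"
        if tx.atc <= self._last_atc[tx.token]:
            return False, "counter not fresh (replay)"
        expected = make_cryptogram(key, tx.token, tx.atc, tx.amount_cents, tx.terminal_nonce)
        if not hmac.compare_digest(expected, tx.cryptogram):
            return False, "cryptogram mismatch"
        self._last_atc[tx.token] = tx.atc
        return True, "approved"


class Device:
    """The phone side: holds the key, never exports it, increments its ATC."""

    def __init__(self, token: str, device_key: bytes) -> None:
        self.token, self._key, self._atc = token, device_key, 0

    def tap(self, amount_cents: int, terminal_nonce: bytes) -> Transaction:
        self._atc += 1
        c = make_cryptogram(self._key, self.token, self._atc, amount_cents, terminal_nonce)
        return Transaction(self.token, self._atc, amount_cents, terminal_nonce, c)


def run_scenario() -> dict:
    """Constructed attempts against the model; returns each outcome."""
    issuer = Issuer()
    token = "DPAN-constructed-0001"           # constructed sample token
    phone = Device(token, issuer.provision(token))
    nonce = secrets.token_bytes(8)

    legit = phone.tap(1250, nonce)            # genuine $12.50 tap
    legit_ok, _ = issuer.authorize(legit)

    replay = issuer.authorize(legit)          # the exact same message presented again

    # captured cryptogram reused with a new counter and a different amount
    altered = Transaction(token, legit.atc + 1, 9900, nonce, legit.cryptogram)
    altered_res = issuer.authorize(altered)

    # a "cloned" device that learned the token but never had the provisioned key
    clone = Device(token, secrets.token_bytes(32))
    forged = clone.tap(500, nonce)
    forged = Transaction(token, legit.atc + 1, 500, nonce, forged.cryptogram)
    clone_res = issuer.authorize(forged)

    # the real phone's next tap still works because its own counter moved on
    second_ok, _ = issuer.authorize(phone.tap(700, secrets.token_bytes(8)))

    return {"legit": legit_ok, "replay": replay, "altered": altered_res,
            "clone": clone_res, "second_legit": second_ok}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The counter check alone defeats a straight replay, and the MAC over the amount and the device-bound key is what stops the captured value from being re-purposed, which is why a "single-use copy" of the token has nothing useful in it once the original device has tapped.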

Bastards…
How dare they make the system secure

2 Likes

Nor do I unfortunately, or an iPhone.

My basic understanding is that during tokenisation setup the token exchange is all done by key wrapping - i.e. a public key (or DH exchange) from the phone, signed by Apple in the factory, to the issuing server, which uses it to wrap the token and send it to the phone. You’d need to break into the TrustZone (or equivalent) to get the key to unwrap with - which is unlikely to be doable.

1 Like

Only thing I understood from that is you don’t like me and don’t want me to have a magic hand that can pay for stuff.

Lol
I figured there were reasons…

2 Likes

Hahahaha - no, we’ve got a bunch of conflicting projects, and I want everyone to have magic hands like myself, but banks get mad when you hack their shit to get your way.

1 Like

What the hell is this world coming to…