Is Google Pay safe? Is Apple Pay safe? – The Answer

Is Google Apple Pay safe - Hacking Series Tutorial Steffen Lippke

How secure is payment with Google Pay or Apple Pay?

This article explains contactless payment from the hardware through to data protection.

Let’s get started!

The technology used – NFC

Near Field Communication (NFC) is a way of wirelessly transferring data between two electronic devices in both directions over a very short distance (4 cm or less).

To use NFC, you need a smartphone with an NFC chip, which is a thin, large-area chip with antennas and circuitry.

In 2010, the first mobile phone received an NFC chip – nowadays it is built into most mobile phones as standard.

Steffen Lippke

Your smartphone feeds current into this chip, which then emits electromagnetic pulses. The antenna can receive and process the signals via induction (conversion of electromagnetic pulses into electricity).

At 13.56 megahertz, the receiver sends out a weak signal. For communication to take place, the devices must be almost directly next to each other. The receiver must actively generate electromagnetic radiation while the other side passively waits for the pulses.

How secure is this transmission?

Unlike Wi-Fi, NFC is intentionally designed for short distances.

In the best case, your Wi-Fi signal is encrypted with WPA3 and no one can listen in. The NFC standard, by contrast, is meant to make exchanging data easy. NFC often only imitates a secure connection – who is communicating with whom? Despite the short range, an NFC signal can be eavesdropped on with the necessary technical equipment.

Near or far – secure looks different!

Even if the signal only reaches 4 cm, attacks are possible:

  1. The first device taps the signal from the NFC transmitter card
  2. The first device converts the signal into Wi-Fi
  3. The second device receives the Wi-Fi signals and converts them back
  4. The second device transmits the NFC signals to the NFC receiver

Modification possible

The attacker can modify the signals if he wants to. NFC transmission does not guarantee that the signals are encrypted and transmitted unchanged. This means that an attacker can, for example, pay at a cash register without you having to be in the same room.

What your mobile phone can do with NFC

The Android operating system manages the NFC module of your device. Apps can use this radio technology in three different modes:

Read and write – Many use cases

Your phone can write to or read from a passive NFC tag (one without its own power supply). NFC tags are plastic cards or stickers that contain an NFC circuit. Through the transmitted signals and the induced current, you can write data to the passive plastic metal cards. Industry uses these, e.g. to label goods.

Data exchange – the main task

Between two active NFC chips, e.g. between two mobile phones, you can send messages or exchange data in general. You use this mode when you stand at the checkout and pay. The cash register terminal sends you information, for example, about where the money should be transferred to.

Card emulation – imitating cards

You can digitize all your NFC-enabled physical cards with a wallet app. The NFC circuit of your mobile phone presents itself in such a way that another sensor believes it is a passive card.

Deeply integrated encryption

The new Android and iOS smartphones use a security chip that is itself a stand-alone computer. It only performs cryptographic tasks and is also responsible for your wallet, for example. This computer stores keys, for example, which the main computer of your mobile phone cannot see. The chip monitors all components of the system and the boot process.
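The modification risk described under "Modification possible" and the key storage described here meet in the following added example, which is not code from the original article or from any wallet vendor. It is a simplified model: an HMAC stands in for the payment cryptogram, and the class names, field names and the merchant string are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

def encode(amount_cents, merchant, nonce, counter):
    """Unambiguous byte encoding of the fields that the tag protects."""
    m = merchant.encode()
    return struct.pack(">QIH", amount_cents, counter, len(m)) + m + nonce

class SecureElement:
    """Stands in for the security chip: the key stays inside this object."""
    def __init__(self, key):
        self._key = key
        self._counter = 0  # rises with every payment

    def sign_payment(self, amount_cents, merchant, nonce):
        self._counter += 1
        data = encode(amount_cents, merchant, nonce, self._counter)
        tag = hmac.new(self._key, data, hashlib.sha256).digest()
        return {"amount_cents": amount_cents, "merchant": merchant,
                "nonce": nonce, "counter": self._counter, "tag": tag}

class Issuer:
    """Stands in for the bank, which shares the key with the chip."""
    def __init__(self, key):
        self._key = key
        self._last_counter = 0

    def verify(self, p, expected_nonce):
        data = encode(p["amount_cents"], p["merchant"], p["nonce"], p["counter"])
        good = hmac.new(self._key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(good, p["tag"]):
            return "rejected: modified in transit"
        if p["nonce"] != expected_nonce:
            return "rejected: wrong terminal nonce"
        if p["counter"] <= self._last_counter:
            return "rejected: replayed"
        self._last_counter = p["counter"]
        return "accepted"

def demo():
    key = secrets.token_bytes(32)
    chip, issuer = SecureElement(key), Issuer(key)
    nonce = secrets.token_bytes(16)  # fresh value chosen by the terminal
    msg = chip.sign_payment(1999, "Bakery 12 (constructed)", nonce)
    tampered = dict(msg, amount_cents=199900)  # amount changed on the way
    return (issuer.verify(tampered, nonce),  # tag no longer matches
            issuer.verify(msg, nonce),       # unchanged message passes
            issuer.verify(msg, nonce))       # same message a second time

if __name__ == "__main__":
    print(demo())
```

An unchanged message is accepted no matter which path it took, so the tag catches modification and replay but does not prove that phone and terminal are close together.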

Procedure for an NFC payment

First you have to connect your current account or credit card to the wallet at home. You can find instructions for this from your bank. Once you have gone through this process, you can go shopping.

In Germany, not every merchant accepts every payment service provider or even has a terminal for NFC. NFC payment or the use of credit cards is more expensive for small businesses, and the necessary hardware has to be bought. In Norway, you can pay by card or mobile phone almost everywhere. This is partly due to the culture and society.

If you do find a merchant in Germany (often recognizable by the logos on the door), you can go shopping there.

  1. Look for the NFC symbol on the terminal, or the cashier will show you where to hold your phone.
  2. Unlock your phone.
  3. Hold your smartphone close to the terminal. They do not have to touch.
  4. Depending on the terminal or the amount, you have to approve the transaction again with a PIN on the terminal or on your smartphone.
  5. The payment is made when the terminal beeps or the screen shows the transaction as successful.

Will my transaction data stay private?

In western countries, you have the option of using Apple Pay, Samsung Pay or Google Pay. These systems can be linked to some credit cards or current account cards from banks. The digital payment service providers are not (yet) banks themselves, but they help to carry out the transaction. As a middleman, they pass on the necessary data:

  • Amount to pay
  • Name of goods
  • Place and merchant
  • Date and time
  • Device used
  • Bank used

One service provider for everything – data dystopia

All this information is very valuable from the point of view of the payment service providers because Google, with its AdSense advertising platform, can serve the appropriate advertising to the customer on websites and in apps. If the customer has already spent money on a product, it is very likely to happen again in the future.

The payment service provider is kind enough to directly analyse whether this could be fraud. If a fraudster uses the digital card, the analysis of the data can help the bank to block the card in time.

The payment service provider then also works as a credit rating agency like the German Schufa, except that the provider has much more data about the person at its disposal than Schufa.

Where are the alternatives?

Anyone who now says “I’ll switch to an open source app” – I have to disappoint them:

So far, there is still no open wallet because most payment / card service providers want to cooperate with big-tech corporations instead of supporting an open source development. The banks prefer credit reporting and data analysis and give away their payment processing privilege for this. The people who consider their data worth protecting are left out in the cold.

“Data-saving” alternative

If you don’t want the provider to share your transaction data for promotional purposes, then use the card directly. The card is a passive NFC tag that can transmit data to the terminal. Most cards today are equipped with this because the banks want us to make more cashless purchases.

Best alternative

If you want to pay anonymously, you have to use cash. Even the banks, although they are subject to the GDPR (DSGVO), can use the data. It is particularly interesting for them, for example, to grant loans when the customer is short of cash every month. With cash, this is no longer a problem.
