
(So guess what I got for Christmas...)

While I do appreciate the tech and some of the features in the smart watch, I am skeptical of its biggest feature -- the Pay feature which essentially duplicates your credit card's magnetic info and stores it within the watch (or the phone it is paired with? not sure on that). It is great to just walk up to a payment terminal and bring your wrist close to it and the smart watch does the payment for you by surrendering the stored card info. Not that it is such an awesome feature that I would buy a smart watch for that, but since I have it now I am thinking of using it.

Making my question more generic to all smart watches and IoT devices that have such auto-pay features: from a security standpoint, how safe is it to store your credit card's magnetic info on a smart watch like that? Is it about as safe as storing it on your phone or on a website like Amazon? I worry that a smart watch's OS might be easier for attackers to target since it is more likely to have security vulnerabilities than a more mainstream and major OS like Red Hat or Mac OS X (not saying these don't have major vulnerabilities, but still...). So if I have my credit card stored at a bunch of places like Amazon, Android phone, smart watch etc., attackers are more likely to target something like a watch to steal it from. Am I correct in this assumption?

Side note: I confess that I do not yet fully understand how the watch is able to act like a credit card to make payment at terminals. From what little I understand, it stores some limited one-time "payment tokens" that allow it to make payments.

whoami

1 Answer


How tap to pay works

Assuming you are not using magstripe emulation (Samsung is one of the few companies that do this), you will be communicating with the payment terminal in a similar way to how a contactless card would communicate with it.

How secure it is

The UK Cards Association says the following:

Reassure the customer that contactless is secure. Contactless technology uses secure technology (the same as chip & PIN) so customers can feel confident when using it to pay for items.

There is a maximum amount for a contactless transaction of £30 (if it is a higher value payment the customer will have to verify themselves). The card or device has limits built into it when it is being used for a contactless payment. This means it can only be used for a certain number of consecutive contactless transactions before the customer is required to perform a chip & PIN transaction.

All contactless payments, as with other card payments, are covered by the issuing bank in the event of fraud, so the customer won’t be left out of pocket.

All contactless devices rely on the same underlying, secure transmission technology. On mobile devices the cardholder’s payment details are held securely and may also be protected using a process called tokenisation. This substitutes the cardholder’s account number for a ‘token’ value that is only valid for transactions from that device.

Like all technologies it has advantages and disadvantages:

Advantages:

  • The card number is tokenised, so your physical card number is not stored on your mobile device.
  • The transactions are online (in the UK), so any fraudulent activity can be detected quickly.
  • Unlike magstripe, the terminal cannot just replay the data it recorded talking to a card to make a payment with another terminal.
  • As the magstripe is not present, a skimmer cannot record the details and then use them to make copies of the card.

Disadvantages:

  • Storing your payment details on your device is another copy of the details.
  • Depending on the device you may be able to pay without noticing (on Android your screen must be on, but you do not need to unlock the device).

References

jrtapsell
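The answer above makes two security claims that are easier to see in code than in prose: the device holds a token rather than the real card number, and a recorded contactless exchange cannot simply be replayed the way magstripe data can. The following Python model is an added illustration, not code from the answer, from any card scheme or from any watch vendor; it is a simplified stand-in for the EMV flow (an HMAC in place of the real application cryptogram, and the class names TokenVault, Device and Issuer are assumptions). It shows a token service provisioning a device-bound token, the device producing a per-tap cryptogram over a transaction counter, the amount and a terminal nonce, and the issuer rejecting a replay at the same terminal (counter already seen), a replay at a different terminal (nonce mismatch breaks the cryptogram) and a tampered amount.

```python
import hmac
import hashlib
import secrets


class TokenVault:
    """Issuer-side token service (assumed name): maps a device-bound token to the real PAN."""

    def __init__(self):
        self._tokens = {}  # token -> (pan, per-device key)

    def provision(self, pan):
        # The token looks like a card number but is only usable with this device's key.
        token = "4999" + "".join(str(secrets.randbelow(10)) for _ in range(12))
        key = secrets.token_bytes(16)
        self._tokens[token] = (pan, key)
        return token, key

    def lookup(self, token):
        return self._tokens.get(token)


def cryptogram(key, token, atc, amount, un):
    """HMAC stand-in for the EMV application cryptogram: binds token, counter,
    amount and the terminal's unpredictable number (nonce) together."""
    msg = token.encode() + atc.to_bytes(2, "big") + amount.to_bytes(4, "big") + un
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Device:
    """The watch: stores only the token and the device key, never the PAN."""

    def __init__(self, token, key):
        self.token = token
        self._key = key
        self.atc = 0  # application transaction counter, increments on every tap

    def tap(self, amount, un):
        self.atc += 1
        return {"token": self.token, "atc": self.atc, "amount": amount,
                "ac": cryptogram(self._key, self.token, self.atc, amount, un)}


class Issuer:
    """Authorises online: recomputes the cryptogram and tracks the last counter per token."""

    def __init__(self, vault):
        self.vault = vault
        self.last_atc = {}

    def authorise(self, tx, terminal_un):
        entry = self.vault.lookup(tx["token"])
        if entry is None:
            return "DECLINED: unknown token"
        pan, key = entry
        expected = cryptogram(key, tx["token"], tx["atc"], tx["amount"], terminal_un)
        if not hmac.compare_digest(expected, tx["ac"]):
            return "DECLINED: cryptogram invalid"
        if tx["atc"] <= self.last_atc.get(tx["token"], 0):
            return "DECLINED: counter already seen (replay)"
        self.last_atc[tx["token"]] = tx["atc"]
        return f"APPROVED: PAN ending {pan[-4:]}"


def run_demo():
    """Walk through a genuine tap and three misuse attempts; returns the issuer's verdicts."""
    vault = TokenVault()
    issuer = Issuer(vault)
    token, key = vault.provision("4111111111111111")  # constructed sample PAN
    watch = Device(token, key)

    un_a = secrets.token_bytes(4)  # terminal A's nonce for this tap
    tx = watch.tap(1500, un_a)     # a £15.00 tap
    results = {"genuine": issuer.authorise(tx, un_a)}
    # A terminal that recorded the exchange and presents it again.
    results["replay_same_terminal"] = issuer.authorise(tx, un_a)
    # The same recording presented at another terminal, which has its own nonce.
    results["replay_other_terminal"] = issuer.authorise(tx, secrets.token_bytes(4))
    # The recording with the amount altered.
    results["tampered_amount"] = issuer.authorise(dict(tx, amount=150000), un_a)
    # The real card number never reaches the device.
    results["pan_on_device"] = "4111111111111111" in vars(watch).values()
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The ordering of checks mirrors the answer's points: the cryptogram ties each tap to one terminal's nonce and one amount, and the counter makes every tap single-use, which is why a skimmed contactless exchange is worth far less to an attacker than a skimmed magstripe.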