The loophole seems to be having an app pinned to the screen (I’ve never done this, but it presumably keeps the phone from locking) while requiring you to have an unlocked phone to use NFC payments. This doesn’t seem to be a common scenario (I can imagine doing this in some sort of kiosk mode, or giving the phone to a kid and locking the app so he can’t wander around).
This is why Samsung pay is king, the NFC only turns on when you’re using Samsung pay otherwise it stays off
Turn off NFC unless you are using it at that moment.
Woah, first I learned of this. https://www.lifewire.com/turn-off-nfc-to-secure-your-android-smartphone-2532822
Kinda sucks that there’s no quick button for that. I can turn off Bluetooth, wireless, auto-rotate, etc in a single setting but not NFC?
Many Samsung devices have a quick button for NFC toggling in their drop down menu, not sure about other phones though.
I thought Google wallet generated a unique card id for every transaction.
This is a interesting bug, but I think fairly niche. Not many people use app pinning at all.
If the PoS supports tokens, it’ll use unique tokens for each payment. If the PoS doesn’t support tokens, the phone has a virtual credit card number linked to the real one, so if it does get stolen, you can just remove the card from your Google Wallet to deactivate it. Your real card number is never exposed.
Even then, credit card numbers on their own aren’t that useful anymore. Any online payment needs the CVC and PoS devices usually require chip or tap cards, which don’t use the number. On top of that, credit card companies have purchase price restrictions when using swipe because of the security risks vs chip (which is why most PoS devices don’t support swipe anymore).
great
