by lxgr 809 days ago
> Using a phone to pay for stuff is an opsec nightmare

Do you mean "privacy nightmare"? Security-wise, Google Pay beats using your physical card since it uses a device-specific number that can't be skimmed by terminals and reused online.

> the custom rom is still far more valuable from a security perspective than bending the knee to some bespoke ecosystem payment app (especially if you have an older device.)

I'd argue that it only makes sense if you have an older device that's otherwise not receiving any more security updates.


AFAIK it only beats magnetic stripe cards, not EMV chip cards.

EMV chip cards still contain your card number and expiry date.

Skimmers would need a way to also learn the CVC2 from the back of the card to use it at most (but not all!) online merchants, but that's feasible using a small camera or a waiter/cashier accomplice doing the skimming.

With Google Pay and Apple Pay, and similar mobile wallets, that number is never shared during payments (and in fact not even stored on the device).

They do, but you can't get the card number from reading the chip. The protocol is a challenge-response one based on a private key stored within the chip.

https://en.wikipedia.org/wiki/Chip_Authentication_Program

You need to read the entire card number + cvc2 + expiry date with your camera. That's not skimming, that's just taking a photo of the card.

No, you can most certainly get the card number and expiry via the chip and even over contactless, as it’s a vital part of transaction routing/processing. There are Android apps that can do it.
If I could I'd delete my original comment since I did more research and you're right.

https://stackoverflow.com/questions/14861908/apdu-command-to...
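To make the point of the last two comments concrete, here is an added example (not from any commenter, and not code from Google Pay or any card reader app) that walks a BER-TLV record of the kind an EMV card returns to a terminal. The record bytes are constructed for illustration with a well-known test PAN; the tag numbers (0x70, 0x5A, 0x5F24, 0x5F20) are the public EMV data-dictionary values. It shows that the PAN and expiry are plainly present in chip data while no field carries the CVC2, and how a merchant or acquirer should mask the PAN before it reaches a log.

```python
from typing import Dict, Optional, Tuple

# Tag numbers from the public EMV data dictionary
TAG_RECORD_TEMPLATE = 0x70   # constructed: wraps the record's primitive fields
TAG_PAN = 0x5A               # Application Primary Account Number (BCD)
TAG_EXPIRY = 0x5F24          # Application Expiration Date (YYMMDD, BCD)
TAG_CARDHOLDER_NAME = 0x5F20
# Note: there is no EMV tag for CVC2. It is printed on the card only.


def _read_tag(data: bytes, i: int) -> Tuple[int, bool, int]:
    """Return (tag, is_constructed, next_index).

    Bit 6 of the first tag byte marks a constructed (nested) TLV; a low
    nibble of 0x1F means the tag continues into following bytes while
    their high bit is set.
    """
    first = data[i]
    tag, i = first, i + 1
    if first & 0x1F == 0x1F:
        while True:
            tag = (tag << 8) | data[i]
            i += 1
            if not data[i - 1] & 0x80:
                break
    return tag, bool(first & 0x20), i


def _read_length(data: bytes, i: int) -> Tuple[int, int]:
    """Short form (< 0x80) or long form (0x8N followed by N length bytes)."""
    first = data[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """Flatten a BER-TLV buffer into {tag: value}, descending into templates."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        tag, constructed, i = _read_tag(data, i)
        length, i = _read_length(data, i)
        value = data[i:i + length]
        i += length
        if constructed:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def exposed_fields(record: bytes) -> Dict[str, Optional[str]]:
    """What a terminal (or any NFC reader) learns from this record."""
    fields = parse_tlv(record)
    pan = fields[TAG_PAN].hex().upper().rstrip("F")   # BCD, F-padded if odd length
    yymmdd = fields[TAG_EXPIRY].hex()
    return {
        "pan": pan,
        "expiry": f"20{yymmdd[:2]}-{yymmdd[2:4]}",
        "cvc2": None,   # never in chip data, so never readable this way
    }


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, as a terminal would apply to a PAN."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2
            d = d - 9 if d > 9 else d
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style truncation for logs: keep first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample record (NOT from a real card): template 0x70 holding
# PAN 4111111111111111 (a standard test number), expiry 2027-12-31, and a name.
SAMPLE_RECORD = bytes.fromhex(
    "70" "1B"
    "5A" "08" "4111111111111111"
    "5F24" "03" "271231"
    "5F20" "08" + b"TESTCARD".hex()
)

if __name__ == "__main__":
    seen = exposed_fields(SAMPLE_RECORD)
    print("PAN present:   ", mask_pan(seen["pan"]), "luhn ok" if luhn_ok(seen["pan"]) else "")
    print("Expiry present:", seen["expiry"])
    print("CVC2 present:  ", seen["cvc2"])
```

Run as a script it prints the masked PAN and expiry and `None` for CVC2, which is exactly the gap the thread describes: chip or contactless data gives an attacker everything except the CVC2, so merchants that do not require CVC2 are the ones exposed, and a wallet that substitutes a device-bound token for the PAN removes even that.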

Yeah, and it's easily solvable with a sticker or a dremel to scrape the number off.

You can't dremel it out of the chip, though.

Well technically you can. The card won't be so usable after that though. ;)

Any responsible user will learn the CVC, like any other password, and then erase it from the card.

I can certainly remember mine from repeated use, but I can't say I've ever heard of someone erasing it.

I have done it for many years.

You can always tell what part of HN regularly goes outside and interacts with normal people. I'm sorry but "just memorize the CVV and erase it from the card" isn't something anyone really does. The comment that Google Wallet is more secure is a generally applicable comment.

That seems like a lot of extra effort for something that's arguably not your opsec problem, but that of the card payment industry.

In the end, you'll always have to enter it on payment websites anyway.