> Surely this is massively vulnerable to double spend attacks?
FeliCa uses mutual authentication with eventual bookkeeping and sync. I believe that there are some theoretical attacks on older cards but the terminals are regularly synchronized and get a ban list. In-practice, you’ll also be reported to the police, probably.
My understanding here is that there's less risk of double spends here because of the extreme difficulty of cloning the smartcards involved.
So to execute the double spend you would have to find an authorized card provider, convince them to load and sign your double spend-capable program onto the smartcard (with their signature!), and then be found out within a week when reconciliation is off.
So doing a double spend will be found out, and not only will you be on a bunch of cameras doing the thing, whoever made your card will also have been compromised.
I think that in practice the "eventual" reconciliation is fairly quick nowadays. Just that the offline spend can happen quickly, and then the packet gets sent over the wire maybe a minute later rather than before the spend is approved.
It's really not that big of an issue when the spends are reasonable sized (e.g. public transport). You don't need to prevent literally all fraud, just enough that it becomes an acceptable cost of doing business. Fielding customer complaints because they couldn't ride due to an offline reader isn't free either.
> I think that in practice the "eventual" reconciliation is fairly quick nowadays. Just that the offline spend can happen quickly, and then the packet gets sent over the wire maybe a minute later rather than before the spend is approved.
This is definitely the case, and it's also "relatively instant" in the happy path. There are cases like vending machines, or during system outages where the reconciliation happens much later, but those instances are definitely becoming rarer!
Maybe you can, but I had the impression that it would be quite difficult given physically unclonable function-y stuff. Handwave-y and I have no clue if Suica-style payments use it but that was my impression.
It's been in widespread use for a while at this point so in practice probably not. I imagine the authentication keys to present as a card are very tightly controlled and not just anyone can become a provider.
In Taiwan, there is a similar system called EasyCard. That works offline.
...And as you expect it is vulnerable to double spend attacks. Hilariously the vulnerability was revealed in 2014 and nothing has been done to mitigate it. Yes, you can double spend in Taiwan today if you don't mind risking jail time.
From my (rudimentary) understanding of CAP, there is no prefect solution to this. I wonder how Japan handles it.
Not really - what's the attack? You could maybe somehow clone a card with a balance on it and spend that balance twice, if you can figure out that a particular terminal is offline (or have a way to take it offline), but how do you turn that into an attack that you can scale enough to cover the fixed costs? You're not getting your own terminal without a contract and due diligence on your company, so you can't really pull off an attack that needs to control both sides.
FeliCa uses mutual authentication with eventual bookkeeping and sync. I believe that there are some theoretical attacks on older cards but the terminals are regularly synchronized and get a ban list. In-practice, you’ll also be reported to the police, probably.