Comment by can16358p

2 years ago

And how does the PoS machine work then?

In the edge case where there is no cell service yet the PoS device has connectivity (e.g. WiFi or other cellular service) they might set up a WiFi access point for users to get push notifications (assuming the 2FA method is not archaic insecure SMS).

Personally, I am substantially more suspicious of whatever random WiFi network I'd need to connect to in this scenario than I've ever been with payment terminals out in the wild. There's so, so much more attack surface on my phone than there is with my credit card, and resolving fraud on the credit card is as easy as a phone call to the issuer (at least in the US). No such luxury if my device gets pwned, or networks are MITM'd, or I'm associated with suspicious activity originating from this network.

  • While a random WiFi network isn't what I'd love to join too, at least it's an option for receiving a code through an encrypted channel (push notifications).

    If that encryption can be MITMed, then there is a much bigger problem as any traffic can be MITMed at cellular network level anyway, voiding out any WiFi-MITM concerns.

  • The PoS asks for the PIN on sales > 50e for 99% of the population; you can change your personal limits, but still.

    This is not SMS-based 2FA but a physical/Android-based PoS, which the bank lends you, to charge with.

PoS can do offline transactions and sync them later, if the merchant is willing to accept the risk.