
Comment by sethhochberg

2 years ago

Personally, I am substantially more suspicious of whatever random wifi network I'd need to connect to in this scenario than I've ever been with payment terminals out in the wild. There's so, so much more attack surface on my phone than there is with my credit card, and resolving fraud on the credit card is as easy as a phone call to the issuer (at least in the US). No such luxury if my device gets pwned, or networks are MITM'd, or I'm associated with suspicious activity originating from this network.

While a random WiFi network isn't what I'd love to join either, at least it's an option for receiving a code through an encrypted channel (push notifications).

If that encryption can be MITM'd, then there is a much bigger problem, as any traffic can be MITM'd at the cellular network level anyway, voiding any WiFi-MITM concerns.

The PoS asks for the PIN on sales > €50 for 99% of the population; you can change your personal limits, but still.

This is not SMS-based 2FA but a physical/Android-based PoS to charge the bank lends you.