Nostr Web Client

Or to phrase it better

Is it possible to read the tag without authentication and does having the data on the tag provide full access to the safebox

Tim Bouma 7mo ago

Yep, you can read the tag. Layered security my friend.

Encrypted tag, needs to be read by the acquiring server that signs any requested that are forwarded. The wallet service is accessed via a NWC secret (encrypted on card) that can be rotated at will. The wallet nsec is not exposed. Only the NWC service has the full security context to do anything on behalf of the user. The encrypted tag , if spoofed, can only be submitted by a 'trusted' server - an npub on a white-list otherwise the call won't be honored. Can easily graft on real-time fraud detection at the NWC server, if I want. Just another layer.

Still implementing all the pieces, but a layered approach.

Reply to this note

Please Login to reply.

Discussion

semisol 7mo ago

Okay so it’s basically an overly complicated way of saying cloneable magstripe

Tim Bouma 7mo ago

But it's cheap!

semisol 7mo ago

For $1 more you can get about 50x more security

Tim Bouma 7mo ago

Which is perfectly fine. I can layer that all back in when the time is right. The goal is accessibility first - enable someone's crappy Android phone to send and receive payments, first.

And by the way, $1USD is about a day's wage in most parts of the world. The tags, I can get as low as $0.10 and whi h can be provisioned and used without a phone.

Don't get me wrong, I take security very seriously, but in certain parts of the world, you can't even carry a phone with you, much less have the updated gear to read a smart card.

semisol 7mo ago

If you can read an NFC tag you can read a modern smart card

Tim Bouma 7mo ago

Technically yes, but those smart card are looking for some extra stuff before they return anything.

As I stated earlier, it's easy to layer this stuff on later, when warranted.