Nope. It’s an encrypted tag that only the issuing service can decrypt. The transmission is also signed and verified to confirm it’s coming from a white-listed issuer and acquiring service.
Discussion
If the holder has lost it, or think it’s compromised- they can immediately re-issue, rendering the old tag useless.
Or to phrase it better
Is it possible to read the tag without authentication and does having the data on the tag provide full access to the safebox
Yep, you can read the tag. Layered security my friend.
Encrypted tag, needs to be read by the acquiring server that signs any requested that are forwarded. The wallet service is accessed via a NWC secret (encrypted on card) that can be rotated at will. The wallet nsec is not exposed. Only the NWC service has the full security context to do anything on behalf of the user. The encrypted tag , if spoofed, can only be submitted by a 'trusted' server - an npub on a white-list otherwise the call won't be honored. Can easily graft on real-time fraud detection at the NWC server, if I want. Just another layer.
Still implementing all the pieces, but a layered approach.
Okay so it’s basically an overly complicated way of saying cloneable magstripe
But it's cheap!
For $1 more you can get about 50x more security
Which is perfectly fine. I can layer that all back in when the time is right. The goal is accessibility first - enable someone's crappy Android phone to send and receive payments, first.
And by the way, $1USD is about a day's wage in most parts of the world. The tags, I can get as low as $0.10 and whi h can be provisioned and used without a phone.
Don't get me wrong, I take security very seriously, but in certain parts of the world, you can't even carry a phone with you, much less have the updated gear to read a smart card.
put AI in it and Sam Altman might offer you a couple billion! You could beat Ivy to the punch 😂
In all seriousness, neat project, I like seeing all the work you're doing on this stuff.