I'm looking to perform authentication of a user in a mobile app, through NFC read of a Visa card.
When checking what's provided in the result of this "NFC read" (through the use of publicly available apps, for example), I see the card number, expiration date...
But my concern is that this data can be obtained through a phishing website or by social engineering.
Is there some kind of "technical id" that can be fetched through NFC and allow to identify the card, but that the user could not see directly (so he or she cannot be tricked into providing it to a fraudster)?
Hi, @ryden. Thank you for your question! Our agent is looking into this and will get back to you with more information as soon as possible. -Jenn
I'm getting that the ideal solution would be to perform an Offline Data Authentication (ODA) with Dynamic Data Authentication (DDA): a challenge generated by the app and signed by the EMV chip over NFC, with a key provided in a certificate itself signed by Visa?
That way the app would be autonomous to ensure that the detected card is an actual one, with an offline single-use challenge cryptographically signed by Visa, am I right?
The Android API seems to give low-level access to the NFC, so it should be possible.
On the Apple side, I'm not sure if it's possible, as it's a procedure usually performed directly by the Apple Wallet?
Is there any documentation on how to implement this challenge (DDA ODA over NFC) in Kotlin & Swift?
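
The app-side check that the DDA challenge-response described above relies on, as an added example (not code from this thread or from Visa): it recovers the Signed Dynamic Application Data with the card's public key and checks the EMV Book 2 block layout and the hash over the app's challenge. It assumes the ICC public key has already been recovered and validated through the certificate chain; `verifySdad`, `simulatedCardSign`, the throwaway 1024-bit key and the sample ICC dynamic data are hypothetical stand-ins for a real card.

```kotlin
import java.math.BigInteger
import java.security.KeyPairGenerator
import java.security.MessageDigest
import java.security.interfaces.RSAPrivateKey
import java.security.interfaces.RSAPublicKey

// Left-pads (or strips BigInteger's sign byte) so the value is exactly len bytes.
fun toFixed(x: BigInteger, len: Int): ByteArray {
    val raw = x.toByteArray()
    val skip = maxOf(0, raw.size - len)
    return ByteArray(len).also { raw.copyInto(it, len - (raw.size - skip), skip) }
}

// SHA-1 over the recovered fields (format byte through padding) plus the app's challenge.
fun ddaHash(block: ByteArray, challenge: ByteArray): ByteArray =
    MessageDigest.getInstance("SHA-1").run { update(block, 1, block.size - 22); update(challenge); digest() }

// Returns the ICC Dynamic Data if the signature is valid for this challenge, else null.
fun verifySdad(sdad: ByteArray, icc: RSAPublicKey, challenge: ByteArray): ByteArray? {
    val n = icc.modulus; val len = (n.bitLength() + 7) / 8
    val s = BigInteger(1, sdad)
    if (sdad.size != len || s >= n) return null
    val rec = toFixed(s.modPow(icc.publicExponent, n), len)
    val ldd = rec[3].toInt() and 0xFF
    val headerOk = rec[0] == 0x6A.toByte() && rec[1] == 0x05.toByte() && rec[2] == 0x01.toByte()
    if (!headerOk || rec[len - 1] != 0xBC.toByte() || ldd > len - 25) return null
    if ((4 + ldd until len - 21).any { rec[it] != 0xBB.toByte() }) return null
    val hashOk = MessageDigest.isEqual(ddaHash(rec, challenge), rec.copyOfRange(len - 21, len - 1))
    return if (hashOk) rec.copyOfRange(4, 4 + ldd) else null
}

// Stand-in for the chip (constructed): builds the EMV block and applies the private key.
fun simulatedCardSign(key: RSAPrivateKey, challenge: ByteArray): ByteArray {
    val len = (key.modulus.bitLength() + 7) / 8
    val iccDynamicData = byteArrayOf(0x02, 0x11, 0x22) // constructed sample value
    val block = ByteArray(len) { 0xBB.toByte() }
    byteArrayOf(0x6A, 0x05, 0x01, iccDynamicData.size.toByte()).copyInto(block)
    iccDynamicData.copyInto(block, 4)
    block[len - 1] = 0xBC.toByte()
    ddaHash(block, challenge).copyInto(block, len - 21)
    return toFixed(BigInteger(1, block).modPow(key.privateExponent, key.modulus), len)
}

fun main() {
    val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(1024) }.generateKeyPair()
    val challenge = ByteArray(4).also { java.security.SecureRandom().nextBytes(it) } // fresh per tap
    val sdad = simulatedCardSign(kp.private as RSAPrivateKey, challenge)
    println(verifySdad(sdad, kp.public as RSAPublicKey, challenge) != null) // response to this challenge
    println(verifySdad(sdad, kp.public as RSAPublicKey, byteArrayOf(9, 9, 9, 9, 9)) != null) // replayed
}
```

Because the hash covers the app's own random challenge, a response captured earlier fails the check when replayed against a different challenge, which is what separates this from reading a static card number.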