boltcard/docs/CARD_PRIVACY.md
2023-04-15 10:54:15 +01:00


# Card Privacy

## Payment tracking

This document describes the different levels of privacy possible with bolt card implementations.

## Card NDEF

The URI that is programmed into the card and returned as the NDEF consists of three parts.

  1. The static part
  2. The encrypted part
  3. The authentication part

```
lnurlw://card.yourdomain.com/ln?p=A2EF40F6D46F1BB36E6EBF0114D4A464&c=F509EEA788E37E32  URI example

lnurlw://card.yourdomain.com/ln?p=                                &c=                  static

                                  A2EF40F6D46F1BB36E6EBF0114D4A464                     encrypted

                                                                     F509EEA788E37E32  authentication
```
| part | use |
| --- | --- |
| static | specifies the protocol and service location as a URI |
| encrypted | unique id and counter values encrypted by the card |
| authentication | a value to authenticate that the entire URI is as generated by the card |

## Card privacy levels

In order for the system to work, the card must provide the point-of-sale with a URL for the backend server. For maximum privacy, it should not be possible for the point-of-sale to identify the card any further than this.

Unfortunately, early implementations do not have this fully built out.

You can check your card(s) by reading the NDEF value (e.g. with the NXP TagInfo app) and looking for a static identifier or a static UID value. This tells you the level of privacy that was implemented when the card was created.

| Privacy level | Static id | UID plaintext |
| --- | --- | --- |
| minimal | yes | yes |
| good | no | yes |
| best | no | no |
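As an added example (not code from the boltcard project), the following Python splits a card's NDEF URI into the three parts described under Card NDEF and applies the table above to it. The expected lengths of `p` and `c` are taken from the example URI on this page; the `/ln` default path and the assumption that a static identifier shows up as an extra query parameter or as a non-default path are mine.

```python
from typing import NamedTuple
from urllib.parse import parse_qs, urlsplit

# Field lengths taken from the example URI on this page:
# p is 32 hex characters (16 bytes), c is 16 hex characters (8 bytes).
P_HEX_LEN = 32
C_HEX_LEN = 16
HEX_DIGITS = set("0123456789abcdefABCDEF")


class NdefParts(NamedTuple):
    static: str          # scheme, host, path and the fixed query keys
    encrypted: str       # the p value, changes on every tap
    authentication: str  # the c value, authenticates the whole URI
    extra: dict          # any other query parameters found in the static part


def split_lnurlw(uri: str) -> NdefParts:
    """Split a card's NDEF URI into its static, encrypted and authentication parts."""
    parts = urlsplit(uri)
    if parts.scheme != "lnurlw":
        raise ValueError(f"not an lnurlw URI: {parts.scheme!r}")
    query = parse_qs(parts.query, keep_blank_values=True)
    p = query.pop("p", [""])[0]
    c = query.pop("c", [""])[0]
    for name, value, length in (("p", p, P_HEX_LEN), ("c", c, C_HEX_LEN)):
        if len(value) != length or not set(value) <= HEX_DIGITS:
            raise ValueError(f"{name} must be {length} hex characters, got {value!r}")
    static = f"{parts.scheme}://{parts.netloc}{parts.path}?p=&c="
    return NdefParts(static, p, c, {k: v[0] for k, v in query.items()})


def static_identifier_present(uri: str, expected_path: str = "/ln") -> bool:
    """True when the static part carries a per-card identifier (the 'tracker' level).
    Assumption (not stated on the page): such an identifier appears either as an
    extra query parameter or as a path that differs from the service's fixed path.
    """
    parts = split_lnurlw(uri)
    return bool(parts.extra) or urlsplit(uri).path != expected_path


def privacy_level(uri: str, uid_readable: bool, expected_path: str = "/ln") -> str:
    """Apply the page's table: static id -> minimal; else UID readable -> good; else best.
    uid_readable must come from an NFC read of the card (e.g. NXP TagInfo): the URI
    alone cannot show whether the Random ID feature is enabled.
    """
    if static_identifier_present(uri, expected_path):
        return "minimal"
    return "good" if uid_readable else "best"
```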

### Minimal privacy (aka tracker)

An identifier is included in the static part of the lnurlw. This is used on the server side to look up the decryption key and the authentication key per card. This is how early systems were implemented and allows the point-of-sale devices to track the use of the card.

### Good privacy

There is no identifier included in the static part of the lnurlw. This is made possible by holding the decryption key at database level. The authentication key is still recorded per card.

This protects against leaks of point-of-sale databases and log files; however, an untrustworthy point-of-sale could still obtain the card UID using proprietary NXP commands.

### Best privacy

There is no identifier included in the static part of the lnurlw. In addition, the UID field is made inaccessible via NXP proprietary commands by using the Random ID feature.

This protects against individual card tracking by trustworthy and untrustworthy point-of-sale systems.