Still, neither of the systems can be called perfect. I prefer QR, but we cannot deny that NFC, where it's supported, can be much more convenient to use (and of course, this means lower security).
Is it really any more convenient though? Open your wallet and hold it next to the terminal for a second or two versus open your wallet and point it at a QR code for a second or two. It really doesn't seem any different to me?
Well, with QR, you have to scan twice, right? So it's one extra step in a way. But a single extra QR code scan (usually doable in ~1s) can hardly justify the weakened security.
And then the only problem remaining may be that NFC is not supported by so many devices (as QR would be).
I disagree here. NFC provides a route for data to enter and leave your device, which has the potential to be exploited. Who's to say someone can't develop malware which can be loaded on to your device just by standing or sitting near you, similar to RFID skimming? Unlikely, but possible. It's an unnecessary risk.
That's correct. When using QR codes, you know that data can only be exchanged when the phone is physically out of your pocket and pointed at a QR code, while NFC can work through clothes and inside bags without user notice. If I walk around with my phone in my hand and someone tries to hold a QR code in front of it, I'd obviously notice, while that can't be said about a powerful 'evil' NFC transceiver in someone's backpack probing for vulnerable devices.
With OCR being so advanced, why are QR codes needed over just human-readable strings? I can't translate a QR code by looking at it. Even if the string was long, between NFT capabilities and human-readable addresses a better compromise could be made.
This is a terrible idea. Aside from the fact that you can't verify a PSBT by just looking at it anyway, QR codes are much faster and more reliable to scan through the pattern, alignment squares and built-in checksum / error correction. OCR often messes up things like l and I (lowercase L and uppercase I) or sometimes even mistakes those for a pipe |. It's even hard for humans to distinguish.
I was thinking how to test all wallets to see how exactly they are using QR codes and NFC chips in their devices.
Good idea; if you whip up a thread for it, I'd contribute by analyzing / sending in Passport v1 and v2 codes. Pretty sure it's standard PSBT (unencrypted) by looking at the code, but I have to verify. I also expect / hope this is the industry standard and only Safepal puts some closed-source encryption around it, but it would be interesting to gather info on all QR-based HW models in one place.
An NFC chip is always on. It can transmit without me noticing, which isn't possible with QR codes.
Maybe you can turn off the NFC function on smartphones, but can you really prove you really turned it off, or is it just on standby?
I know some phones can spy on their users and perform some functions even if they are turned off, so the best way would be to put the phone or device in a Faraday cage bag.
This is kind of off-topic, but I'm following Framework's developments and recently they mentioned starting development for a new 'product category'. I really hope it will be a Linux smartphone with hardware toggles for sensors and antennas, just like on their laptop. I don't have it, but would buy it if I needed a laptop, from what I've seen about it so far.
The security risk of connecting to WiFi is the same as connecting to the internet any other way. I don't think there is any way to inject anything into your device through WiFi, but it is trivial to inject something through a direct connection via cable.
This is not true.
Wi-Fi has a multiple times higher risk, especially if you are using a public spot network.
Well, if you know all the websites you visit and all the applications / programs you use are restricted to HTTPS and deny connections to outdated SSL / TLS standards, it should be safe to use. In practice, it's not so simple to ensure this, so any data transmitted without encryption to an open WiFi router can be intercepted and read by anyone. One mitigation would be using a VPN, since that 'packages' up everything, no matter if HTTPS or HTTP traffic; however, VPNs pose a risk themselves, too. Soo 'I don't think there is any way to inject anything into your device through WiFi' is honestly wrong.