New NXP SoC Gives Android Its Apple Pay 122
dkatana writes: NXP, having worked with Apple on Apple Pay, is now launching its PN66T module for secure NFC mobile transactions — for Android. It's intended to implement the same functionality of Apple Pay. While NXP claims the module is OS independent, the features clearly indicate that Android devices are the likely recipients of the SoC. The PN66T is Europay, MasterCard, and Visa (EMVCo) certified, and also supports American Express ExpressPay, thus fully covering the three big credit card companies, ensuring compatibility and interoperability with existing and future payment methods.
Re:SoC? (Score:5, Informative)
SoC is system on a chip.
Re: (Score:1, Troll)
Re: (Score:2)
NXP is a huge secure element provider. (Score:5, Insightful)
NXP making a secure element for any OS is about as shocking as nVidia making a GPU.
That is what they do.
Re: (Score:1)
Yes, it is what they try to do.
Re: (Score:3)
Yeah, but see, since the apple marketing machine finally got around to making "replacing your credit cards" as essential feature of smartphones(in the US), everyone who already had all the tech to do it is eager to be the public face of doing it on Android.
nVidia making GPUs would be "news" if somehow it became popular and cool to discuss GPUs in public.
Re: (Score:2)
Everybody had USB but nobody used it until the iMac
That's how I remember it
Re: (Score:3, Informative)
Re: NXP is a huge secure element provider. (Score:2, Informative)
Umm, no.
Apple was the first vendor to ship machines that were USB only for peripherals. At that point USB had been on the market 2-3 years with virtually zero uptake.
They boot-strapped the market for USB peripherals , by shipping a lot of machines that were USB only. It would have languished for at least another 3-5 years otherwise , if not longer.
FireWire did not come on the scene from Apple for 2 years after that.
Re: (Score:2)
Re: (Score:2)
It's 100% fucking true.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Firewire is a bigger security threat than USB in many ways, namely that it is a bus with direct memory access, meaning it can read and write anything in RAM at any time.
There is a DMA component, a quick search reveals they haven't fixed that either yet. Bah.
The USB attack vector has nothing to do with USB itself; it's a flaw in a poor quality devices that allow their firmwares to be reprogrammed, enabling them to act as a different class of device.
This is both wrong and technically right. It has everything to do with the design of USB, and nothing to do with any "flaws" in "poor quality devices". The problem lies in that USB trusts the device to be what it says it is, even if that is more than one thing.
There is no reason Firewire would not be vulnerable in the same way, were a Firewire device's firmware made writable in the same way as the vulnerable subset of USB devices; only the exposure would be worse, given Firewire's DMA. Likewise with Thunderbolt, as it also has DMA.
Might as well add expressCard, PCI, PCIExpress, and anything else with DMA capabilities.
I love the fact that you can take over a computer by plugging in a storage device
Citation? Maybe there's something I missed, but I think you're thinking of this [pcmag.com], in which case: Nope. Well, no more than a device with direct memory access. In fact, a little less.
I was referring to WIred's story [wired.com]
Also, maybe try getting a USB3 hub that i
Re: (Score:2)
There is a DMA component, a quick search reveals they haven't fixed that either yet.
You mean that drivers can determine whether they, themselves, require DMA? That's no worse than the device having DMA itself; in fact, it's damn sight better, given that Firewire device doesn't even have to identify itself, let alone have that identity accepted by the system, to gain that level of access, meanwhile a USB device must identify itself as a device whose driver required DMA, that driver must be present, and it must emulate that device well enough to fool the driver into actually talking to it;
Re: (Score:1)
meanwhile a USB device must identify itself as a device whose driver required DMA, that driver must be present, and it must emulate that device well enough to fool the driver into actually talking to it; the bar is a fair bit higher with USB than DMA.
I didn't see any of that in the Wired story. It essentially stated: "plug it in, it infects your PC, Antivirus software is useless, and future USB devices plugged into your system can be infected". When Bruce wrote about it [schneier.com] along with quite a few others, the evidence seems to point to a rather bad security flaw.
If you're worried about USB, you need to be terrified about the other busses in your system.
The short answer to this one is I only usually have 1 set of devices that are relatively permanent for those other buses. It's not a thumbdrive that gets passed around.
Then why don't I see an issue with it when I connect 2 portable drives (bare enclosures in which I've put a couple of Samsung SSDs) via a USB hub? Also, if not a hub, why did you say:
"Hook 2 devices up to a USB 3 hub, watch yourself get lower than USB 2 speeds"?
I'd figure there'd be no reason to mention a hub if you didn't use one.
All USB controllers on motherbo
Re: (Score:2)
I didn't see any of that in the Wired story. It essentially stated: "plug it in, it infects your PC, Antivirus software is useless, and future USB devices plugged into your system can be infected". When Bruce wrote about it along with quite a few others, the evidence seems to point to a rather bad security flaw.
Well, as USB itself does not provide DMA (again, this is requested and handled at the driver level), a USB device can do absolutely nothing until the system recognizes it and starts talking to it (e.g. via a driver). You clearly didn't follow what you've read, or you'd understand that the nature of this vulnerability is that many devices don't have firmware programming disabled and can be reprogrammed to behave as other devices (in fact, you do seem to understand this, as you said "The problem lies in that
Re: (Score:1)
Which, of course, means the devices have to be identified by the system and a driver has to exist for whatever they identify as.
I was relatively sure that part of the problem was that the system's USB controllers could also be coopted by plugging in a bad USB device, whether the system recognized said device or not. At that point, as long as your system recognizes any USB devices, you're toast. Correct me if I'm oversimplifying the problem.
Firewire is still fairly widely used in media production, and the devices using it include cameras, control boards, and DAT decks, which do get passed around.
Yes it is, although disappearing rapidly, at least from the set of cameras I looked at last year.
And without USB, where do you think you'd plug that thumb drive?
I could see thumb drives going to a ROM only version in the near future. That solves the trust issu
Re: (Score:2)
I was relatively sure that part of the problem was that the system's USB controllers could also be coopted by plugging in a bad USB device, whether the system recognized said device or not.
Then you've not read up on the issue as much as your stong opinions on it would seem to imply.
Correct me if I'm oversimplifying the problem.
I've been trying...
I'll also bet your SSDs are on SATA connections, those are 1:1 internal, you mention that yourself.
You know what else I mentioned?
Then why don't I see an issue with it when I connect 2 portable drives (bare enclosures in which I've put a couple of Samsung SSDs) via a USB hub?
Indeed, I've been trying in vain, as you clearly don't read. Mind you, these are drive I use every day for high-speed media transfer. I'm sure I don't know WTF I'm talking about, though, and the world is just bending to my will. Right?
As you've shown a complete unwillingness to actually consider that you may be wrong, or to even read the posts you're replying to,
Re: (Score:1)
As you've shown a complete unwillingness to actually consider that you may be wrong, or to even read the posts you're replying to, let alone the linked information (because you're likely sure it'll prove you wrong), I think we're done here. I'm sure anyone reading this will have read everything, leaving you the only one who still thinks you're right.
And yet you completely ignore the reference to the explanation of why USB speeds are far far lower than what you'd expect, and why your sanctimonious statements are nothing more than anecdotal hot air. Take a good look at the following snippets: From the spec:
Just 1 Samsung SSD
Re: (Score:1)
got dropped prior to the line:
"Now we're down to 300 MB/s."
Re: (Score:2)
Re: (Score:1)
You're still side-stepping. I stated:
These are all true statements backed by references. I note that you mislead frequently by bringing in unrelated items (Tbolt, DMA, intentional confusion about hubs, etc). Because I keep moving back to these points mean I'm staying on topic, instead of going down whatever
Re: (Score:2)
there were performance issues with the USB bus
Were. Moving on.
running multiple connections on a single bus drop performance way way down
Not nearly to the levels you claimed. I have not disputed that there is a performance impact; in fact, I discussed that in one of my posts.
USB can be compromised with merely plugging in an infected USB device.
It cannot. You need to actually read up on BadUSB. I've pointed you to a few references, and you've pointed out a few, yourself, that you've clearly not read, or at least not understood. It's either willful ignorance, you not being willing to adming you might be wrong and go back and actually read, or you simply are incapable of understanding the subject
Re: (Score:2)
Re: (Score:1)
there were performance issues with the USB bus
Were. Moving on.
running multiple connections on a single bus drop performance way way down
Not nearly to the levels you claimed. I have not disputed that there is a performance impact; in fact, I discussed that in one of my posts.
Still are, per your own admission. But moving on.
USB can be compromised with merely plugging in an infected USB device.
It cannot. You need to actually read up on BadUSB. I've pointed you to a few references, and you've pointed out a few, yourself, that you've clearly not read, or at least not understood.
I trust certain people when they say "it is 'x' bad". Bruce is one of those. I briefly reviewed this again, and what I get out of it is if the bus is alive, this works. Obviously, if the bus is disabled, it's not going to be infected. So, is Bruce wrong?
BTW, I did learn that Macs since 2012 are no longer subject to the DMA attacks.
Yes, by way of disabling DMA for the Firewire bus.
Interesting, thought it was to create a virtually mapped 4GB space, thus preventing random reading of the lower 4GB of potentially OS memory which shouldn't have that significant an impact on performance. That
Re: (Score:2)
Re: (Score:1)
I reviewed them more carefully. I get the following: if the USB bus is active and in use, at least some of the attack vectors work. Perhaps part of the miscommunication is that BadUSB isn't just 1 attack, but many different potential ones. I wrap them all up (perhaps incorrectly for this discussion) as a single attack vector. While being a supported device certainly expands the range of attack possibilities, being unsupported by no means eliminates the threat. The controller on the host can still be reprogr
Re: (Score:2)
I reviewed them more carefully. I get the following: if the USB bus is active and in use, at least some of the attack vectors work.
BadUSB, by name, is a specific attack that requires cooperation of the host.
Perhaps part of the miscommunication is that BadUSB isn't just 1 attack, but many different potential ones. I wrap them all up (perhaps incorrectly for this discussion) as a single attack vector.
And there's our problem, yes. Perhaps, now that we've identified that, it's worth continuing this conversation.
While being a supported device certainly expands the range of attack possibilities, being unsupported by no means eliminates the threat.
But it does eliminate the threat we're discussing here.
Re: (Score:2)
The controller on the host can still be reprogrammed, for instance
In theory. In practice, it is the controllers on the devices that are being left in a programmable state; host controllers conforming to the spec aren't programmable from the USB bus, so a system susceptible to such an attack would be so in spite of the USB spec, not as a result of it. This is not BadUSB.
and the bus communications can be sniffed
Yes, as with any serial bus. However, the spec allows for shutting down ports with no recognized device connected, so the device would have to be recognized, or the host controller not compliant with the sp
Re: (Score:2)
in fact, several attack vectors occur before the OS is even in play
In fact, only one theoretical attack, based on a host controller violating the USB spec, occurs before the OS is in play (for purpose of a USB keyboard, the BIOS or EFI is the OS). This was discussed earlier in this very post and it is not BadUSB.
Finally, most systems will enable the keyboard USB device, so any claims of the original device not being supported are moot, since it can spoof itself as anything at any time, including the keyboard.
Wow! Now that is BadUSB! And if it spoofs a keyboard, it can do anything a keyboard can do. Nothing more. You can do some pretty awful things with a keyboard (as you've shown), but nothing on the level you're freaking out about. Spoofing a network adapter and sniff
Re: (Score:1)
you, sir, are wrong. That's what BadUSB is, reprogramming a device to behave as another device. Nothing more. Does it enable a variety of attack vectors that were previously impractical? Yes. But it doesn't do so entirely silently. I suggest you familiarize yourself with the USB spec [usb.org] to further your understanding on this matter.
I see where the problem is, BadUSB isn't at all what you think it is. Your hubris is poking you in the eye again. From the Wired story:
Re: (Score:2)
Re: (Score:1)
For the record, Wired isn't exactly a first-class source.
No, but I suspect you'll also find some issue with Nohl and Lell's presentation [srlabs.de], and also perhaps the BadUSB homepage [srlabs.de].
Re: (Score:2)
Re: (Score:1)
Since I managed to find that last quote on my own, but I still cannot find any reference to DMA in relation to BadUSB, I'll ask, instead, for a quote or reference for that. Again, greatly appreciated.
I think we've addressed everything else, so I'll clarify this one: the reference to DMA was to FireWire et al security issues, and the fact that DMA access won't allow you to reprogram your BIOS/EFI, at least not as far as I'm aware of. I meant nothing more by this statement, nor did I mean to imply that USB allowed DMA access.
To sum up, BadUSB is a demonstration program of a collection of USB attacks allowed by a combination of poor spec security and bad controller implementation. If the USB bus is live,
Re: (Score:2)
The point is that this shows the depth of what can be done given the current implementation and spec design short-comings
Except that these aren't shortcomings of the spec and, in fact, are never presented as such by Nohl and Lell. Quite the opposite, it is stated in their presentation that you (as a user) want these design features, the ability for a device to be multiple things (e.g. a video and audio device, a-la a webcam) and the ability for a device that can't talk to its driver to reattach itself to the bus as a CD-ROM drive to provide the driver. They referred to these as features, not flaws, and very clearly placed the
Re: (Score:1)
Except that these aren't shortcomings of the spec and, in fact, are never presented as such by Nohl and Lell...They referred to these as features, not flaws, and very clearly placed the blame on the devices, stating that the fix is to make the devices themselves not reprogrammable.
I agree that they are features, and that the devices being reprogrammable is a problem. That still doesn't alleviate the fact that a bus designed to carry adhoc device traffic has 0 security features associated with it. There's no cryptographic signing, no validation. No notification that a new device hooked up. Etc. Those are the deficiencies in the spec. It's like saying that DOS has no design flaws related to user security. You can argue that there was no intent to provide system security, but that prove
Re: (Score:2)
You obviously were not old enough to actually live through the 90's because if you had you would know that:
1) USB was not even part of the original Winows 98
2)Apple released the iMac in 1998 and only had USB ports, dropping all legacy ports
3) the iMac was released three years before the iPod
4) You suck at history
Re: (Score:2)
1) You're thinking of Windows 95 [wikipedia.org], which didn't see USB support until OSR2.1.Windows 98 did, in fact, ship with USB support [wikipedia.org].
2) USB 1.0 debuted in 1995, USB 1.1 in 1998 [usb-facts.com]. The iMac G3 did drop legacy ports as you claim, but is that a pair of Firewire ports I see [allusb.com]? Yes, becau
Re: (Score:2)
Re: (Score:2)
As opposed to what? A mag stripe?
An NFC chip requires the device be within millimeters of a terminal to activate. The payment system itself is anonymous and provides perfect forward secrecy of your financial information. To activate the payment you have to have to authenticate. That can be done with a pin or in Apple's case, a thumb print.
I will take that system over a stupid mag strip or even a chip and pin.
Re: (Score:2)
That's called "broken".
There ar
Re: NXP is a huge secure element provider. (Score:2)
RFID technology is a diverse group of tech. NFC requires near contact to activate. RFID used in passports are not NFC, broadcasts without authentication and does not encrypt the data. NFC is nothing like that.
Re: (Score:2)
I wasn't comparing this to RFID, I was just saying it was the same guy who did both.
It was proven that not only can NFC connections can be made from any arbitrary distance, credentials can be snarfed even when the phone is not making a transaction.
Distance for a transfer depends solely on the equipment used and size (or architecture) of the antenna. Anybody who knows much about RF will tell you the same thing.
Re:So Android DOESN'T have an Apple Pay equivalent (Score:5, Informative)
They do. It's called Google Wallet. Do literally any research, dude.
Equivalence (Score:5, Informative)
Functionnally: They are equivalent.
- In both case, it's a payment system, and supports NFC protocol so that you can pay wirelessly just buy putting the phone next to the payment machine.
Hardware-wise: They are not exactly the same.
- Google Wallet is just a generic payment system (like PayPal, etc.) In most phone, it's simply the OS (Android) being able to talk over NFC to the payment machine. It's up to the OS and Application to hangle security any way they choose (might or might not involve hardware - most implementation do not. But some smartphone did have some form of it).
- Apple's system specifically uses a separate piece of hardware: a TPM-like chip that is secured and hardened and holds the actual banking information (which never leaves the chip). Security is by definition handled by the specific chip.The whole systems works like a wireless credit-card with a smartphone bolted next to it, the smartphone being able to act as a GUI to the credit card, but the card handling the transaction themselves.
Some Android Smartphone did in fact work exactly like that. (Had a dedicated chip which was more or less a micro credit card, which handled the NFC talk it self and the smartphone merely interfacing with the card).
- NXP is a vendor of chip that makes hardware components for payment. They've worked on Apple's chip. They are now selling this chip for android smartphone manufacturers too.
Apple's emphasis is on security: They want their "dedicated non-hackable credit-card-on-a-chip" approach.
Google's emphasis is on making the technology available everywhere. High end phone will have a chip, low-end phone will simply emulate a virtual credit card by having a piece of software talk over NFC. But it's going to be available as widely as possible.
From a security point of view:
Meh.
Google's idea isn't the most secure ever: it rellies on the OS being good at correctly isolating and sandboxing apps. But bugs happen.
Apple's idea isn't perfect either. In theory, a separate piece of hardware is easier to make tamper proof. In practice, it's just a subpart of the same piece of silicon as the rest of the system (they are SoC. System-on-chip. Nearly the whole modern smartphone is a single chip) hacker are bound to find a way to leak sensitive data (I mean, for fuck's sake: hackers have been able to deduce GPG private key by reading signals leaking out of a compute. Noise. Captured by a smartphone's mic. If they can steal your crypto just by listening caps singing over a crappy mic, do you really think that a core on the same piece of silicon is isolated enough ?!)
(Ref) (Score:5, Informative)
I mean, for fuck's sake: hackers have been able to deduce GPG private key by reading signals leaking out of a compute. Noise. Captured by a smartphone's mic.
Ref [tau.ac.il]
Re: (Score:1)
Have you read the specification? The Secure Element of the NXP chip suports JavaCard.
That means you can implement any frigging payment system by writing Java code. The same is true for the NFC controllers built into Android Phones starting from the Nexus-S. Based on JavaCard as well.
The new NXP chip may have some new functionality, more RAM and storage, but from the functionality they are essentially the same.
This is no news. The technology for this has been around for several years now.
Re: (Score:2)
Google's emphasis is on making the technology available everywhere.
Google's emphasis is on saying "we did it first" without actually doing anything useful.
Google Wallet is not available outside of the USA. It works outside of the USA but it's not available nor supported. Actually that's a lie, it USED TO WORK outside of the USA with Google recently locking down the use of credit cards used outside the USA and not registered to addresses in the USA.
When Apple release most of their "ground breaking" features I typically just yawn and think it's about time they caught up.
When
Re: (Score:2)
You realize that political and regulatory reasons are harder to overcome than technical ones right?
Re: (Score:2)
That depends entirely if you try or not. What Google does is no different than Paypal, they offer an intermediate payment service. What Apple has done is significantly harder in terms of politics and regulations.
So why does Paypal work everywhere? Why has Apple had an *almost* round the world launch of their service? Why has Google Wallet been out 3 years (yes a FULL 3 YEARS) and yet not supported outside of one country so far?
All hurdles are insurmountable if you don't even bother attempting the jump. Goog
Re: (Score:2)
in both cases neither Google or apple relay your financial information to the vendor. Google generates a one time credit card number, apple uses a secure one time token as proof the funds are being credited to the vendor.
Re:So Android DOESN'T have an Apple Pay equivalent (Score:5, Informative)
Android has had a secure payment system, Google Wallet. Flagship Android phones used to include secure elements until Google implemented host card emulation in Android with KitKat. HCE eliminates the need for a hardware secure element. Europay, VISA and Mastercard have allowed the use of HCE for a while and American Express ExpressPay announced support for HCE a few days ago.
Re: (Score:2)
>> Android has had a secure payment system, Google Wallet.
Purchase data is shared with Google. By definition that is not secure
Re: (Score:2)
You better be using cash for all your transactions if you care about purchase history.
Your history, unless you are doing something shameful is not what people are after. they want access to your accounts and PH does not provide that.
Re: (Score:2)
Guess what - if you use Apple's wallet app, Apple will have access to your purchase data - or did you think Apple just hired all of the world's best psychics and decided to take 'em on faith?
Well, Apple "has access" in the sense that the data is there and they could upload it to their servers, but they won't. (You could argue that iCloud backup does so, but not in a way that they're collecting...)
Re:So Android DOESN'T have an Apple Pay equivalent (Score:4, Informative)
Except Apple doesn't.
Apple Pay is a virtual credit card. Google Pay is a debit account linked to a credit card.
When you use Apple Pay, the transaction details are between your bank and the retailer - Apple's involvement is in the set up part of the equation. Just like a credit card.
When you use Google Pay, the retailer hits your debit card (a virtual one when you set up Google Wallet), who then talks to Google to get funds to transfer to the account. Google gets all the transaction details because it's involved in the transaction.
That's the difference - Apple isn't involved at all in the transaction, and I'm sure that's true because every Android fanboy around is going to verify that fact for everyone.
It's also why Apple Pay counts as a card-present transaction, and Google Wallet doesn't.
Re: (Score:2)
It's also why Apple Pay counts as a card-present transaction, and Google Wallet doesn't.
From the retailer's perspective, actually, it does, as the virtual card Google Wallet presents is just as present as the details presented by Apple Pay. On Google's end, when they charge your card, it is not, so I guess you're partially correct. Assuming, of course, that you're funding your purchase with a credit card; it's a moot point if it's coming out of checking.
Re: (Score:2)
It is kind of hard to claim that for GW since you have to claim that, on top of someone stealing your device, they also have to have your wallet pin. then you have to explain why you did not suspend your wallet account when the device was stolen.
further more, you will probably get stuck with the charge if you failed to encrypt your device since you had the least secure technology in the chain of the transaction.
Re: (Score:2)
Re: (Score:2)
weird, since both Apple pay and Google Wallet carry the same costs for transaction.
Re: (Score:2)
>> Apple will have access to your purchase data
No they don't. Maybe try actually educating yourself before spouting off on a topic.
Big difference between VISA and my bank having my purchase data and me handing it over to an advertising company like Google. Never going to happen.
Re: (Score:2)
When you're wrong all you have left is insults.
Re: (Score:2)
Most mid and high end Android phones still use the secure element, which is also used for storing things like encryption keys. They are very cheap these days, much like how most business oriented laptops have TPM because it costs so little to implement.
HCE is so that very cheap phones can still do payments with Google Wallet. That will be really important in places like China, Asia and South America.
Re: (Score:2)
Re: (Score:1)
Long story short, I'm pissed that by 'upgrading' they took a feature I had and regularly used away.
Re: (Score:2)
HCE eliminates the need for a hardware secure element.
If you think that some software sandboxing is the equivalent of a "secure enclave" chip in terms of secure-ness, you're sadly mistaken.
I was under the impression that where phones have hardware (e.g. Nexus 5) it'll use it, and it provides emulation elsewhere so that Wallet can work across all Android devices with NFC, and the idea was to broaden support for the platform, not to say emulation is better or even preferred.
Re: So Android DOESN'T have an Apple Pay equivalen (Score:2)
Welcome to SIGINT (Score:3)
If you think that some software sandboxing is the equivalent of a "secure enclave" chip in terms of secure-ness, you're sadly mistaken.
If you think that a "secure enclave" is really secure, when its implemented as a SEPARATE CORE ON THE SAME FUCKING SILICON, you really don't believe in SIGINT.
In a world where scientist have been able to guess GPG private key just by analysing signal.
Accoustic signals: Noise.
Over a smartphone's crappy mic.
(Ref [tau.ac.il]).
Do you really think that a "secure" core on the same piece of silicon stands any chance?
Re: (Score:2, Interesting)
Not to say that secure elements are totally and completely secure, but they're more secure than crypto implemented in software (as your link so generously shows). They may both be vulnerable to government agencies, but software elements are vulnerable to casual physical (or remote, possibly) access to the device.
Side channel attacks on secure elements are not at all new. NXP et al actually design these chips with them in mind.
Your argument is comparing apples to oranges: because a gun was able to shoot thro
Re: (Score:2)
In my understanding of the Android docs [android.com] and this blog [blogspot.com], yes it can have one, Google Wallet use the harware secure element on supported devices. Recent Android releases added APIs too, for applications to emulate cards without access to the secure element, pure CPU based implementations, less secure but still an option.
Re: (Score:2)
Re: (Score:2)
Jeez, it's almost like an open software ecosystem can have a lot of variation.
Can you believe that there are droids with no cameras or touchscreens? Some aren't even phones!
Re: (Score:2)
The only people that won't like this are the companies pushing CurrentC and the scammers stealing credit card numbers.
Its a good thing for both Apple and Android users as it will help push the marketplace towards supporting sane and safe and private credit card transactions.
Re: (Score:1)
Not terribly. It's a lot harder to USE stolen banking numbers. You can't just punch the banking numbers into something and withdraw money, you have to have another US banking account... and write fake checks or something with it, which are then held. No the biggest flaw with CurrentC is taking that information and putting it on someone elses identity, and then using that stolen identity to commit fraud.
CurrentC's plan is ripe for identity theft, any solution that involves tracking consumer habits is. If suc
Re:So Android DOESN'T have an Apple Pay equivalent (Score:4, Informative)
Some devices have had a NFC based pay system. SoftCard comes to mind. It uses NFC, and an application on the SIM card, which is harder to attack than just another app on the phone.
Of course, there is the fact that SoftCard requires one to use a specific credit card... but the technology has been in place in a secure manner from the SIM card on up.
I'm just hoping Android's implemention of this is decently secure. CurrenC is waiting in the wings, and if Apple Pay and Android implementations flop, this will be waiting to become the primary payment provider... and it completely bypasses the credit card fraud protections, so if money is stolen... the consumer is stuck with the losses.
Re: (Score:2)
CurrentC has no chance of becoming the primary anything. It uses QR codes for gods sakes... virtually nobody will use it, no matter how much the merchants try to push it. It's already DOA and it hasn't even been officially launched yet.
-Matt
Re: (Score:2)
Why should I care? (Score:4, Funny)
Convenience! (Score:2)
Re: (Score:2)
1st world problems.
Visa in my country has been quick to upgrade their pos terminals for contactless payment. Who needs an iPhone?
Re: (Score:2)
My physical credit card (normal mag stripe) is compromised at least once a year and sometimes more often. I might not be liable for the fraud, but it is VERY inconvenient when it happens, the card gets locked out, plus it also causes my bank to start verifying more of the transactions which is just as inconvenient if I don't answer the text message quick enough and the card gets blocked for no reason.
It got so bad that around 2 years ago I got a second credit card so I could file it with trusted sites like
Re: (Score:2)
You're still paying for the fraud (Score:3)
Re: (Score:2)
At least my credit card doesn't run out of juice after 1-2 days in my pocket.
Give it to your wife. She can make that happen. [rimshot]
*yawn* (Score:2)
NFC alone isn't enough (Score:3, Informative)
You need NFC (which many Android devices have had for years)... but you also need an actual secure chip (not a software emulation or intermediary), and the ability to initiate payment without having to turn on the phone or type in a security code (i.e. a fingerprint reader), and you have to be able to do it with the phone locked and turned off (meaning you need low power hardware to detect the NFC and wake the phone up). And then you need the OS integration to make it all work together seemlessly. And it has to not leak information to anyone except your bank which obviously needs to have the information anyway... and there is no smart phone app on the market other than ApplePay which can make that guarantee. Certainly not Google Wallet. Or CurrentC. Or anything else. And it's better than chip-and-pin and tap-to-pay which both have physical security issues (though they are much better than mag stripe).
Android is missing too many pieces and it will be at least 1-2 years before it has them all. And even then there will be such a huge percentage of *new* android phones that won't have all the pieces that it will only create mass confusion for the general consumer.
The reason Google Wallet has been a failure to-date is that it (and all other smartphone-based payment systems except ApplePay) is simply not convenient to use compared to swiping a credit card. The reason ApplePay became the #1 smartphone payment mechanism overnight is because it's utterly trivial and convenient to use.
It took me exactly 3 seconds at the local Whole Foods to pull out my phone, tap it with my finger on the finger print reader, and put it back in my pocket. It takes me about as long to swipe my card if I don't have to sign, but half the time I do have to sign so ApplePay immediately wins because I never have to sign (at least not so far).
Eventually all smart phones will do it the Apple way. For now, though, and for the next 1-2 years at a minimum, Apple is the only smartphone game in town that actually works well. Chip-and-pin and tap-to-pay cards work almost as well... they can even be more convenient in some situations, but they don't cover all the security bases.
-Matt
Re:NFC alone isn't enough (Score:4, Interesting)
The reason Google Wallet has been a failure to-date is that it (and all other smartphone-based payment systems except ApplePay) is simply not convenient to use compared to swiping a credit card.
Bullshit. There is virtually no difference in the operation of either system except one has a fingerprint reader.
The reason ApplePay became the #1 smartphone payment mechanism overnight is because it's utterly trivial and convenient to use.
More bullshit. The reason ApplePay became the #1 mechanism overnight is because Apple leveraged their marketing and the media around it. Google hasn't ever done the same. In fact, it would be easy to be oblivious to the fact that Google Wallet even exists - it's almost as if Google doesn't give a crap in terms of marketing it (who knows why..)
It took me exactly 3 seconds at the local Whole Foods to pull out my phone, tap it with my finger on the finger print reader, and put it back in my pocket.
It takes me no more time to use Google Wallet.
Re: (Score:2)
Virtually no difference isn't good enough. Convenience is king as had been proven again and again and again.
Also there is no way in hell that I would hand over my purchasing data to an advertising company. That's the big difference from my point of view
Re: (Score:2)
One thing that's not bullshit: ApplePay is far more secure.
Re: (Score:2)
The reason Google Wallet has been a failure to-date is that it (and all other smartphone-based payment systems except ApplePay) is simply not convenient to use compared to swiping a credit card. The reason ApplePay became the #1 smartphone payment mechanism overnight is because it's utterly trivial and convenient to use.
Really? That's the reason? I would have gone with lack of advertising, lack of international support, not being a default in devices including the Nexus series itself, and brutal lock-down of people who hack their way into getting it working in other countries.
But difficulty? You haven't used it have you?
The only thing remotely difficult or time consuming was setting it up, and then only because I had to fake the fact that I wasn't in the USA because it isn't supported. For the most part Google Wallet has w
Re: (Score:2)
But difficulty? You haven't used it have you?
The person you replied to didn't say it was difficult; he said it wasn't convenient: "it ... is simply not convenient to use compared to swiping a credit card." And it's not. You have to wake up your phone, unlock it, and then enter the Google Wallet PIN. With Apple Pay, you just have to hold the phone with your thumb at the correct location; the phone display doesn't need to be turned on first, and the fingerprint reader takes the place of the unlock and PIN entry.
I've tried Google Wallet a few times for t
I have to say (Score:2)
It made me smile
Re: (Score:1)
Just like I did years ago when I saw a Google wallet icon on it.
Apple is that douchebag who shows up late for a party that everyone else is at and proclaims "*now* the party can start!"
NFC Bitcoin Checkout is more secure (Score:3)
http://blog.bitpay.com/2014/11/04/bitcoin-checkout-one-tap-mobile-bitcoin-payments.html
Yes, I understand the downsides of fewer merchant acceptance but there are plenty of upsides as well for everyone.
Orders can be priced in 150+ currencies, and past payment information is only a few taps away.
We’re now rolling out the app to every mobile market worldwide, in the 40 languages spoken by 99.99% of the world’s population.