Pay-by-bonk? YEP, it's an Apple patent now...

Apple has filed a patent which defines how iPhones can make secure payments using a combination of NFC and a separate data connection – and it could lead to a new payments system for iTunes. The patent describes a number of transaction models where NFC is used to make an initial connection between the phone and a merchant's …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Using the bump to initiate a process on the device seems obvious to me.

8
1
Anonymous Coward

In 20 years there will be an agreed world standard, until then ideas will come and go, systems will appear and disappear until one main player is left. All the banks will then subscribe to the model payment system until it is hacked and all the money in the world is wiped out.

Bartering will then become the norm, ten peas for a tomato perhaps?

0
4
g e
Silver badge

Surely this was already done

By Samsung with the NFC share thingy?

It's a bit rich for Apple to patent an NFC thingy that's been done elsewhere when they don't even 'do' NFC, albeit the process might not be sharing a picture, it's obviously triggering a data-related action.

Though it is Apple after all

Lawyers everywhere will be putting the bunting out, doubtless.

13
0

Because it is

Bump to initiate has been used by Samsung (S-Beam?) to transfer picture and relatively small files. NFC to initiate, but the transfer takes place over an ad hoc wifi network. Android has 'Android Beam' which does the same thing. I remember seeing it on a Samsung phone first so I'm giving them the credit...but it's not an original idea.

5
0

It's not even original.....

1974 - http://www.youtube.com/watch?v=vAfthQTqj24

0
0

???

This will be slower than current systems, mobile data is notoriously slow in most shopping centres and malls in the UK.

5
0
Joke

secure wireless connection

"essential financial data is sent over a second, secure wireless connection with greater range"

I see this ending well.

11
0
Silver badge

Re: secure wireless connection

Financial data sent over a secure wireless network?

Newsflash: People do that every day, from making Amazon purchases to using a 'chip and pin' card to get a pint and £20 cash-back in the local pub.

1
0
Silver badge

I guess this comes down to whether you trust the retailer's NFC set-up or their WiFi more. Which one is going to be easier to compromise or eavesdrop?

1
0

What does this solve?

What problem does this solve?

Here in the US, I can tap my android phone momentarily against the POS terminal. That's all it takes for the transaction, as the terminal just needs to get the card number from my phone. It then processes it over a second (secure unless you're in Target) data network with the bank's merchant provider.

It's not like I need to keep my phone against the terminal for the duration of the transaction.

6
0
Anonymous Coward

Re: What does this solve?

It solves the problem of Apple not getting 30% of everything you buy with one of their iShite devices, you know, that thing you are paying them to carry around and track you.

31
1
Anonymous Coward

Re: What does this solve?

Payments at other sites which may not have any fixed telco infrastructure, such as a market stall?

0
0
Silver badge

Re: What does this solve?

you know, that thing you are paying them to carry around and track you.

Shut up, you. Only Google does that. Sez Microsoft and Apple.

You should really "get the facts".

7
0
Bronze badge

Re: What does this solve?

Fixed telco infrastructure not needed - haven't you been in stores and restaurants that use mobile card readers that directly attach to mobile networks?

From what I can see the Apple patent effectively makes them a player in the mobile PayPal marketplace, ie. they effectively become a card issuer and like PayPal able to set their own commission rates to merchants for accepting their payments.

1
0
Bronze badge

Re: What does this solve?

As well as advanced tap to pay gadgets in the US I note that your standard card payment systems now have a signature digitiser pen 'n' tablet these days.

Imagine my horror on being presented a tablet to sign on spending around $400. Most of the rest of the world I have visited have these things called PINs and we don't write them on the card. Admittedly they are open to abuse: silly PINs like repeated digits but they are not actually written on the card for all to see.

I haven't signed the back of a card in years - why would I?

Luckily the child behind the counter didn't actually check my card anyway and instead took the opportunity to congratulate me on my command of English - me being a foreigner - which must have been good enough to be impressive.

I didn't have the heart to explain that my nationality is nominally called English after my country of birth: England - one of the bits of the rather complicated UK of GB n NI agglomeration. I was simply glad to escape with my legitimate purchases having bypassed a security system that made me really want to cry.

You see: My job has a rather major IT Security component.

Cheers

Jon

5
0

First off, I've been writing software for 30 years. While I've studied a lot about security methods and encryption, I would never consider myself an expert. I would consider myself "suitably skilled in the art."

It makes more sense to me to use an NFC connection to have the two devices identify each other. The user verifies on their device where they are (Joe's Coffee Shack on W. 3rd St). Your device then contacts the payment servers over the data network (or text message in a pinch) as does their device. Both devices have created a shared secret that they have each encrypted with their own key. Payment server verifies with each public key that it has that the secret agrees as does the charge amount. User's device is contacted again and once the user verifies the transaction it goes through and the merchant's system is notified.

Protecting the payment system from the app path is ludicrous. If it is run in the same system as the OS and the app environment, it is not safe and cannot be made so. Instead make it harder by doing essentially the same thing as the baseband modem (but don't even think of running it there or as a uJava app on the SIM because they are insecure as hell). Instead you place a 3rd independent ASIC that is the payment processor. It would only communicate over specific and protected channels with the OS and the baseband modem. That again would be impossible to make 100% secure, but it would definitely raise the difficulty level significantly.

The other point that is insane is to trust their Bluetooth or WiFi as the second channel. Can we please move to making banking more secure, not less?

And as for obvious. The above scenario is me thinking about how I would design a secure payment system for roughly 2 minutes after only reading the first two paragraphs in the article and not looking at the patent. Please don't nit-pick it because I know I've probably missed things here and there. So with that in mind back to the article.

SIM card?!? Are you ****ing kidding me. Secure? Not hardly. That was pretty well dispelled at DefCon 21.

Now to the patent. Ah, sure. I knew no one would specify Bluetooth or WiFi in a patent. You don't fence off things with specificity anymore. You fence off the whole continent as in "a second air interface different from the first air interface includes identifying an air interface having properties more desirable than the first air interface for communication of data to a user over a time period longer than the time used to establish the first secure link."

Shared secret, check. Not sure that I agree with the shared secret being the encryption key. Maybe if each device signed the message first with their own key before encrypting with the shared secret. That sounds like they really mean Diffie-Hellman and that means you end up with a key weaker than the keys used to create it. Again, we don't know the real implementation. This is modern patent law so be as broad and cryptic as you can.

I'm sure within 5 years we'll hear about this patent being granted. Pretty well shouldn't as it is overly broad and obvious. They really haven't added anything new to the game.

As for my idea. I would never implement it myself. I'd definitely want a team of experts in security to go over it and improve it. As well as have the code and any hardware peer reviewed. That would never happen. Once the big players get involved everything gets watered down and made easier and you get the least common denominator solution. Fraud is considered just a cost of business to the banks, they charge it back to the customers however they can.

I never get tired watching DefCon or C3 presentations where developers or engineers have decided to roll their own security or encryption solution. They're hysterical.

6
1
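
The server-side check sketched in the comment above (both devices report the tap's secret and the charge amount over their own connections, and the payment server approves only if they agree), as an added example that is not part of the original post or of the patent. Assumptions: HMAC-SHA256 with per-device keys already enrolled at the server stands in for the public-key verification the comment describes, and every name and value here is hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data: keys the payment server already holds per device.
# Assumption: HMAC keys stand in for the per-device public keys in the comment.
ENROLLED = {
    "phone-1": secrets.token_bytes(32),
    "merchant-1": secrets.token_bytes(32),
}


def nfc_tap():
    """Short-range step: both devices leave the tap holding the same fresh secret."""
    return secrets.token_bytes(16)


def _body(msg):
    # Canonical string covered by the authentication tag.
    return f"{msg['device']}|{msg['peer']}|{msg['secret_hash']}|{msg['amount']}".encode()


def attest(device_id, key, peer_id, session_secret, amount_pence):
    """Message a device sends to the server over its own data connection."""
    # Only a hash of the secret travels, bound to both identities and the amount.
    msg = {"device": device_id, "peer": peer_id, "amount": amount_pence,
           "secret_hash": hashlib.sha256(session_secret).hexdigest()}
    msg["tag"] = hmac.new(key, _body(msg), hashlib.sha256).hexdigest()
    return msg


def server_verify(payer, merchant, seen):
    """Return (approved, reason); `seen` holds secret hashes already spent."""
    for msg in (payer, merchant):
        key = ENROLLED.get(msg["device"])
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, _body(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad authentication tag"
    if payer["peer"] != merchant["device"] or merchant["peer"] != payer["device"]:
        return False, "devices do not name each other"
    if not hmac.compare_digest(payer["secret_hash"], merchant["secret_hash"]):
        return False, "secret mismatch"
    if payer["amount"] != merchant["amount"]:
        return False, "amount mismatch"
    if payer["secret_hash"] in seen:
        return False, "replayed session"
    seen.add(payer["secret_hash"])
    return True, "approved"
```

The final user confirmation step from the comment is left out; the block covers only the server's agreement check, including the replay and mismatched-amount cases.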
Bronze badge

Network redundancy and protocols, etc...

How is this any different from exploiting various network topologies to connect devices to various networks to achieve data transfer?

0
0
Bronze badge
Facepalm

Apple's definition of "invention"

1. Copy existing technology

2. Flip a couple of bits

3. "Invention"!

Although I suppose the root of the problem is that's also the USPTO's definition.

19
1
Bronze badge

Re: Apple's definition of "invention"

Let no-one's work evade your eyes.... so plagiarise, plagiarise, plagiarise- but be sure to call it "Research"

7
0
Pint

Re: Apple's definition of "invention"

Originality is the art of concealing your source.

Uhhh... yeah, I just made that up! Yeah, That's the ticket! (sorry, Jon Lovitz).

1
0
Anonymous Coward

Re: Apple's definition of "invention"

I thought the USPTO's definition was "whatever US companies say goes, especially fruitco, regardless of prior art elsewhere in the world"

2
0
Bronze badge

Re: Apple's definition of "invention"

Only in America!

1
0
Bronze badge

Go to hell mobile networks

"which is exactly what the mobile phone operators - who are looking for a share of transaction revenue - fear will happen."

This is something that may use a small element of a mobile phone and the networks think they deserve a share of all revenue. Why am I not surprised? Oh but it uses their data network perhaps for a few seconds and that costs them money... which you've already paid for with your monthly fees / PAYG allowance.

Am I the only one tired of network operators trying to expand their greed by any means necessary? First they rip everyone off with the extortionate price of text messages and when those start to be bundled in the thousands they move on to charging extortionate rates for data. When that fails they'll use something else but in the meantime anything that mentions "mobile phone" (or cell phone if you prefer) and "money" in the same sentence has them looking feverishly on with ideas of how they can grab a slice of something for doing nothing. Or in this case a slice for trying to force their preferred way which guarantees them income for doing nothing.

2
0

Oh boy

Another fine RetroInnovation* from Apple!

*A future Apple trademark, used with permission

6
0
Silver badge
Alien

"air interface"

So this patent won't apply in, say, vacuum? Or underwater?

(Feverishly starts planning the world's first orbiting supermarket...)

4
0