back to article Farewell, Android Pay. We hardly tapped you

“Android Pay” is no more, as Google attempts to unify its disparate transaction options under one brand. The redesigned, rebranded Google Pay app – which supersedes Android Pay – is already in the Google Play Store. Google has folded some of the functionality from its wallet app (creatively named, er, Google Wallet) into its …

Page:

  1. Anonymous Coward
    Anonymous Coward

    Another solution looking for a problem. And given the security on smart-phones I don't think I'll even give it a go as a gimmick.

    1. Anonymous Coward
      Anonymous Coward

      It's not surprising that Samsung Pay hasn't gained traction, given how appalling they are at updating their phones.

    2. low_resolution_foxxes

      lol

      Given that chip and pin has been essentially hacked by at least 2 separate live methods in the field ( https://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pin-card-hack/ ) I find it amusing when I read that a banks method is more secure than a technology companies.

      In the longterm, people tend to like technology companies and hate banks. Large technology companies should be able to design features that allow basic banking features (direct debit, transfer, etc.) with integrated secure/biomarker security. We'll see how this plays out

      1. F0rdPrefect

        low_resolution_foxxes

        From the article youl ink to

        "The ENS and CEA forensic researchers note that the vulnerabilities used by the French fraud they analyzed have since been fixed"

        And only the one method is mentioned in the article.

        As for "large technology companies" do you trust them more than the banks?

        1. JohnFen Silver badge

          "As for "large technology companies" do you trust them more than the banks?"

          Personally, I trust them far less than I trust banks. This is for two reasons -- first, large technology companies frequently demonstrate that they aren't very trustworthy, and second -- there is a large body of law and several government agencies that exist to make sure that banks don't get too far out of line and, if they do, will mitigate the damage to people. Technology companies have none of that.

      2. PaymentGuy

        As it says, that's a long-known theoretical vulnerability, and one that

        a) is not possible on certain cards where the result of PIN entry is cryptographically signed

        b) is not applicable to contactless at all, since the card is not asked to verify the PIN

    3. Dr Mantis Toboggan
      FAIL

      Not a gimmick and vastly more secure than that debit/credit card in your wallet.

      Google Pay (Android Pay) uses a generated 1 time card number that is matched to your real card details by the payment processing company (Visa/Mastercard) and then discarded.

      If I lose my phone, I can remote wipe it, Can I do this same thing when I discover my credit/debit card missing? Your plastic card is however ripe for skimming.

      It's therefore no surprise that banks limit card tap and pay transactions to £30, but don't impose that limit for GooglePlay tap and pay transactions (as long as you have some form of password/pin/fingerprint lock screen)... Go figure...

      Good luck Luddite. I wish you all the best,. Don't forget the tinfoil hat.

      1. Cuddles Silver badge

        "vastly more secure than that debit/credit card in your wallet"

        To an extent. More accurately, payments using phone NFC are vastly more secure than cards during the transaction, mainly due to the use of one-time tokens preventing any possibility of cloning or really copying anything relevant at all. However, it's really quite difficult to hack or install malware on a credit card, so in some ways they're still significantly more secure. Overall, phones probably win; I'm not aware of any malware that actually does steal money by faking phone payment transactions (although it would be foolish to assume such a thing will never happen), while card fraud is all too common.

        "If I lose my phone, I can remote wipe it, Can I do this same thing when I discover my credit/debit card missing?"

        Yes, very easily. Significantly more easily than with many phones - most people probably haven't even set up such a facility on Android (I think it's there by default with Apple). Once you've notified your bank that your card is missing any liability for fraudulent use falls on them, so they're very good at dealing with such reports.

        1. PaymentGuy

          "More accurately, payments using phone NFC are vastly more secure than cards during the transaction, mainly due to the use of one-time tokens preventing any possibility of cloning or really copying anything relevant at all."

          Exactly the same mechanism is used in a card. The difference is that the card number from a plastic card can generally also be used outside the phone (internet, MOTO) whereas that from a phone cannot. But the number itself is the same from transaction to transaction - it's the cryptogram, not the card number, that is tied to an individual transaction.

          "Once you've notified your bank that your card is missing any liability for fraudulent use falls on them, so they're very good at dealing with such reports."

          And the same with the phone, if you tell your bank it's missing.

      2. enormous c word
        Mushroom

        Contactless is the banks solution to fraud and reimbursement to victims of fraud. But not in the way you may think. The banks limit contactless to £30 to encourage you to use your card instead of cash for many-many small payments - each of which they shave off a micro-fee - the number of transactions are far too many for the typical user to be able to identify when they get their statement - so any fraud goes unnoticed or is of too little value to bother pursuing. The bank still gets their micro-fee regardless of whether its legit or fraudulent transaction.

        1. PaymentGuy

          Nonsense! The £30 limit is there because there's no cardholder verification (PIN) below that point; this is why it can go higher than £30 on mobile. It is perfectly possible (and is the case in many places around the world) to do low-value contact transactions without PIN or other verification.

          And if it's a fraudulent transaction, the interchange the issuer gets is by far outweighed by the fees involved in processing chargebacks and refunds.

        2. The Specialist

          >the number of transactions are far too many for the typical user to be able to identify when they get their statement.

          I do not know your definition of "typical user" but I get notifications whenever there is a charge to my card - be it via web, contactless (card / phone) or via entering the pin. I use my card for almost everything.

      3. PaymentGuy

        "Google Pay (Android Pay) uses a generated 1 time card number that is matched to your real card details by the payment processing company (Visa/Mastercard) and then discarded."

        This is incorrect.

  2. Anonymous Coward
    Anonymous Coward

    I used Android Pay when it came out for a bit as a novelty. But it doesn't support my MBNA Amex card - which earns freq flyer miles 3x faster than it's Visa cousin (which does work with Android pay).

    Most shops accept Amex these days, so funnily enough Android Pay doesn't get anywhere near as much use as it would do if it supported my Amex card...

    And as for Samsung Pay, why the hell would I want to use magnetic payment? No thanks... Even most shops in the US now accept either contactless or chip...

    1. wyatt

      Amex is a pain for small businesses. My wife stopped accepting it as they were a month slower to pay than Visa. They also charged more to process payments.

      1. Anonymous Coward
        Anonymous Coward

        "Amex is a pain for small businesses. "

        boo-fucking-hoo

    2. Chloe Cresswell

      Weirdly, the cards I have on my android/google pay account are my Amex and MBNA mastercard. Barclays isn't supported, so that's my debit cards out of the window..

    3. Anonymous Coward
      Anonymous Coward

      “I used Android Pay when it came out for a bit as a novelty. But it doesn't support my MBNA Amex card - which earns freq flyer miles 3x faster than it's Visa cousin (which does work with Android pay).”

      Be aware that your MBNA Amex card may not be long for this world. For a change, it is actually something we can honestly blame Europe for (as opposed to the tissue of Brexitard lies).

      “Barclays isn't supported, so that's my debit cards out of the window..”

      Barclays have their own Android payment app. Bloody minded bastards.

      1. Tim99 Silver badge
        Trollface

        Barclays have their own Android payment app. Bloody minded bastards. My Barclays VISA debit card is loaded into my iPhone wallet (ducks). No, that is not an endorsement of them - Generally they are bloody minded bastards.

        1. PaymentGuy

          Yes - it's just that Apple are bloodier-minded and there's currently (if ever) no other way for Barclays to get their cards on Apple devices.

      2. davidp231

        "Barclays have their own Android payment app. Bloody minded bastards."

        And if it detects something like 'su' then it will deem your phone is rooted (even if it isn't - for example the Android layer on Jolla devices). Renaming it persuades it to run fine.

    4. Anonymous Coward
      Anonymous Coward

      Most shops accept Amex these days,

      No they don't.

      1. Lindsay T

        Re: Most shops accept Amex these days,

        Even found a filling station recently in Lockerbie that refused American Express although that is pretty rare. There's a other half way up the A9 though.

    5. Anonymous Coward
      Anonymous Coward

      "Most shops accept Amex these days,"

      "Most large shops accept Amex these days,"

      Processing fees are extortionate for most smaller businesses tat can't afford to take the hit.

    6. Lee Taylor

      The lack of MBNA Amex is an ommision. Poundland and now Aldi take no accept Amex so no excuse to miss out miles even on the smallest transaction.

      1. Jason Hindle Bronze badge

        "The lack of MBNA Amex is an ommision. Poundland and now Aldi take no accept Amex so no excuse to miss out miles even on the smallest transaction."

        Poundland too? That is good news. My Visa card has been seeing a lot less action since Aldi started taking Amex (normal Amex issued charge card, so works perfectly with Android/Google/Whatever Pay).

    7. PaymentGuy

      Rather, it's MBNA who don't support Android Pay. Amex's supports their own cards in Apple, Android, and Samsung - as well as their own Android app (and probably others). You can actually have the same Amex card three times on a Samsung device if you load it in all three apps.

    8. Oh Homer Silver badge
      Windows

      Re: "Most shops accept Amex these days"

      Not around here. Most places I've encountered shun Amex, due to its extortionate charges. In fact I've seen far more places that take both Apple and Android Pay than Amex.

    9. admiraljkb

      "And as for Samsung Pay, why the hell would I want to use magnetic payment? No thanks... Even most shops in the US now accept either contactless or chip..."

      In the US - Home Depot, Lowes, and most gas stations are still swipe unfortunately along with many others. Lots of shops with chip readers still not enabled even when they have them. In this current interim period - Samsung Pay is a nice way to secure the card from a skimmer since what's transmitted to the magstripe reader isn't usable a second time..

      1. JohnFen Silver badge

        "Lots of shops with chip readers still not enabled even when they have them."

        And when they do have them enabled, they tend to be very, very slow. Much slower than paying with cash or using the old swipe system.

    10. Anonymous Coward
      Anonymous Coward

      "And as for Samsung Pay, why the hell would I want to use magnetic payment? No thanks... Even most shops in the US now accept either contactless or chip..."

      Quite - it's quite a clever technology, but ultimately useless in the UK, which has so far refused to allow it (as we've moved away from swiping cards - or at least require a signature to go with it)

  3. Pen-y-gors Silver badge

    What could possibly...?

    I think I prefer to stick to handling my own money, thanks.

    Physical debit card for debits

    Separate credit card with very limited spending limit for online transactions (but prefer Paypal)

    Paypal only from one computer, requires password every time, and uses 2FA

    No other credit cards

    Bank transfers online - one computer only

    Cheques (rarely)

    Cash

    And I'm sure some toerag will still manage to relieve me of my dosh one day - but I'm not going to make it easier for them with Google Pay!

    1. Lee D Silver badge

      Re: What could possibly...?

      Keep your debit card in an RFID blocking wallet or sleeve.

      I like to demo to people the "Credit Card Reader" app which can pull off their card number and expiry date by just tapping an NFC phone against their card (or, in theory, from across the room) without them even knowing.

      Sure, it's not every detail and not the same as performing a proper doink transcation, but it's enough. But put it in a sleeve / wallet with foil insert and you can't read the card at all.

      The other app I like is "Passport Image Decoder". Worrying that such access is available passively without your knowledge, even if the most vital data is encrypted

      1. Test Man

        Re: What could possibly...?

        So... the same detail as what's already embossed on the card then? Similar story with cheques - it's really a non-issue for 99% of user cases.

        1. PaymentGuy

          Re: What could possibly...?

          Less detail, in fact, since the only place the CVV appears is on the back of the card (unless you're Amex of course)

      2. Anonymous Coward
        Anonymous Coward

        Re: What could possibly...?

        The other app I like is "Passport Image Decoder". Worrying that such access is available passively without your knowledge,

        Yes, I keep a paper bag over my head at all times to ensure people can't skim my likeness as they pass.

        1. Wayland Bronze badge

          Re: What could possibly...?

          "Yes, I keep a paper bag over my head at all times to ensure people can't skim my likeness as they pass."

          Which is the problem with biometrics. If your face is your password it's hard to change your password. As for fingerprints, you leave copies of your password on everything you touch.

      3. Mookster

        Re: What could possibly...?

        Mmmm you have to scan the MRZ to read a passport. The, for the UK one, you can read everything (there's no fingerprints). For others, with fingerprints, you need your own keys to get access.

      4. paulf Silver badge
        Go

        Re: What could possibly...?

        @Lee D, "Keep your debit card in an RFID blocking wallet or sleeve."

        Or just ask your card issuer for a non-contactless card. I'm not a tin foil hat type, but I wanted non-contactless versions of my credit and debit cards. I asked my card issuers and they happily sent out non-contactless replacements for the pay by bonk cards they normally send.

        1. bondyboy

          Re: What could possibly...?

          Depends on the provider, Nationwide told me they didn't have a non contactless version, a snip of the card in the right place breaks the circuit though

          This was after 2 of my cards had been compromised, I usually carry 4 cards in my wallet, 2 contactless and 2 not - the 2 contactless ones were the ones compromised

        2. PaymentGuy

          Re: What could possibly...?

          They're only obliged to do this for debit cards.

        3. JimboSmith Silver badge

          Re: What could possibly...?

          Yes that's what I did too and they were happy to do so. No tinfoil hat here but practicality using an Oyster Travelcard trumped contactless. This morning I watched someone try to pay with contactless on their phone but it wasn't working. They didn't have any other means of payment and that caused problems for them and everyone else waiting to pay. It wouldn't have been so bad but for the refusal to accept their phone wasn't working to pay.

      5. PaymentGuy

        Re: What could possibly...?

        It's enough for what, exactly? What do you think you can *actually* do with those details?

      6. Rolly_Poly

        Re: What could possibly...?

        @Lee D

        https://www.csoonline.com/article/3199009/security/why-you-dont-need-an-rfid-blocking-wallet.html

    2. Blotto
      Facepalm

      Re: What could possibly...?

      @ Pen-y-gors

      do you wear your tinfoil hat when doing your transactions from the 1 pc too?

      don't you think your going a little to far with the precautions especially when millions of others are happily doing online transactions without your precautions and aren'y getting done over?

      my debit card got skimmed from a London cashpoint one night, its not stopped me using cashpoints, contactless cards, apple pay and online transactions has stopped me using cashpoints though!!!

      1. sisk Silver badge

        Re: What could possibly...?

        don't you think your going a little to far with the precautions especially when millions of others are happily doing online transactions without your precautions and aren'y getting done over?

        Given the number of people who are victims of identity theft or have their payment details stolen I'd say Pen-y-gors has a pretty reasonable level of paranoia there. I'm pretty close to the same level myself. I've got one debit card which only has money on it for a few hours after I get paid (and that only because my paycheck gets direct deposited onto it) and just before I buy anything online. And I'm seriously considering getting a different one for online transactions. I use cash for everything I can use cash for and any extra money is sitting in a savings account where I have to walk into a bank and show ID to access it.

        1. Orv Silver badge

          Re: What could possibly...?

          To me identity theft and payment details are very different things.

          Identity theft is serious because they can create new accounts I don't know about, and that's hard to resolve. Account numbers, likewise, I try to guard a bit (because you can do a bank draft with them.)

          But credit card numbers? I long ago stopped freaking out about those. If my number gets stolen I flag the transaction, the bank refunds it, and they send me a new card with a different number. It's a minor hassle. The threat model doesn't usually involve anything PC-related, either; around here it's mostly skimmers on card-enabled gas pumps.

          1. sisk Silver badge

            Re: What could possibly...?

            But credit card numbers? I long ago stopped freaking out about those. If my number gets stolen I flag the transaction, the bank refunds it, and they send me a new card with a different number. It's a minor hassle.

            It's a much bigger problem for folks who live paycheck to paycheck. I know a guy who's absolutely horrible at managing his money and is generally broke a few days after his payday despite having a decent paying job. Someone got his debit card details and cleaned out his account. As you said, not a big deal because the bank refunded it, but in the meantime he went 2 weeks without money to buy fuel and food. He lost more than a few pounds those couple weeks.

            Also, the last time my credit card details were stolen it was through the Target hack. I always check for skimmers on the gas pumps - in case you haven't figured it out already, I'm a bit on the paranoid side - and I've turned a couple of them over to the police. To my knowledge I've never fallen victim to one, though they've gotten good enough lately that they're net easy to spot even if you know what to look for.

            1. PaymentGuy

              Re: What could possibly...?

              So the sooner we can ditch mag stripe, the better.

            2. Orv Silver badge

              Re: What could possibly...?

              I always check for skimmers on the gas pumps - in case you haven't figured it out already, I'm a bit on the paranoid side - and I've turned a couple of them over to the police.

              In the places I've lived the most common place for a skimmer was *inside* the pump, wired to the pump's own mag stripe reader. Thieves would either get the help of an insider at the station, or have duplicate keys to open the access doors.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019