Pay-by-bonk? YEP, it's an Apple patent now... Apple has filed a patent which defines how iPhones can make secure payments using a combination of NFC and a separate data connection – and it could lead to a new payments system for iTunes. The patent describes a number of transaction models where NFC is used to make an initial connection between the phone and a merchant's …
In 20 years there will be an agreed world standard, until then ideas will come and go, systems will appear and disappear until one main player is left. All the banks will then subscribe to the model payment system until it is hacked and all the money in the world is wiped out.
Bartering will then become the norm, ten peas for a tomato perhaps?
By Samsung with the NFC share thingy?
It's a bit rich for apple to patent an NFC thingy that's been done elsewhere when they don't even 'do' NFC, albeit the process might not be sharing a pitcure, it's obviously trigging a data-related action.
Though it is apple after all
Lawyers everywhere will be putting the bunting out, doubtless.
Bump to initiate has been used by Samsung (S-Beam?) to transfer picture and relatively small files. NFC to initiate, but the transfer takes place over an ad hoc wifi network. Android has 'Android Beam' which does the same thing. I remember seeing it on a Samsung phone first so I'm giving them the credit...but it's not an original idea.
What problem does this solve.
Here in the US, I can tap my android phone momentarily against the POS terminal. That's all it takes for the transaction, as the terminal just needs to get the card number from my phone. It then processes it over a second (secure unless you're in Target) data network with the bank's merchant provider.
It's not like I need to keep my phone against the terminal for the duration of the transaction.
Fixed telco infrastructure not needed - haven't you been in stores and restaurants that use mobile card readers that directly attach to mobile networks?
From what I can see the Apple patent effectively makes them a player in the mobile PayPal marketplace, ie. they effectively become a card issuer and like PayPal able to set their own commission rates to merchants for accepting their payments.
As well as advanced tap to pay gadgets in the US I note that your standard card payment systems now have a signature digitiser pen 'n' tablet these days.
Imagine my horror on being presented a tablet to sign on spending around $400. Most of the rest of the world I have visited have these things called PINs and we don't write them on the card. Admittedly they are open to abuse: silly PINs like repeated digits but they are not actually written on the card for all to see.
I haven't signed the back of a card in years - why would I?
Luckily the child behind the counter didn't actually check my card anyway and instead took the opportunity to congratulate me on my command of English - me being a foreigner - which must have been good enough to be impressive.
I didn't have the heart to explain that my nationality is nominally called English after my country of birth: England - one of the bits of the rather complicated UK of GB n NI agglomeration. I was simply glad to escape with my legitimate purchases having bypassed a security system that made me really want to cry.
You see: My job has a rather major IT Security component.
Cheers
Jon
First off, I've been writing software for 30 years. While I've studied a lot about security methods and encryption, I would never consider myself an expert. I would consider myself "suitably skilled in the art."
It makes more sense to me to use a NFC connection to have the two devices identify each other. The user verifies on their device where they are (Joe's Coffee Shack on W. 3rd St). Your device then contacts the payment servers over the data network (or text message in a pinch) as does their device. Both devices have created a shared secret that they have each encrypted with their own key. Payment server verifies with each public key that it has that the secret agrees as does the charge amount. User's device is contacted again and once the user verifies the transaction it goes through and the merchant's system is notified.
Protecting the payment system from the app path is ludicrous. If it is run in the same system as the OS and the app environment, it is not safe and cannot be made so. Instead make it harder by doing essentially the same thing as the baseband modem (but don't even think of running it there or as a uJava app on the SIM because they are insecure as hell). Instead you place a 3rd independent ASIC that is the payment processor. It would only communicate over specific and protected channels with the OS and the baseband modem. That again would be impossible to make 100% secure, but it would definitely raise the difficulty level significantly.
The other point that is insane is to trust their Bluetooth or WiFi as the second channel. Can we please move to making banking more secure, not less?
And as for obvious. The above scenario is me thinking about how I would design a secure payment system for roughly 2 minutes after only reading the first two paragraphs in the article and not looking at the patent. Please don't nit-pick it because I know I've probably missed things here and there. So with that in mind back to the article.
SIM card?!? Are you ****ing kidding me. Secure? Not hardly. That was pretty well dispelled at DefCon 21.
Now to the patent. Ah, sure. I knew no one would specify Bluetooth or WiFi in a patent. You don't fence off things with specificity anymore. You fence off the whole continent as in "a second air interface different from the first air interface includes identifying an air interface having properties more desirable than the first air interface for communication of data to a user over a time period longer than the time used to establish the first secure link."
Shared secret, check. Not sure that I agree with the shared secret being the encryption key. Maybe if each device signed the message first with their own key before encrypting with the shared secret. That sounds like they really mean Diffie-Hellman and that means you end up with a key weaker than the keys used to create it. Again, we don't know the real implementation. This is modern patent law so be as broad and cryptic as you can.
I'm sure within 5 years we'll hear about this patent being granted. Pretty well shouldn't as it is overly broad and obvious. They really haven't added anything new to the game.
As for my idea. I would never implement it myself. I'd definitely want a team of experts in security to go over it and improve it. As well as have the code and any hardware peer reviewed. That would never happen. Once the big players get involved everything gets watered down and made easier and you get the least common denominator solution. Fraud is considered just a cost of business to the banks, they charge it back to the customers however they can.
I never get tired watching DefCon or C3 presentations where developers or engineers have decided to role their own security or encryption solution. They're hysterical.
"which is exactly what the mobile phone operators - who are looking for a share of transaction revenue - fear will happen."
This is something that may use a small element of a mobile phone and the networks think they deserve a share of all revenue. Why am I not surprised? Oh but it uses their data network perhaps for a few seconds and that costs them money... which you've already paid for with your monthly fees / PAYG allowance.
Am I the only one tired of network operators trying to expand their greed by any means necessary? First they rip everyone off with the extortionate price of text messages and when those start to be bundled in the thousands they move on to charging extortionate rates for data. When that fails they'll use something else but in the meantime anything that mentions "mobile phone" (or cell phone if you prefer) and "money" in the same sentence has them looking feverishly on with ideas of how they can grab a slice of something for doing nothing. Or in this case a slice for trying to force their preferred way which guarantees them income for doing nothing.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
