Sound-Based System Promises Chipless Phone Payment
CWmike writes "While near-field communication gradually emerges to turn mobile phones into payment devices, startup Naratte is introducing a system it claims can do roughly the same thing without adding a chip to the handset. On Monday, Naratte introduced Zoosh, a technology that lets phones exchange transaction information via inaudible sound waves. As with NFC, the phone user would just put the phone near to a point-of-sale terminal to redeem a coupon or make a purchase. NFC provides short-range radio communication between phones and point-of-sale devices so users can just tap or point their phones at the device to make a purchase. NFC uses specialized chips, which are already built into a few phones such as the Google Nexus S sold by Sprint Nextel, and are expected in more handsets in the future. Zoosh involves software that utilizes the speaker and microphone in a handset to send and receive audio signals with another device, similar to the way early modems exchange data by sending tones through the handsets of desk phones cradled in coupler devices. The company has posted a video that shows how it works. Between this and barcodes (which Starbucks says is working well already, thank you very much), is NFC already irrelevant?"
But I bet a microphone could still pick it up..
And, on a side note, this is oddly reminiscent of Phreaking.. Payments with tones and all.. even if they are "inaudible."
vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
They want their acoustic couplers back :)
ACK NAK RST
Where do all these Zoosh-enabled POS systems exist? Google is already pushing NFC (with Apple obviously ready to jump in, in the near future), so I'm not sure how an upstart with no ability to penetrate the POS market can possibly survive. The only negative that Zoosh seems to be fixing is that you don't need the NFC chip, but with a multitude of NFC chips, add in SIM NFC chips, and SD NFC chips, I'm not too sure if it's even a problem anymore.
> NFC uses specialized chips
???
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
Cash is King, baby.
NFC requires specialized chips. This audio-based solution does too, but the summary handwaves it because a tiny handful of phones already has it. I'm not sure about anyone else, but I smell a false premise.
Has NFC already been reduced to a glorified mag-stripe; but with more options for carriers to get their pound of flesh out of the transaction? If so, then yes, a cheaper way of communicating with the POS arguably threatens its relevance.
However, if that deplorable possibility hasn't come to pass, then this seems like only a partial replacement. With NFC, as with the prior RFID stuff, you get the handy option of having passive, antenna-powered tags that can interact with powered devices. You can also have two powered devices talk to each other, some combination depending on the circumstances. With this audio mechanism, and QR codes, and the like, you have the advantage of using hardware that is already there 'for free' because it has other uses; but your versatility is limited: The audio-based system, unless some very clever and likely not cheap piezo/MEMS system were to be hacked together, will only work between two powered devices. QR codes are tolerant of unpowered tags, indeed their tags are cheaper than RFID ones; but you are restricted to dumb tags only. No challenge/response authentication or anything unless two devices with screens and cameras are flashing QR codes at each other as a crude form of two-way communications interface, in which case both of the devices have to be fairly sophisticated and powered.
The most secure transaction you can make is cash out of your wallet. Only person who can take it then is a mugger (or a girlfriend) and at least then I know when it happens and how much is missing. All these alternative payment systems (including debit and credit cards) are ripe for the taking because of the numerous hands and systems that touch the payment information along the way.
I once experimented with the idea of using high-frequency (19kHz-22kHz) wav forms to transmit 1-30Hz pulses into the brain via sound (think subliminal advertising) and found it incredible that most current cell phone mics are very adept at receiving and playing it back very clearly, so there might be some merit to this idea.
Why don't they just use 2600 Hz so I can pull a whistle out of a box of cereal and make payments? How many chirps are a quarter? This tech company has not learned from AT&T's past mistakes.
My cell phone will listen to your cell phone and get your money and stuff.
One key advantage is that you can use your phone with a free Android app to read and write onto cheap (read+write-many or read+write-once or read-only) HF based HFID tags that cost a few cents and are field powered:
https://market.android.com/details?id=com.nxp.nfc.tagwriter&feature=related_apps
Imagine the possibilities... Product tags, WiFi setup including WPA2 keys for guests, bulletin messaging in areas with poor signals, etc. In addition, the NFC chips being used on these phones have a security crypto chip that is isolated from the main device and can act as a hardware security token capable of full PKI (RSA, ECC, X509v3, CMS, ...), in addition to being used for electronic payment, transit fares, etc. Google Wallet is just one example. But since NFC is compatible with ISO14443, you can also use it with Paypass, Clipper, Suica, Octopus, etc.
How much do you think it costs to embed microphones and audio processing electronics? Not to mention the resources needed to support this including external power, and potential problems in noisy environments.
There was a time when the cost of a long distance call was exorbitant. Fortunately the phone company ran validation over the same lines of communication, and it was possible to reverse engineer the tones ATT used to get free long distance. The lesson learned is that if the user has access to the validation channel, and the validating code is simple and unencrypted, then it will be hacked and abused. Given the limitations of the cell phone microphone and the network, I would wonder how complex the tone could be, and how easy it would be to hack to steal product or money.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
I can just see Michael Winslow http://en.wikipedia.org/wiki/Michael_Winslow rubbing his hands together with glee.
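Added example (not part of any comment in this thread, and not Naratte's Zoosh protocol, whose details the page does not give): a Python sketch of the point raised above about a simple, unencrypted validation code on a channel anyone can listen to, next to the challenge/response alternative mentioned earlier in the thread. The token, key, class names and amounts are constructed for illustration; the HMAC scheme is an assumed design, not a description of any product.

```python
import hashlib
import hmac
import secrets

# Constructed demo values, not taken from any real system.
STATIC_TOKEN = b"ACCT-0001-CONSTRUCTED"
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)


class StaticTerminal:
    """Validates a fixed code. Whatever was heard once stays valid forever."""

    def __init__(self, token: bytes):
        self._token = token

    def verify(self, heard: bytes) -> bool:
        return hmac.compare_digest(heard, self._token)


def respond(key: bytes, nonce: bytes, amount_cents: int) -> bytes:
    """Phone side: bind the reply to this terminal's nonce and this amount."""
    msg = nonce + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChallengeTerminal:
    """Issues a fresh nonce per transaction and accepts each nonce only once."""

    def __init__(self, key: bytes):
        self._key = key
        self._open = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._open.add(nonce)
        return nonce

    def verify(self, nonce: bytes, amount_cents: int, tag: bytes) -> bool:
        if nonce not in self._open:
            return False          # unknown or already-used nonce
        self._open.discard(nonce)  # single use, even if the tag is wrong
        expected = respond(self._key, nonce, amount_cents)
        return hmac.compare_digest(tag, expected)


def run_demo() -> dict:
    results = {}

    # Static code: a recording made by any microphone in range is as good
    # as the original.
    static = StaticTerminal(STATIC_TOKEN)
    overheard = STATIC_TOKEN
    results["static_legit"] = static.verify(STATIC_TOKEN)
    results["static_replay"] = static.verify(overheard)

    # Challenge/response: the same recording is useless afterwards.
    term = ChallengeTerminal(DEVICE_KEY)
    n1 = term.challenge()
    tag1 = respond(DEVICE_KEY, n1, 499)
    results["cr_legit"] = term.verify(n1, 499, tag1)
    results["cr_replay_same_nonce"] = term.verify(n1, 499, tag1)

    n2 = term.challenge()  # next transaction gets a different nonce
    results["cr_replay_new_nonce"] = term.verify(n2, 499, tag1)

    n3 = term.challenge()  # tag computed for 4.99 presented as 499.00
    results["cr_amount_changed"] = term.verify(
        n3, 49900, respond(DEVICE_KEY, n3, 499)
    )
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:22} accepted={ok}")
```

The shared key still has to be stored somewhere on the handset, which is the concern the secure-element comments elsewhere in this thread address.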
I got my capt'n crunch whistle ready!
> How much do you think it costs to embed microphones and audio processing electronics? Not to mention the resources needed to support this including external power, and potential problems in noisy environments.
I'd guess the microphone + audio processing electronics will come to less than $1, and they will only be necessary where payments are being accepted - I think a better question is how much the NFC chips will cost in every phone. Noisy environments are likely going to still work because the data transmitted can be relatively little (a few K in a few seconds is probably enough). You have a good point about product tags / etc. but I'm not convinced that we need more than the barcode.
Right now, I have an AMEX in my wallet. It's the best. Unlike my six other credit cards, my AMEX has no chip, no PIN, and no magic. Ok ok, it has a magstripe. The point is that in order to use it, I open my wallet, swipe my card, sign my signature, and walk away. That's great. It's convenient because it takes fewer than 10 seconds, and it's super-secure, because it requires me to take out my wallet, and to use my card within a millimetre of the magstripe reader. And it's super legal too, because my signature is a legal tool that means something, and it's very criminal to forge someone else's signature. Finally, it's super-safe for me, because if anyone, anywhere in the world uses my credit account for any reason in any way, I'm not responsible for the charge. That's perfect.
The reason I don't use my other credit cards is very simple. They suck. The chip can be read from many yards away, through my pocket. So it's not secure. I need to remember a different PIN for each, so it's not convenient. I'm not allowed to use the same PIN for each -- that's against the card agreement, and rightfully so. And here's the worst part. If someone else uses my card, and uses my PIN, it doesn't matter how they got it, I'm still responsible to pay it. Read your agreement. Ask for it. That's what it says. It says that you are responsible for any purchase made using your PIN. My PIN is not 32 characters long. It's just a handful of digits that anyone could notice, and remember easier than a phone number.
Now, we're talking about using my phone. A device that can break, die, crash, or get lost. Unlike my wallet, my phone moves from my pocket to my hand way more often. It discharges too. So now if my battery dies, I won't be able to buy a new one. Suck on that for a while. How's that for a buried shovel? So it won't be safe. It won't be secure because whatever information is being passed is being passed through the air, and is no more secure than any airwave transmission. And by using ordinary soundwaves, it can be detected by any microphone that ever existed -- including other phones. My credit card can't intercept other credit cards, unless it's covered in cheese when I swipe it. And by the way, jamming is just as bad. So it's not secure in any way.
Not to mention the most annoying part of all. I just refuse to use a modem ever again. I don't want to hear that sound again. I don't want to wonder why my 16800 is connecting at 14400. I don't want to know why no one has ever gotten 56000 ever, with any 56000 modem. And I don't want to have to explain to someone what BAUD means ever again.
I'm done with that shit.
Smartphones already have 3 radios: Phone, Wifi, Bluetooth. Do we really need, or want, a 4th one?
The Cloud - because you don't care if your apps and data are up in the air.
Mobile handsets are well on their way to becoming general-purpose computing platforms, with all of the security problems that entails. I think we have reason to be hopeful that it won't get as bad as Windows-based PCs are, but the fact is that the security of the handset is never going to be something we can really rely on.
To me, that means that if we want to use them for payment, we need to have a device in the phones which can securely store and use cryptographic keys, and contain and execute software that can be trusted to make appropriate security decisions. NFC is almost* exactly what's required for that, because the NFC chips are smart card chips -- small 8 or 16-bit computers in packages that have been specifically designed for years to resist intrusion. Are they perfect? No, nothing is. But they are the result of a decades-long arms race between attackers and designers, and they really are pretty darned secure. When competent security engineers who accurately understand their security strengths and weaknesses craft solutions and protocols using them, the result is orders of magnitude more secure than the main processor on a mobile handset.
I don't really care whether you use RF or audio or direct electrical connection to facilitate communication between reader and phone, to make it anything like secure you need a secure processor to handle the crypto. So you need the chip, period. But that's okay, because the incremental cost of an NFC chip added to a mobile phone is trivial.
And if you're adding an SE (or even just upgrading the SIM to make it featureful enough to handle the payment ops), the cost of the additional RF hardware needed by NFC is practically irrelevant, so why not do RF? I know Zoosh says this ultrasonic thing works in noisy environments -- but I'm really skeptical that it works in noisy ultrasonic environments. I'm also skeptical about the claimed low cost of merchant terminals, especially given that NFC-capable devices are already being produced in volume.
* The reason for my hedge "almost" is that I/O still has to pass through the main handset. In the case of communications with various back-end servers, whether via NFC or the cellular network or audio or whatever else, that's mostly okay because those back-end servers can have HSMs and do end-to-end security with the SE. "Mostly", because we'll still need the handset to provide the UI for users to authenticate, approve transactions, etc. What would really be awesome is if the phone had a mode where the SE could take control of the UI and cut the main handset OS out of the loop -- and maybe also have an LED on the phone that is hard-wired ONLY to the SE so that when that light is on you know the SE is in control. But there are many, many reasons why that is infeasible with current-generation SEs, and those coming for the next few years. And when it does become possible, the increased level of software complexity will undoubtedly come with exploitable security defects. It's a hard problem.
Still, even without my ideal situation, the result of combining an SE, well-designed protocols and a handset UI/network, etc. will provide a huge increase in security vs current electronic payment systems.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I don't know about that. Sure they've only won 5 of the last 14 Super Bowls, but they've won the last two. I wouldn't write them off just yet.
I think I have an easy solution to this. I'm not an analog expert by any stretch of the imagination, but I did use modems (300 baud modem all the way up to a 56k).
If you could make a cradle where you slide the phone into it, the purchaser's phone would send its public_key to the purchasing system, which would then send its public_key back to the purchaser's phone -- encrypted with the purchaser's public_key. Then the purchaser's phone would send the payment information encrypted with the public_key of the purchasing system -- and the acknowledgement of successful transaction would be sent back encrypted with the purchaser's public_key, then one more final "ack" from the purchaser's device to the system saying that it received the transaction confirmation. DONE.
I don't know how much bandwidth is there between the microphone and the speakers, but instead of just relying on the 'inaudible space', why not use the whole bandwidth? They're close enough, it won't be that much of a bother if it's in the cradle. I can't imagine this to be nearly as fast as swiping a credit card. But if you consider, swiping the credit card, waiting for the authentication, then waiting for the signature, then waiting for the printing out of the receipt, etc. That whole thing can take a minute or so depending. So if this system basically made it so that your receipts are all electronic (no paper print out required when using this system), no requiring another signature to use the device, and all you have to do is slide your phone in a slot for 30 seconds to a minute to complete the transaction, it nulls out the time and makes for effective use of technology.
It might FEEL like you're waiting forever for the handshake.. but people would just need to realize what busy work they're saving themselves, and plus the store is saving a ton of headaches as well not having to keep track of the physical paper receipt signatures. The credit card processors would appreciate that as well.
To really make this "safe" as well, you could have the software on the phone require a password to be entered on the device to "unlock" the encrypted "credit card information" within the phone for 2 minutes or whatever. After that 2 minutes of you entering the password, it auto locks and requires the password to be entered again. So if you lose your phone or someone steals it, they don't know your password to unlock your credit card information in the phone....
Anyway, there's my free $0.02 on how to make this work. :)
I don't understand why the specific method of the phone giving the cash register some money is some kind of roadblock. Why the phone needs some new method of communicating with the cash register. The phone has a million ways to send a message to the cash register and get a message back. Why can't the phone just text a One-Time Password to the cash register? Or use HTTPS? Or USSD, the GSM infrastructure high priority message used for topping off prepaid phones? Or any of a number of other comms techniques? Phones in Scandinavia have been texting parking meters, and getting texted when the meter's running down, for years. The money can be transferred by digital "check" between banks, or the telco can collect micropayment notices to be paid back like a credit card at the end of the month - or your phone privileges are cut off by the telcos cartel, harsher than a credit rating hit.
The infrastructure for these transactions is everywhere already. I'm impressed by the cleverness of this "inaudible" signaling, but it all seems an unnecessary waste of time.
--
make install -not war
...to demonstrate "inaudible sound waves"? Okay, here's one too:
"
"
It must have been something you assimilated. . . .
Or cash even? It takes me 2 seconds to get my wallet out. How long are you willing to wait for this app to start up and finish a transaction with the register?
It will be cool hearing a little 'DoodleyBIP!' sound when ya buy things!!!!
But seriously. For this to be an advantage it would have to run as an application requiring no hardware changes, and would be subject to the same restrictions.
Like say - a limited range of frequencies (about 50Hz up to 18kHz to be conservative). Humans can hear all of that, and it's even dangerous to be too loud at high frequencies.
What's the harm in yelling 'Computer, end program!'? You could be living in Star Trek! Go on.. give it a try.
Jones from Police Academy is never going to pay for anything again once he hacks this.
but seriously, shouldn't the question be whether EM or audio has a more usable SNR in the random retail environment?
http://www.theregister.co.uk/2011/06/20/nfc_survey/
Seems demand is more vendor driven than consumer driven.
Any system which exposes buyer's info is bad.
Money is better.
If you compare a system to the current one in security and privacy, you will find all new systems are bad.
Do not accept a payment system which exposes the buyer's personal info. Even a small portion.
There is no benefit in doing that.
People, think carefully, a wallet is better than any high-tech payment system.
Implementation can be done without giving out the personal info. The store should generate a one-time transaction identifier; the buyer then receives that id and pays the bill by any means without giving out personal info. Do not allow tracking please.
There is an endless supply of IPO driven, marketing oriented, bullshit companies like this one trying to make the next payment system. The truth is: none of them will work. Not one. Every one of these guys is in it to get a piece of the action. I don't blame them. There's an ungodly amount of money to be made, but that's exactly the reason why it won't work. Merchants pay about 2-3% already for accepting credit cards. That's a metric shit ton of money right there, and no merchant in his right mind is going to cough up an extra percentage point or two for some stupid gimmick like this. Credit cards and cash work fine. There's no problem for these moronic companies to solve.
I don't respond to AC's.
... is because it puts the money-making opportunity in the hands of telcos, who can further argue that one needs to upgrade a phone every 2 years?
Audio based smart card technology (sound-based OTP) has been around for more than 12 years. http://www.identita.com/products/acoustic http://www.beepcard.com/ With plenty of IP surrounding it.
I'm a dog, you insensitive clod!!!!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Such a system already exists. It has been used in Slovenia for about 10 years. It was developed by Ultra d.o.o. and is called Moneta/M-pay.
I think an even better question is how long it will be before people with sniffers find a vulnerability in the system.
Don't try to tell me it isn't possible. If Chris Paget can read RFIDs out of passports from 30 feet away and inside his car (equipment cost: $1500), then how easy will it be to sniff active systems like NFC from across the room and behind a wall?
And please don't try to tell me that the transactions are "secure". People have found vulnerabilities in just about every kind of electronic payment system in existence. Banks haven't even been able to make their cards very secure, and there is no way in hell NFC is going to be any "safer" than cards.
Frankly, I think NFC is a disaster trying to happen. Maybe not right away, but once it becomes prevalent, and criminals become highly motivated to find its weak spots.
The problems I see are:
(a) It is a solution without a problem. Other than the ability to use RFIDs as you mention, I don't see that NFC solves or reduces any real problems that currently exist with cards or scanners.
(b) NFC introduces some physical vulnerabilities that cards and scanners do not share: such as the active transmission of financial information via RF.
(c) It is relatively expensive when cheaper solutions already exist.
I could go on but the point is that I simply do not see much in the way of benefit, yet there are significant negatives.
... and built it. My system's called BitChirp, and can encode up to 512 bits. It works. Too bad these guys beat me to market :(
char*f="char*f=%c%s%c;main(){printf(f,34,f,34);}";main(){printf(f,34,f,34);}
There have been myriads of systems like this. I was contacted by a French company doing the same, with their own sound encoding system, which was quite similar to the DTMF of the keys on old keypad tones. Then there was a similar system made by a European crypto-key calculator producer, which actually used DTMF. The principle is so simple that any good crypto programmer could have made it with an ordinary modem. I take this as a strong sign that this kind of technology, including near field communications, is hindered by some other factor, such as disinterest from banks.
Supermarket noise will make it unusable, since sound is not directed (yes, I have heard of directed sound systems which can be installed on ships, but not on a pocket phone).
Does this mean the "squeeeeeeeeee squuuuuuaallllllllll brrrrrrrbrbrbrbrbbrbrbtttt bong! bong!" sound is coming back?!
An NFC phone is just a phone with a contactless card implanted in it, and like those contactless cards, the NFC chip in the phone can be (is) powered through the magnetic field generated by the POS, so can work even when the phone has run out of battery; Zoosh, by its software nature, needs a powered phone to operate: no battery, no Zoosh... no money.
You like this http://tinyurl.com/4yn3fuq
I don't really believe in credit cards. You always end up spending more money than you would had you had cash in your hands. I once ended up spending 120 quid on a fancy dress costume which I am certainly not proud of :(
A sound based technology might have big problems operating in a noisy environment - and I know this is for non human audible sounds - but these sounds can also occur outside of this phone app - ie building noise / night club / a busy street. This might limit the usage a little.
The last commonly used type of NFC which worked (IRDA) different from magnetic induction essentially just vanished after a long time. All my Mobile devices bought from 2000-2007 (and one camera bought ) were able to speak irda.
NFC by sound is an obvious idea. But I don't expect that it works very well. The differences in the mass density are higher than the difference in the dielectric constant of leather, cotton to air. The impedance mismatches seen if you work in practical wavelength regimes (we don't want efficient transmitters to be large) will make it difficult to predict the signal strength, making it prone to interference with devices close (if you can't predict the scattering, you have to have a large range of volumes which you accept).
For the applications where it's practical (train tickets etc) you will have many tickets/devices swiped by close to each other. Assuming that your requirement is 10cm maximum working distance, and difference in the scattering of 20dB (power) for a device in a purse in a pocket, you have to allow 1m radius to communicate with a device in plain (acoustical) sight.
That's more than the distance in the queue at the cashier and more than the distance to the neighboring entrance in the subway.
There was a YouTube video of it and I've been searching for it forever. Anyone know what I'm talking about? The technology in Africa wasn't ultrasonic but it worked and was compatible with people's phones and ATMs. You could make a mobile payment in the middle of nowhere and then play that payment back to the ATM and it would give you cash. The system at the time was amazing, especially since it was directed at the 3rd world. If you've seen what I'm talking about please post a link. I've been dying to show it to a friend in Cape Town.
This news article makes me remember old anecdote: ...
A: Why do you call your cat "Zyxel"?
B: pulling the cat's tail - listen - 19200
Next step would be ultrasonic whistles or flutes selling to interfere with such "point of sales"
You could spend the coins, or is counting so incredibly challenging?
There are other features that are already available. Why not authentication via Bluetooth? Or use the phone's LCD display to output a barcode, or series of barcode type images. Or bar code images with some pseudo random time between images. There are countless other ways to use the existing phone tech. Why do we need new hardware in the phone? When choosing a phone, I want my dollars to go towards better existing tech such as faster processor, more RAM, better battery life, etc.
Ka-ching!
Irrelevant? Maybe the US implementation of it, but not NFC itself. Guess what? I use NFC at least twice a day to ride the train, for my ID badge to get into work, and to buy stuff at 7-11 and vending machines, etc.
The US isn't the world, people, and NFC (at least the Felica standard) is already in wide deployment and in daily use in a number of countries...
It's the sound of money.
Due to the absence of major banks, they use an application that allows a user to put money onto his cell phone. Since this is so practical, almost every commerce is supporting this. You buy the money at a pharmacy, with a discount taken by the pharmacy. You make purchases (pay taxi driver), etc, with cellphone to cellphone transfer. He pays with his cellphone and the store. If real cash is required they go to the pharmacy and redeem an amount from that on the cellphone. I am not certain, but the banks and visa/mastercard are not involved. This makes this process very affordable for commerce and the people on the street.
Leslie Satenstein Montreal Quebec Canada