Sound-Based System Promises Chipless Phone Payment

CWmike writes "While near-field communication gradually emerges to turn mobile phones into payment devices, startup Naratte is introducing a system it claims can do roughly the same thing without adding a chip to the handset. On Monday, Naratte introduced Zoosh, a technology that lets phones exchange transaction information via inaudible sound waves. As with NFC, the phone user would just put the phone near to a point-of-sale terminal to redeem a coupon or make a purchase. NFC provides short-range radio communication between phones and point-of-sale devices so users can just tap or point their phones at the device to make a purchase. NFC uses specialized chips, which are already built into a few phones such as the Google Nexus S sold by Sprint Nextel, and are expected in more handsets in the future. Zoosh involves software that utilizes the speaker and microphone in a handset to send and receive audio signals with another device, similar to the way early modems exchange data by sending tones through the handsets of desk phones cradled in coupler devices. The company has posted a video that shows how it works. Between this and barcodes (which Starbucks says is working well already, thank you very much), is NFC already irrelevant?"

Re:Inaudible to people, perhaps..

[gehrehmee]

Doesn't mean replaying it would get you anything, if it's cryptographically sound.

1970 called..

[Mogster]

They want their accoustic couplers back :)

NFC irrelevant?

[fuzzyfuzzyfungus]

Has NFC already been reduced to a glorified mag-stripe; but with more options for carriers to get their pound of flesh out of the transaction? If so, then yes, a cheaper way of communicating with the POS arguably threatens its relevance.

However, if that deplorable possibility hasn't come to pass, then this seems like only a partial replacement. With NFC, as with the prior RFID stuff, you get the handy option of having passive, antenna-powered tags that can interact with powered devices. You can also have two powered devices talk to each other, some combination depending on the circumstances. With this audio mechanism, and QR codes, and the like, you have the advantage of using hardware that is already there 'for free' because it has other uses; but your versatility is limited: The audio-based system, unless some very clever and likely not cheap piezo/MEMS system were to be hacked together, will only work between two powered devices. QR codes are tolerant of unpowered tags, indeed their tags are cheaper than RFID ones; but you are restricted to dumb tags only. No challenge/response authentication or anything unless two devices with screens and cameras are flashing QR codes at each other as a crude form of two-way communications interface, in which case both of the devices have to be fairly sophisticated and powered.

Re:Inaudible to people, perhaps..

[c0lo]

But I bet a microphone could still pick it up..

I don't know... might work better than radio waves - the attenuation of RF in air might not beat the attenuation of sound waves. The higher the frequency, the higher the attenuation of the ultrasound in air (dry air: 0.6 dB/m at 50 kHz, 1.8 dB/m at 100 kHz). Add some directional elements, use a small emitting power and what's not in direct line of emission might be drowned by noise at a distance of 0.1-1m.

And, on a side note, this is oddly reminiscent of Phreaking

Hmmm... yes, but I think in this case the danger will come from rogue bats flying around that pay terminal (hold you fire, it's just a lame joke)

I completely refuse

[holophrastic]

Right now, I have an AMEX in my wallet. It's the best. Unlike my six other credit cards, my AMEX has no chip, no PIN, and no magic. Ok ok, it has a magstripe. The point is that in order to use it, I open my wallet, swipe my card, sign my signature, and walk away. That's great. It's convenient because it takes fewer than 10 seconds, and it's super-secure, because it requires me to take out my wallet, and to use my card within a millimetre of the magstripe reader. And it's super legal too, because my signature is a legal tool that means something, and it's very criminal to forge someone else's signature. Finally, it's super-safe for me, because if anyone, anywhere in the world uses my credit account for any reason in any way, I'm not responsible for the charge. That's perfect.

The reason I don't use my other credit cards is very simple. They suck. The chip can be read from many yards away, through my pocket. So it's not secure. I need to remember a different PIN for each, so it's not convenient. I'm not allowed to use the same PIN for each -- that's against the card agreement, and rightfully so. And here's the worst part. If someone else uses my card, and uses my PIN, it doesn't matter how they got it it, I'm still responsible to pay it. Read your agreement. Ask for it. That's what it says. It says that you are responsible for any purchase made using your PIN. My PIN is not 32 characters long. It's just a handful of digits that anyone could notice, and remember easier than a phone number.

Now, we're talking about using my phone. A device that can break, die, crash, or get lost. Unlike my wallet, my phone moves from my pocket to my hand way more often. It discharges too. So now if my battery dies, I won't be able to buy a new one. Suck on that for a while. How's that for a buried shovel? So it won't be safe. It won't be secure because whatever information is being passed is being passed through the air, and is no more secure than any airwave transmission. And by using ordinary soundwaves, it can be detected by any microphone that ever existed -- including other phones. My credit card can't intercept other credit cards, unless it's covered in cheese when I swipe it. And by the way, jamming is just as bad. So it's not secure in any way.

Not to mention the most annoying part of all. I just refuse to use a modem ever again. I don't want to hear that sound again. I don't want to wonder why my 16800 is connecting at 14400. I don't want to know why no one has ever gotten 56000 ever, with any 56000 modem. And I don't want to have to explain to someone what BAUD means ever again.

I'm done with that shit.

Re:I completely refuse

[holophrastic]

See, I used to think that, but it's the other side that makes it true. Certainly any agreement could say that if someone uses my PIN, I wouldn't be responsible. They don't, but they could, but they don't. And you can flip that any way you like. But a signature is different. A signature isn't a part of my agreement. A signature is a legal device.

The primary reason that my credit account can't charge me for fraudulent charges is because I never agreed to those charges. And in today's legal world, the only reason that I need to pay my credit card bill is because every restaurant has me sign a piece of that says "I agree to pay above total amount in accordance with card issuer's agreement".

It's not the account agreement; it's the law, and the concept of a signature as a binding contract. A PIN is based on the idea that no one else knows my PIN. A signature is based on the idea that no one else can bind me to a contract. The day that the law changes, and says that using someone else's PIN is criminal, then I'll be happy. But right now, you're allowed to use someone else's PIN. That's not illegal. It's illegal to steal, but that doesn't stop my having to pay my credit card bill. Contrast that with the idea that it was always illegal to sign someone else's name, even with their permission and consent. You simply aren't allow to sign someone else's signature, under any circumstance, for any reason whatsoever.

So that's the reason that I say it's a problem with the technology. The technology failed to consider the legal ramifications of such a change. To say that it's not the technology's fault is like playing football during during recess (do they still have recess?) and calling interference when the ball hits a tree. That's not interference, the tree was there before you threw the ball.

Re:Inaudible to people, perhaps..

[adolf]

dry air: 0.6 dB/m at 50 kHz, 1.8 dB/m at 100 kHz

No. Sound is not so linear as that. You cannot take a chart that says sound is attenuated by 1800dB at 1km and simply divide by 1000 to get the attenuation at 1m.

Remember inverse-square law: Check it out. (And more here.)

All that aside: The simplified rule of thumb for sound at audible frequencies, for a spherical waveform (such as that emitted by a phone), is that sound falls off at a rate of 6dB for each doubling of distance.

So, if you're making noise that measures 80dB@10cm, you get the following results at these increasing distances:

74dB@20cm
68dB@40cm
62dB@80cm

etc.

And we only care about frequencies in the audible range, despite the implication in TFS, or it will be completely unable to work with existing phones (which is the main point of the thing to begin with). To wit: Combine Nyquist theory with the shitty analog electronics and 48KHz (at best!) ADC/DAC in a phone, and the resultant system must be either audible to a sufficiently-close non-damaged human ear, or else be completely non-functional.

So, there's no point in even discussing how well the thing might behave at 50 or 100KHz, because that's never going to work with existing phones.

And the whole argument is moot, anyway: The transport layer for this sort of payment system, whether RFID or barcodes or acoustic signalling or Bluetooth or avian carrier, will be recordable by a sufficiently-motivated and clever person. It therefore must have strong security (whether cryptographic or otherwise), or it will fail and be exploited. And if it does have strong security, it doesn't matter if it's recordable or not, since any recovered data will be useless to the eavesdropping party.