Canadian Banks Rushing To Offer Virtual Wallets

silentbrad writes with this quote from the Globe and Mail:"Canada's big banks are preparing to launch 'virtual wallets' as early as this fall that will allow consumers to digitally consolidate their credit and debit cards from any financial institution, and use them to make purchases online and through their cellphones at cash registers. It is being called the biggest change to the way consumers pay for goods in Canada in decades, and for the banks moving quickly into this space, the strategy is about keeping ownership of the vast and potentially lucrative stores of data that are involved in transactions. ... The majority of the banking sector is expected to follow suit in the next year or so, with each financial institution relying on the concept of 'aliases,' where a password lets consumers access their payment cards, but protects personal information from being passed to the merchant. ... Retailers can use the information contained in transactions, stripped of details that violate privacy laws, to tailor offerings or promotions to consumers. And the banks figure they can build a new business from that new world. Location data on phones can help neighborhood stores connect with customers in the area, while transaction data online can give insight into consumer habits and tastes."

As I pat my virtual pocket to check

[paiute]

This is great news. Now I no longer have to wait to lose my physical wallet to go through the agony of canceling and replacing credit cards. It can be lost more efficiently in the cloud.

Re:As I pat my virtual pocket to check

[IpSo_]

If anything this should be more secure than the RFID credit cards already in everyones wallet up here. The phone shouldn't be transmitting any data until the app is opened and a password is entered. Sure someone could be intercepting the transmission at the checkout of the store, but that risk already exists with existing RFID cards and also with merchants not locking down their POS terminals and subjecting themselves to having them replaced with compromised ones.

Re:As I pat my virtual pocket to check

[Daas]

The main difference is : I can't remotely kill my wallet if I lose it or if it gets stolen. Plus, there is no password on my wallet.

Re:As I pat my virtual pocket to check

[IpSo_]

Does it matter if its compromised by one person or 10,000? The one person who steals your wallet from your car or off the beach when you're not looking can just as easily provide the information to anyone else anyways.

Lets compare the process in each scenario:

Physical Wallet:
1. Thief steals wallet from car.
2. Thief opens wallet, takes credit cards and starts making purchases at physical stores and online.

Virtual Wallet in Phone:
1. Thief steals phone from car.
2. Thief must prevent any radio signal from reaching the phone to prevent a remote wipe.
3. Thief takes the phone home and starts the "hacking" process to gain access first to the phone (password lock)
4. Thief then must gain access to the presumably encrypted virtual wallet app.

If the encryption is done properly, step 4 would be prohibitively expensive and easily buy the 2-24hours it would take to realize your phone is gone and contact your credit card company.

Not only that, but once enough people are using the virtual wallet, I would imagine they would be able to easily switch to using bluetooth or similar protocol that uses some sort of SSL encryption with pre-exchanged keys to prevent any man-in-the-middle attacks at the POS terminal.

Re:As I pat my virtual pocket to check

[rgbrenner]

you must not be in the US then. No-swipe (RFID) credit cards are common, and rfid credit card scanners are all over the place. You just wave your card over the scanner, and it charges it.

Re:As I pat my virtual pocket to check

[Baloroth]

Yeah, they're actually starting to become a thing that card makers are pushing. I remember seeing guides of how to fry the RFID chip (I believe a microwave for a few seconds works, but don't blame me if it also breaks the card) because even a lot of non-techies realize the security risk.

Re:As I pat my virtual pocket to check

Note to TSA: I am not a terrorist even though I used the words "kill" and "nuking".

Thanks, now if only we could get everyone to just admit when they are and aren't, that would make our jobs a LOT easier. Keep up the good work, patriot!

Re:As I pat my virtual pocket to check

[Beardo+the+Bearded]

I've got one on my CC. It works great, I can just wave my wallet at the reader and I'm good to go. I don't have to touch the pen or pinpad that Typhoid Mary and Ebola Gary have been licking.

It's limited to $50 transactions.

The field is very short, approx 6".

It's my CC, so there's a buffer between it and my real money.

I'm an EE. An RF EE. They're fine. The machines aren't always set up to take them though, so it doesn't work everywhere.

Re:As I pat my virtual pocket to check

[MachDelta]

The problem with them is that there's no way to turn them off. At least on my cell i can disable NFC and password (and track) the device. With cards you either have to permanently disable them or get a shielded wallet. I opted for the shielded wallet, but most people don't know why they would need one. Even my mom, who's been in the banking industry for 25 years, was surprised that my phone could pick up her CC through her purse. If people are so ignorant of the dangers that the whole act seems like magic, they're easy to take advantage of.

Re:As I pat my virtual pocket to check

[HungryHobo]

option 2: phone malware picks up your details the next time you use the app.

option 3: pre installed networkcrapware like this
http://money.cnn.com/2011/12/01/technology/carrier_iq/index.htm destroys any semblance of security.

It's all about selling customer data

FTFA:

Retailers can use the information contained in transactions, stripped of details that violate privacy laws, to tailor offerings or promotions to consumers. And the banks figure they can build a new business from that new world. Location data on phones can help neighbourhood stores connect with customers in the area, while transaction data online can give insight into consumer habits and tastes.

The title of the article should read:

"Canadian banks rushing to offer your private buying history to the highest bidder"

What?

[TheSpoom]

Did anyone else read the entire summary and still have no idea WTF it's talking about? Something to do with aliasing personal information to merchants... so they can target advertising... when the merchant has all the customer's personal data out of necessity anyway...?

Canadians already primarily use a card system called Interac to make most purchases; granted, it's been a while since I lived in Canada but even three years ago it was very rare for me to make a cash purchase.

Reading TFA it seems like it's talking about cell phone wireless payments, and banks selling your demographic information to retailers. Frankly, if my bank did that, I'd opt out of it immediately, and potentially change banks if they didn't allow the opt-out. This suggests to me that within five years there will be no bank that will allow opting-out unless it's protected by law.

Re:if it ain't green.

[green1]

Canadian bills aren't all green now. $5 is blue, $10 is purple, $20 is green, $50 is red, $100 is brown, $1000 is pink (I believe, been a while since I've seen one) and when we used to have a $1 it was dark green and $2 was orange
makes it much easier to tell denominations at a glance when looking through your wallet.

I can hear the FAIL from here....

[Lumpy]

They already tried this in the USA with the stupid nearfield credit cards. it was an epic failure. Paypal has tried it several times and failed and is on their next failure with this technology.

People DO NOT WANT to have loosey Goosey access to their money. It is why you dont see RFID on all your groceries and a push and pay register at Walmart... if they could lay off almost all the cashiers forever they would.

Good luck canada, but Mastercard could not get enough banks and people to use their atempt, I think you will have about the same chance.

Re:I can hear the FAIL from here....

[swillden]

You're wrong, this is going to happen.

Visa and MasterCard have announced that they'll implement the chip card liability shift next year in North America. What that means is that starting in 2013 all liability for fraudulent transactions will accrue to whichever links in the chain (issuing bank, merchant, merchant acquiring bank, clearinghouse) do not have the chip-based technology implemented. Since merchants pay for nearly all of the credit card fraud, you'll see a very fast response from them to add the necessary technology at the point of sale.

While the liability shift doesn't address the question of contact vs contactless (RF) payment chip technology, at this point everyone will be deploying contactless. From a security perspective it doesn't matter whether it's contact or contactless, because any contact design has to assume that attackers will be able to eavesdrop or even MITM the contact connections, and the contactless technology has a lot of advantages. More to the point, the north american banks tried contact cards a decade ago and it failed -- not due to any problem with the technology, but still the failure left a bad taste in their mouth. So bank execs see "contact failed, so maybe contactless will work better". And it will, but not due to any advantage of the technology. It does have advantages, but they aren't the reason it's going to succeed.

So, what we have now is a confluence of events that will drive adoption. The merchants will deploy the infrastructure because it will save them huge amounts of money. Banks will deploy chip cards because they don't want to absorb that fraud. Because of Google Wallet, ISIS, Apple's initiative (whatever it will be), etc. more and more smartphones will have NFC, to the point that over the next 2-3 years you can expect basically ALL new smartphones to have NFC. And while you may not like it, people really DO like being able to pay with their phone, and to use a virtual wallet.

I notice this especially among the younger population. When I use Google Wallet at stores, the cashier's reaction is very strongly correlated with age... the younger the cashier, the more they like it. This shouldn't surprise anyone given how central mobile phones have become to young peoples' lives.

The obvious next step, once you're using your phone for payment, is to integrate loyalty and coupons. It sounds like these banks are taking a slightly different approach than Google or ISIS, but the fundamental idea is the same. For manufacturers and retailers, it provides a smoother path to deliver incentives to consumers and -- even more important -- a path that allows them to close the loop. When General Mills puts cereal coupons in the newspaper, they know roughly how many coupons are printed and roughly how many are redeemed, but they don't have any real way to figure out how effective those coupons were at motivating people to buy who wouldn't otherwise have bought. Electronic coupons can fix that.

From a consumer perspective, there's fantastic convenience in having all of this stuff integrated. My wife often goes to the grocery store with an inch-thick stack of coupons, and it takes a lot of time for the cashier to process all of them. Many of us have a crazy number of loyalty cards we carry around, so there's big value in moving all of that into electronic form as well. And then when you get to where you can apply all loyalty discounts and relevant coupons and perform the payment in one 250ms tap, that's really nice.

Of course, there are some significant privacy questions around all of that. The whole point of loyalty cards is to enable retailers to get more detailed information about their customers at an individual, privacy-busting level. But, by and large, people are fine with that. So far, it appears that the vast majority of people will also be fine with electronic coupons giving an anonymized handle to them to manufacturers as well -- and this same anonymized handle may well be a way for individuals

Re:Wither Paypal?

[RattFink]

The whole point of Paypal was you don't have to give your cc number to the vendor; it'll stay with Paypal.

A little like contracting smallpox to keep you from catching cowpox.

Re:if it ain't green.

[compro01]

Was pink. The $1000 bill was withdrawn back in 2000 due to money laundering concerns.

What's the worst that could happen?

[azalin]

What's the worst that could happen? There is no way that idea could wreak havoc to you finances if something goes wrong. Actually forget the "if" and replace it "once". One basket was not a good idea a few hundred years ago when carrying eggs and still isn't.

Re:nice timing

[PmanAce]

I'm curious to hear why, what are your examples?

Re:Privacy?

[pla]

Really, how does being offered discounts on products you actually buy and use constitute a bad thing.

Just make them cheaper to start with and skip the games. Simple enough for ya?


Are you such a sick deviant fuck that you are ashamed by your purchases, or buying illegal things, or buying things to commit illegal actions?

8/10.


Seriously? Get over it.

I pay with cash. Consider me over it.

Re:if it ain't green.

[MachDelta]

Nope. It's gone for good. They stopped printing them in 2000 and any financial institution that receives one is asked to return it to the BoC for destruction. They're still legal tender and can still be held privately, but they're not officially in circulation. They were rarely used for anything other than money laundering anyways. The only time I ever saw them was in a bank vault in bundles.

Re:if it ain't green.

[Yaztromo]

...and when we used to have a $1 it was dark green and $2 was orange

Actually, the $1 was black and yellow on front, and green on the reverse.

The $2 bill was considered to be "terracotta" coloured, and was more reddish-brown than orange.

Yaz