Slashdot Mirror
Google Wallet May End Up Inside Your Actual Wallet
Several outlets are reporting, based on screenshots posted by Android Police that Google is (or "may be" — CNet calls the report "loosely sourced") about to introduce a lower-tech variant on its smartphone-based Google Wallet payment system. Instead of transferring payment information from an NFC-equipped phone, this would mean a physical payment card (like a conventional plastic credit or debit card), but one linked via Google's databanks to the user's existing bank or credit accounts. Upsides: less to carry, a simple way to suspend or cancel service on them (should the card be lost or stolen), and doesn't require you to carry your phone to make a credit or debit transaction — handy, since NFC readers are still thin on the ground. Downside: while perhaps no worse than putting the same information on your phone, it's one more step toward giving a third party all of your personal information in one place. A card that fits in a wallet probably makes a lot of sense: I live in a city with at least three pay-by-phone options in trials or fully available (CitiBank, Isis, and Google Wallet), but I can't buy ice cream or coffee with them yet. And there's no reason a card-shaped token couldn't use mag-stripes and NFC, too.
Banks are better equipped. They'll just start issuing NFC cards (linked to multiple accounts) and G Wallet wil be out of business.
Heh. It's possible, I suppose, but about 10 years ago I spent a lot of time working with banks, trying to get them to agree to allow their credit apps to coexist on a single card. It was known in the industry as the "white card" concept. The card was intended to be a customer-owned smart card which could be loaded up with many credit cards as well as other apps (probably all ID and finance-related). I think it's a great idea, myself. I did 10 years ago when the idea was to reduce my whole wallet to a single card, and I think it's an even better idea now that we're talking about eliminating the wallet entirely and just using the phone -- which I always have with me anyway. I'm hoping my phone can also become my car and house keys, my driver's license, my loyalty cards, etc. Basically there's no reason the single device couldn't manage all of my personal and identity data, and do it very securely, thanks to the embedded secure element.
Think the banks were interested 10 years ago? No way! There was no way they were going to give up the opportunity to have a branded card in their customers' wallets. In fact, even for single-bank cards one of the advantages of smart cards that I touted to them -- the fact that smart cards are much more durable than magstripe cards -- was of negative value to them, because they like sending you a new card every two years. Why? Because their statistics show that sending you a new card gets you to use it more!
Banks have all kinds of incentives to oppose this sort of thing.
Of course, now that Google is making it impossible for the banks to successfully oppose card unification, on smartphones and -- if there's anything to this rumor -- on plastic cards, they might have to join it. That's what the ISIS consortium is about, but I notice that banks haven't been joining in droves. IMO, they fear the mobile network operators, who would like nothing better than to become the world's payment transaction engines, and the banks really don't want to lose that business. Worldwide credit/debit card transaction volume is measured in tens of trillions of dollars annually. Getting even a very small percentage of that sort of cash stream is worth a lot, which is why the MNOs are anxious to get in and banks are anxious to keep them out.
(Disclaimer: I work for Google, and much of my work is related to Wallet. I have carefully avoided saying anything based on inside information acquired while working for Google. I have a lot of knowledge about this space that was acquired during previous employment, though.)
Oh one note on terminology: It's only called "NFC" when it's embedded in a phone and combines contactless smart card technology with dumb RFID technology, and able to act as both card/RFID chip and reader. When it's in a reader-powered card it's just called "contactless smart card" technology.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
You forget that there's also a cost associated with using cash. You have to worry about employees and customers taking that money. You have to find a safe way of transporting the money to the bank. For businesses, banks will also charge you service fees for the privilege of depositing money into your account. You also have to go through the trouble of ensuring that you always have proper change for customers who use cash. Sure there are many expenses when dealing with credit cards and other non cash payment systems, but it's not as if dealing in cash is all fun and games.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I've been working with smart card tech for almost 20 years now. I've seen the breaks and countermeasures, and am fully aware that the technology can be broken given enough effort. That's why good security designers arrange to limit the damage possible, to a value which is less than that which can be obtained by breaking it -- and we have pretty good estimates of break cost. Off-device countermeasures are critical, too, such as the risk engines already implemented by all of the credit card issuers. ID-related data should be authenticated with off-device keys, similar to the way the authentication data in passports is already secured.
Obviously nothing is perfect, which is why the security engineers who design this stuff spread the risk. But that risk spreading doesn't mean you can't put everything in one device. In fact, it really doesn't even help to have a wallet full of separate cards, because they're all in one place. And having all of your credit cards in your phone is vastly more secure than having them all in your wallet, because your wallet has no locks and the cards in it have their whole frigging card numbers printed right on their face. It's hard to get much worse security than that (because, fundamentally, credit cards are horribly insecure -- the identifier and the authenticator are the same value? Really?)
You can certainly feel free to avoid putting everything in your phone if you like. But the vast majority of people who are willing to trust the security designers will not be disappointed in the results. Not that there won't be occasional problems, there are problems with anything, but they will be less common than the ID and payment fraud we have today.
Bottom line: It will be better security, not worse. I challenge you to find a serious security researcher who knows anything about the technology and disagrees.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I've used a credit card for every purchase that I can for several years now. Not only that, I signed up with Mint to explicitly track my purchases. Not only credit cards, but loans and bank accounts too.
If you had asked me a few years ago to "come back in a few years and tell us how good it was for you to surrender your buying habits to google or some other behemoth" -- well, I would be coming back right now to let you know. So here it is.
It's great. My purchases are automatically organized into categories for budgeting purposes. I get targeted ads that give me suggestions for saving money or making more money. For instance, Mint might say something like "Your savings account pays X%, you could make more if you switched to Y Bank." I ignore 90% of these because after switching the first time, it's not worth switching again for a tiny bit more.
Do you have a reason for thinking that the next few years will be worse than the last few years?