Rite Aid and CVS Block Apple Pay and Google Wallet
An anonymous reader writes CVS and Rite Aid have reportedly shut off the NFC-based contactless payment option at point of sale terminals in thousands of stores. The move will make it impossible to pay for products using Apple Pay or Google Wallet. Rite Aid posted at their stores: "Please note that we do not accept Apple Pay at this time. However we are currently working with a group of large retailers to develop a mobile wallet that allows for mobile payments attached to credit cards and bank accounts directly from a smart phone. We expect to have this feature available in the first half of 2015."
CurrentC seems way too involved for most people to ever give a shit about.
This isn't the sort of thing that "the market" can decide. I expect that it'll end up in court.
I wouldn't be surprised if patents come into it too, and since retailers aren't technology companies, they probably won't have the patents to even develop what they want without licensing, and tech companies with those patents are under no obligation to license them.
Do not look into laser with remaining eye.
Once competition decides what service we decide to favor. A bunch of services will fail, 3 or 4 will remain and be universally accepted. Just look at the credit card networks for reference as to how this will play out.
tech companies with those patents are under no obligation to license them
I thought that in order for something to be incorporated into an industry standard, patent holders had to offer their essential patents for license under a uniform royalty regime (sometimes called "FRAND").
A token based system vs. direct access to my personal data and bank account? I'll take Apple Pay, thanks.
Trolling is a art,
To push away the two leading mobile solutions especially when you're in the midst of losing smokers in CVS (a good move health-wise but consequential for sales nonetheless)? Heck they wouldn't even do Passport.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
How does this not violate these stores' agreements with Visa (etc), which have explicitly partnered with Apple and Google to provide Pay and Wallet as a valid method of using their (virtual) cards at the register?
And worse than simply not accepting it, they did so because they plan to come up with their own competing product??? WTF, Rite Aid, do you really think people will rush to use yet another crappy store-specific solution, rather than look confused at the cashier for a few seconds before walking away, leaving their stuff at the register?
The reason they are doing this is that they don't want to keep paying inflated fees to credit card companies because they are tired of getting screwed. They may also not be serious about it; it may simply be a pressure tactic to get credit card companies to lower fees "or else".
Getting payment options other than the big credit card companies and their inflated fees necessarily involves inconvenience. Obviously, consumers are too lazy to do it by themselves, but retailers may have enough power to make this happen.
It appears that CurrentC moves liability exposure almost entirely onto the consumer, whereas Visa limits consumer exposure to $50 that most banks waive in actual fraud. Add full access to your bank account to make the worst-case liability exposure whatever you have in your account, and privacy terms that allow them to use health related data that could have been protected under HIPAA. Tell me again why I would want to use this?
There are a lot of hidden costs associated with using cards and other technologies with payment terminals. When you pay $6.00 for your purchase, the retailer doesn't get all that money. The processing company that processes all the transactions paid for with cards at a retailer gets a cut of every transaction. If it is a credit card, like Visa or MC, then the credit card company also takes a small percentage.
While Google Wallet and Apple Pay may be free to the end-user, I highly doubt that it is free for the retailer. Google and Apple are likely taking another slice of the pie. So... percentage for the processing company, percentage for the credit card company and a percentage for Google or Apple. It's not beyond belief that this could easily exceed 5% of the purchase price, which could be about 10% of the profit margin. That's a huge number, even if it only amounts to $0.30 on a $6.00 purchase.
It's an annoying hassle for CVS customers to have to wait and deal with another mobile payment system, but it easily means millions in savings each year, nationwide.
There are absolutely no laws that keep standards (or anyone else) safe from patent claims.
Some standards organizations try to require members to license patents under "Reasonable and Non-discriminatory" terms, but the whole thing is nonsense. What is "reasonable"? The answer is, "as much as I can get from you!". And what is non-discriminatory? By definition most RAND terms discriminate against FLOSS, and they also always discriminate against organizations without the patents (since they have to pay for the patents, while others do not). In addition, for software patents and business patents, in general no one (not even the patent author) actually knows what the patent covers and what it does not, for a variety of unfortunate reasons.
I actually think that patents have their place in the physical world, but not at all in the software world.
- David A. Wheeler (see my Secure Programming HOWTO)
Shitty customer service is not a strategy.
Let's face it. With the exception of cash, there isn't an easy way to pay where you cannot become compromised. It seems like every week another retailer has their databases compromised. Do I really believe even for a moment that letting google, apple, or someone else manage my cards for me will stop that? Can you imagine a situation where one of these companies is compromised and not just one but maybe all of your accounts become compromised with it?
So you're saying that the good old magstripe is somehow MORE secure than an NFC phone that requires secondary authentication? Or is it you just haven't figured out how to turn NFC on?
Why is that? How do you imagine your money would be stolen?
Eliza: You seem angry. Would you like to talk about your mother?
Face it, as far as these companies are concerned, you guys are even less relevant than transexual credit card wielding jihadists. They don't care about you. You're a rumor, recognizable only as deja vu and dismissed just as quickly. You don't exist; you were never even born. Anonymity is your name. Silence your native tongue. You're no longer part of the System ...
Faster! Faster! Faster would be better!
A CVS fanboi?
If this isn't a poster child for the 'long tail of the Internet' I don't know what is.
Faster! Faster! Faster would be better!
What magstripe? I live in Europe, where we dropped that nonsense in favour of chip+PIN years ago.
Il n'y a pas de Planet B.
Gruber at DaringFireball nails it:
Apple's great strategic advantage over Google is that they put their customers' (i.e. the people who buy Apple's goods and services) needs over their partners' needs to be able to data mine those users.
"Free software as in beer, copy protection as in racket" - Telsa Gwynne
No they are not members of MIB..
So you should feel right at home with NFC+PIN then
First, CurrentC involves scanning TWO QR Codes. Wow. It's almost like we should use a radio to exchange the data. Durr. Second, Target, KMart, and Walmart are involved with this... KMart and Target are idiots; Walmart has an empire, what are they colluding with them? Apple customers are elitists that will go out of their way to use their fancy phones to do anything (ex: boarding passes). Whichever one of these retailers wakes up first and embraces secure technology wins a whole lot of new business.
it's not "either or". All cards (at least where I live) have "the chip", they require a PIN. Not 100% safe but beats the magnetic strip (there was some fuss about this a few years back, as some grad students --from Oxford if not mistaken-- found a way to beat the system, the backers didn't like it).
If the terminal supports the chip and the card has one, any attempt to use the mag strip is refused systematically (they all still have the mag strip). Some of them have nfc (or whatever it is called), mostly credit cards, if used this way no need for a PIN and it's exclusively for tiny transactions (less than $10 I think).
NFC is usually ON by default. You have to have something resembling a clue in order to turn it off.
If NFC is off on a phone it's not because "someone couldn't figure it out".
A Pirate and a Puritan look the same on a balance sheet.
Or, more exactly, why do you think it's at more risk than a magnetic stripe.
If you're in the US, do you let the waiter take your credit card, or do you always pay with cash?
Mod +1.
I love Eliza.
I ran it on a TRS-80 and it recorded interactions with it.
My sister got hold of it and took it very seriously. The transcript was hilarious as she tried to get Eliza to make a goddam commitment instead of asking leading questions.
It little behooves the best of us to comment on the rest of us.
Every corp will want in on the wallet system, you will need several apps installed to cover all of them, and most will be insecure I'll wager.
"If any question why we died, Tell them because our fathers lied."
An extension of this:
Both Apple and Google have sand boxed app stores.
What if they both say fuck CurrentC?
It little behooves the best of us to comment on the rest of us.
Apple Pay is exactly like using one of your credit cards by itself, but signed with your thumbprint. Whatever security Apple has is ADDED to the security of your credit card.
Also most new CC's have a tap-in-pay built in now.
I don't want a "smart" phone. They just want to eliminate cash and force all of us to pay hundreds of dollars a year for a phone that we don't want. I look around, and it's like society has gone off the rails. You're paying $100s a year so you can stare into a little screen, you walk into walls because you don't look, etc.
What everyone needs to do is load up a cart of perishable items. When you get to the checkout and they refuse to take your Apple Pay, simply say "So Sorry. I only have my phone with Apple Pay or Google Wallet" and walk away. Do that every time you go to walmart, cvs or any other foolish retailer that wants to buck the system.
When your credit card is compromised, the bank takes the loss and gives you a new credit card. When your phone is compromised, does Apple take the loss and give you a new phone?
NFC on is like wireless on. It might technically be on, but you'll never connect or do anything with it without additional steps.
Learn to love Alaska
Mine don't
Just not secure enough for me, no matter what the card companies and payment handlers say, as they aren't as interested in my security as I'd like.
Is it actually "not secure enough", or is this just a matter of you supposing it to not be secure enough because you have an abundance of (well-placed!) distrust for most of the companies involved?
If it's the former, I'd love to hear about any insecurities you're aware of, since I've been thinking I'd move over to contactless payments in the near future. If it's the latter, why not just go with one of them that is incentivized to protect your security? Apple, for instance, only stands to lose if there's a breach of security, given that they're not mining your data and the whole reason they're adding the feature is as a means for improving their users' experience in the interests of selling more devices. An insecure system directly undermines that objective.
Moreover, based on everything I've seen, their single-use token system that's secured behind a fingerprint scan is significantly more secure than the swipe-and-sign credit card I'm using now, and the parties involved in the transaction are no different than they are with a credit card either: just the merchant, the credit issuer, and the consumer.
I used to use Google Wallet / tap to pay at Rite-aid frequently as there's one across the street from my office. I liked it. The other day when I went in and tried and got a message about Apple pay not being supported, I was pretty confused. I don't use Apple pay. Why disable functionality that was previously working and that customers want to use? Google wallet does not charge merchants at all (http://www.google.com/wallet/business/faq.html). If stores want to set up their own competing wallet apps, that's fine, but disabling something that previously worked and that costs them nothing is really stupid.
Facts have a liberal bias.
I already carry something around in my wallet for paying for things that's convenient, secure, (as long as I don't lose my wallet,) and accepted virtually everywhere I go.
It's called, "cash."
Are there downsides to using "cash" for paying for things? Sure, you have to remember to get it before spending it, and generally you have to earn it before you can use it. On the upside... you have to remember to get it before spending it, reducing frivolous and mindless, impulse-buy spending, and you have to earn it before you can use it, reducing the odds of going into debt.
It also assures me of privacy, (it's way harder to track than credit/debit cards, mobile payment systems, etc.) doesn't cause me to get e-mailed or snail-mailed spam or junk-mail, etc., I don't have to worry that some ass-hat will think my "spending habits" are "irregular" and decide to decline my "cash" payment, or that some jack-booted government thug will decide my spending habits are too similar to someone else's spending habits and that I'm therefore up to no good...
"Cash" is the best mobile-payment system ever created, which is why its catch-phrase has hung around so long... "Cash is king."
But enjoy your magical, hackable "near-field" bullshit, and your "magnetic-stripe" crap. I tried many such things, and have gone back to cash. Accepted pretty much everywhere I ever go, or might go, trace-free, and if you're really worried about cooties... you're much more likely to get sick from inhaling the air than from touching money. Best of luck to you all. I'm going to go hit the ATM. (Since I use a credit union, and not a bank, and I use the network ATM's, I don't pay any fees either.)
Cheers!
For the explanation.
I expect the feds to rule on the fraud aspect once word gets out, to prevent the burden going to cardholders.
I expect all these new systems will indeed reduce fraud. The USA is the last to use chip and pin cards (we have had them here in Canada for 2 years). Chip and pin has stopped most frauds.
I think competitive forces will cause people to avoid shopping at those places for a year, and CVS etc will find it costly to deny both Apple and Android NFC systems, once their competitors get on board.
There was an article in NYTimes recently, written by a mother whose autistic son had bonded with Siri. It was a very sweet story.
Absolutely. NFC was the first thing I turned off. Like the "Internet of Things", NFC is one of those things that for me are solutions without problems.
I've got ninety-nine problems, and one of them ain't that it's too hard to make a purchase in a store.
You are welcome on my lawn.
So, then why exactly am I supposed to want to use it?
You are welcome on my lawn.
Best Buy used to take Google Wallet and other NFC payments then they did a similar thing a few months ago and started blocking them. They are on the merchant list for CurrentC. Question answered.
But now my big question is: Why doesn't the big 4 (Visa, MC, Discover and Amex) just smack them around and say "this is how it's going to be"? I'm sure their member banks would rather have one secure payment standard floating around out there too. This CurrentC thing just looks like a big identity theft cluster f*** data breach waiting to happen.
don't use magnetic stripe, but I'm pretty comfortable with chip and pin. Physical contact is required as well as a (somewhat secure) PIN. and because of the pin, yes I do keep my card. The waiter brings a wireless payment terminal and I keep a receipt.
How do you know? Eh?
They could be....
Faster! Faster! Faster would be better!
Sounds a bit glib but this is totally about retailers data mining you. The banks are giving Apple a cut from their side of the fees so it costs the merchants nothing. In fact it lowers their liability because the ApplePay numbers are single use tokens, not credit card numbers. But that means they can't track your purchase history.
Google Wallet (as far as I can tell) does not use one time numbers; I presume that's why they never cared about it.
Natural != (nontoxic || beneficial)
It's more convenient and secure than magstripes.
Learn to love Alaska
As a non USian, do your credit cards really have your address on them? that is messed...
This is one of the rare times I would agree with Apple denying an app.
CurrentC sounds like a mess waiting to happen.
because like most geeks, you're sitting there in line with your phone out anyway. Now you stop angry birds. tap the GW (or Apple app) wave your phone at the reader and you're done...
But first you have to take off the Oculus Rift.
You are welcome on my lawn.
Except for the fact that when you dispute a transaction on a credit card, the worst thing that happens to you is that your card may be frozen or the line of credit may be reduced by the disputed amount.
When you dispute a check or a debit transaction, your money is gone until the dispute is resolved and the bank may freeze all of your accounts during the investigative process, meaning you may essentially have no access to the money in your checking or savings account for a month or more.
Well done! I figured you for an old 80 unix guy that hadn't even heard of Oculus Rift!
For 200, can you say why someone wouldn't be wearing one in line to buy something?
The waiter, or anyone else for that matter, should never touch your credit/debit card. Why on earth are people giving it to them?
https://www.riteaid.com/custom...
http://www.cvs.com/help/email-...
Here's the message I sent. If you're lazy, feel free to use it:
Disabling Apple Pay and Google Wallet, which were previously accepted, is not OK. If you want to come up with your own competing system and give people rewards to use it, that's fine, but don't break existing functionality. Google Wallet just works. Apple and Google's solutions don't cost you any more money than a credit card transaction. Your payment app isn't even available yet and relies on QR codes, which means that when it does launch it will likely be very clunky by comparison.
If you can't come up with a sane response to this, I guess I'll be switching to Walgreens.
Facts have a liberal bias.
and that varies by location. With friends who are a store manager and regional manager, according to them it's going to be wait-and-see if the smokers just move on to another drug store - taking the rest of their business with them.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Apple and Google are on the same side in this one, in opposition to CurrentC.
Thank you. I wasn't aware of it.
It little behooves the best of us to comment on the rest of us.
For the same reason someone would constantly have their phone in their hand: Because they are a tool.
You are welcome on my lawn.
So close but no!
A tool is a "device or implement, especially one held in the hand, used to carry out a particular function"
As a consolation prize you get to keep your lawn...
I have. Very interesting. One "feature" of debit cards is that if you use them at a cash machine and you don't get what you ask for, too bad, you lose. Now, if you get more than you ask for the financial institution will be all over you. And of course, as pointed out by many posters, there is protection against fraud for credit cards but not debit cards, at least in the USA. These are the reasons our family does not use a debit card.
One possibility credit card issuers could implement is to deny retailers the ability to accept their credit and debit cards unless they allowed the use of credit card electronic systems for their cards such as Apple Pay or Google Wallet. It might hurt the issuers for a while but the retailers more. Returning to cash and paper checks would impose enormous overhead to retailers reconciling mounds of cash and paper checks. Large retail stores will need fork lifts to move all that paper around.
The thing that makes Apple Pay so intriguing is that each transaction produces and transmits a unique code for each purchase that does not include the credit card number. I'm assuming the code is encrypted, but even if it's not, that code will not be used again so if it's intercepted it's useless to the thief. Not sure if the Google system uses the same process, but it would be easy for them to adopt it.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
Apple and Google aren't managing our money. They're just giving us another option for how to hand it to people we're already doing business with
Don't use it. Very simple, and no angst involved. For those of us who do want to use it, why does it matter to you?
Because when I got my new phone, NFC was turned on by default, which drains the battery and creates a potential security hole.
Most people do not use NFC. I don't think the company from whom I buy a phone should be engaging in social engineering to use something I do not want to use.
Honestly, if the feature was there and turned off unless I wanted it, it wouldn't matter to me. As long as we don't go to a cashless society, it doesn't matter to me. But I do not want Apple to become a bank. I do not want Google to become a bank. They are already so big as to be anti competitive.
You are welcome on my lawn.
What, you thought because the US is touted as a leader in technology that our financial system wouldn't be lodged firmly in the 1980's? What the banks want, the banks get. And what the banks want, is to keep reaming us with absurd fees for services the rest of the world takes for granted. They're going to drag their feet for as long as possible about doing anything that even hints at being good for consumers, and once they do, they're going to make sure we pay dearly for it.
$4.99/transaction fee for NFC transactions? Sure, why the hell not?
Celebrity worship is a poor substitute for Deity worship and costs more to boot.
It's FAR more at risk than a magnetic stripe.
1. A magnetic stripe CANNOT be used without touching the card. This is a good thing.
2. NFC has multiple vulnerabilities. We all thought OpenSSL was secure for many years - until we found out just how much it wasn't. Coders aren't perfect.
3. The banks will shift liability from themselves to the consumers with NFC. They'll claim it's so secure it had to be our fault.
So yes, if you use this, you are more at risk than a magnetic stripe.
No data travels to or from the card unless I put it in the card reader, or the salesperson does so under my watchful eye.
NFC should be renamed NAG: No Air Gap.
Il n'y a pas de Planet B.
Apparently you are intimidated by complete sentences. There's a cure for that problem: Learn how to do it right. Then people will understand you better, and you'll no longer have to try to hide your ignorance behind "I know what I meant and you're an idiot if you can't read my mind".
Perhaps His Holiness is old enough to have learnt about something called "The Law Of Unintended Consequences". This often seems to crop up in conjunction with the implementation of Solutions Without Problems. You should read up on it sometime.
Il n'y a pas de Planet B.
Let me help you consult a more up-to-date dictionary.
As a consolation prize, you get to mow PopeRatzo's lawn, since I live in a flat and don't have one.
Il n'y a pas de Planet B.
The issue is not (merely) about my device connecting to others. It's (also) about other devices connecting to mine.
Il n'y a pas de Planet B.
I am suggesting a boycott of these two stores, since I know for certain they accepted Apple Pay and are now refusing.
Yep. That's the ticket. Adults vote with their feet.
Are you asserting that does happen by default, or are you lying to spread FUD?
Learn to love Alaska
Why would CVS or RiteAid want Apple Pay anyway? If a shopper has bothered to come to the store, select items to buy and then go checkout, chances are they want the items relatively more than someone who hasn't gone to that effort. The stores of course support several different existing methods of payment which work just fine from their perspective. The customer is likely to pay anyway.
Perfect? No. There are middlemen involved in the transaction but it's a system everyone more or less tolerates. Extremely complicated financial deals are behind every card terminal you see in a store. None of that stuff just happens. It's all very carefully planned.
Along comes Apple which puts themselves into play as yet another layer of middlemen, one which the stores have zero control over and one which is outside their established payment process. It also runs counter to their own payment initiative which they have agreed to support exclusively. So what Apple tried to do was an end-run around the established players AND they did it using the existing installed card terminals. NOBODY piggybacks like Apple tried to do without having some major skin in the game. You try stunts like that, you are going to get your hand burned.
So, Apple is at once both another layer of middlemen interference and also potentially a contract issue for the other payment product. Apple was too late to the game. And from the store's perspective again, you have a cart full of stuff, you aren't going to just walk away, you'll probably pay with another method so they have nothing to lose really by rejecting Apple Pay. Same for GooglePay which I never saw in the wild. Whatever.
Apple has a habit of intruding on entrenched turf and taking on the existing players. They did it with phones. But payment systems are a much more spread out target where everyone has their own idea of what they want and most of them think it works just fine as is, including the customers. Nobody who mattered much was asking for NFC payments. Apple has been pushing this, suddenly, so it's up to Apple to tell everyone why they should want it. It's totally on them. Until they do that, until they make some inroads at the card terminal issuers, Apple Pay is going to be limited.
Sig for hire.
There may have been Oxford grads, but there was also the estimable Ross Anderson from cl.cam.ac.uk and his team.
The idea that CVS, RiteAid and other retail stores are taking the stance against 3rd Party NFC payment solutions struck me, initially, negatively as well. However, as a customer of CVS, I think I can see why they, at least, are opposed to Apple Pay and Google Wallet. The reason? Anonymity of the purchase.
CVS has a model where a customer is asked to present their CVS ExtraCare card. If you don't have it with you, they can look it up by phone number. Barring that, they can swipe a store card. The customer's purchases are discounted if they have earned enough ExtraCare points and they receive ExtraCare coupons based on their ExtraCare card. To a consumer, those ExtraCare coupons are golden and develop brand loyalty.
Naturally, CVS is tracking how and what the customer purchases. Linking the CC number to the holder's ExtraCare card makes sense to them. Using Apple Pay or GW eliminates all personally identifiable information during the transaction. This breaks their model at the POS terminal.
One solution is to develop a mobile app for each of the platforms they wish to support. Apple has made it difficult to track users by device during recent changes to their privacy policy. Things like the UUID, VendorID or AdvertiserID have been either eliminated or their use highly controlled. And, of course, VendorID and AdvertiserID can be reset by the user limiting their use as a tracking mechanism.
Somehow, during the NFC payment process, with all personal details stripped out of the transaction, there remains the need to transmit the user's id (like how Starbucks integrates with ApplePay and still presents a barcode that can be scanned at the POS and the account debited). I haven't analyzed their barcode myself. But, I would think that they present the Starbucks userid in some form - they seem to know what name to put the order and personalize the experience.
The downside to the approach is that the vendor has to maintain gift card info (with balances) and, possibly, the CC info (for auto-reloads, etc). Given the number of compromised POS systems at the retail outlets, they need to find a happy medium between their business model and consumer privacy and protection. We, on the other hand, prefer to have them side more with consumer privacy and protection. This is why we like Apple Pay and Google Wallet or even services such as Stripe which anonymize the CC info and protect our privacy and payment accounts.
A simple solution, if one is using magstripe cards, is to use something like Google Authenticator associated with the card. At time of payment, the user is required to enter a PIN (optional) and/or present the Google Authenticator value for their card (secret issued by the bank). This could be presented as a barcode and scanned by the POS. Heck, the CC info could be included in the barcode saving a step. The card and auth token are validated by the CC company before permitting the transaction to go through. If the connection is down, then the user must present a valid form of ID and the card so it can be processed the old fashioned way.
If a user has a rewards card, they can either present it manually or have it included in the barcode displayed by a custom app. If the user loses their phone or physical card, they can simply go to the bank's site, report the card or device stolen, and get a new secret key issued. This would, immediately, make the CC number useless as they won't be able to generate the time based token. On the flip side, it will make hacking a CC company's system a lot more valuable.
I don't know what, exactly, gets exchanged by the NFC terminal between it and a device. If customer info can be exchanged in the process of making the payment, it could prevent those retailers trying to develop their own solution and make them receptive to accept Apple Pay and GW.
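The time-based card token proposed in the comment above, sketched as an added example (not part of the original thread, and not any bank's or card network's actual protocol): an RFC 6238 code is bound to a card, the issuer checks it, refuses a replay within the same time step, and rotating the secret makes the old card-plus-secret pair useless. The `Issuer` class, the test card number and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant Google Authenticator uses."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Issuer:
    """Hypothetical card issuer holding one shared secret per card number."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window      # tolerate +/- this many steps of clock drift
        self._secrets = {}        # card number -> shared secret
        self._last_step = {}      # card number -> last accepted time step

    def enroll(self, pan: str, secret: bytes) -> None:
        self._secrets[pan] = secret
        self._last_step.pop(pan, None)

    def rotate(self, pan: str, new_secret: bytes) -> None:
        """Card or phone reported lost: issue a new secret for the same card."""
        self.enroll(pan, new_secret)

    def authorize(self, pan: str, code: str, now: int) -> bool:
        secret = self._secrets.get(pan)
        if secret is None:
            return False
        current = now // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            # A step at or before the last accepted one is a replay (this
            # check also skips negative steps near time zero).
            if candidate <= self._last_step.get(pan, -1):
                continue
            expected = totp(secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_step[pan] = candidate
                return True
        return False


def demo() -> dict:
    issuer = Issuer()
    pan = "4111111111111111"            # constructed test number, not an account
    old = b"12345678901234567890"       # RFC 6238 test secret
    new = b"constructed-new-secret"
    issuer.enroll(pan, old)

    now = 59
    code = totp(old, now)
    results = {
        "first_use": issuer.authorize(pan, code, now),
        # Same code captured at the terminal and presented again seconds later.
        "replay": issuer.authorize(pan, code, now + 5),
    }

    issuer.rotate(pan, new)
    later = now + 60
    results["old_secret_after_rotation"] = issuer.authorize(pan, totp(old, later), later)
    results["new_secret_after_rotation"] = issuer.authorize(pan, totp(new, later), later)
    return results


if __name__ == "__main__":
    print(demo())
```

The replay check is what makes a code skimmed at a compromised POS worthless for a second purchase; without it the code stays valid for the whole drift window.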
Because of the part you didn't quote.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
I don't trust Apple or Google enough to use their NFC payment systems. On the other hand, I trust a private consortium of retailers a whole lot less. So far as I'm concerned, there's still no viable NFC system on the horizon.
Yes, yes. You are a much better, nicer and more intelligent person than I because you use cash. I'll bet you're a Vegan and only watch PBS telethons.
Cash is simply inconvenient and risky. If I lose my wallet or am mugged, I can't just "turn off" my cash. It's gone and yes, it's completely my fault for losing the wallet or getting mugged. I've tried several times to put my cash into the DVD slot on my PC when buying off of Amazon. It just never works!
Transaction by NFC (at least apple pay) at this point in time, is far more secure than cash.
They should want it because WE want it. It's a customer-focused system that is more secure and convenient for the customer.
My only issue with google's system is storing my data in the cloud. I'm old enough to not trust the cloud to keep my data secure. Apple is showing up at *exactly* the right time as thousands (millions?) of people are being hacked due to the antiquated systems currently in place. Apple pay is a disruptive technology and will change the way brick-and-mortar transactions are handled.
I'm putting CVS and RiteAid in the "Ballmer" classification of forward thinkers.
No financial data travels from your phone either until you enter the PIN or scan your fingerprint.
Thank you, that was the one I was talking about. It was Cambridge, not Oxford, my bad. It made the headlines because of this http://www.cl.cam.ac.uk/~rja14...
My card has my name on it, and assorted numbers that relate to the card itself. I don't know what's on the mag strip, but I suspect it's just what's on the card. Not that it's hard to determine my address from my name and metropolitan area.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Hey. Do you do children's birthday parties?
I have a very unique name, so any document with my name on it will probably lead right back to me. This is not really a fault of said document, but more about the ease of gaining information. Anyone determined enough can find out a lot about you with minimal initial information.
Not only complain, but every time you make a purchase from any of these merchants: http://www.mcx.com/ be sure and use a credit card so they'll have to pay the processing fees. They want to gather customer information with a direct connection to our bank accounts? Fuck 'em.
None of the comments seem to address the crux of the issue. From the article: "This is huge for the merchants who are losing a significant amount of money on every credit card transaction."
Credit card fees are HUGE. Imagine if ACH deducted 2-3% of your paycheck every week. You'd scream bloody murder! The article doesn't even mention chargebacks...
I'd consider this a "shot over the bow" towards credit card fees and chargebacks. Apple or Google's system may win in the end; but Visa and Amex will need to lower their fees significantly.
No, I will not work for your startup
I've seen a proof of concept described that bypasses a lot of the physical security that is assumed to be present with NFC payments. Take two reasonably powerful and sensitive NFC transmitter/receivers, both portable and each connected to a comms device like a rooted Android phone, give one combination pair each to two people involved in the demonstration. Put one of the aerials inside a wallet, carried in the hand with the cable hidden e.g. up a sleeve. This person would be the one "paying". The other person just needs to be near the "mark" whose card is to be used to pay for the transaction, close enough for the card interrogation to take place. Create a channel where the received data at one aerial is transmitted by the other, and vice-versa. Then when the payment is requested, the shop's card reader has no way to recognise that the device being waved at it is not the actual one being interrogated for the transaction. The "mark" has no knowledge that their card was just used for a purchase. The merchant has no way to know that the transaction was fraudulent.
The same type of paired-device communication will also work to get through doors that require only a wave of a card in front of it.
So, if you want to have something that can be as easily bypassed as this in your pocket, please ensure that there is a decent Faraday cage around it to prevent signal leakage when you don't want it used.
- This sig deliberately left blank. Nothing to see, move along.
But in those cases you're talking about an NFC signal that auto-authenticates a transaction with no interaction from the user. I haven't used Google Wallet or Apple Pay yet, but it's my understanding that neither of them operates that way. Apple Pay requires that you first authorize the purchase with the use of your fingerprint, while Google Wallet, I believe, requires that you unlock your phone and confirm on-screen your intent to use your phone for a purchase.
In theory, yes, your attack would work...assuming that the protections that actually do exist didn't exist.
Biometrics, if used, should be used as usernames, not as passwords.
- This sig deliberately left blank. Nothing to see, move along.
Fair enough on Paywave and Paypass. I had forgotten about those.
But I guess I just don't understand the rest of your points. It seems like you're moving the goalposts a bit.
Why is the inability to change a fingerprint in any way relevant to this discussion? A PIN is much easier to compromise than a fingerprint, and even if my fingerprint is compromised, it only becomes a threat to me if the thief has the sophisticated means necessary to lift and reproduce my fingerprint, whereas anyone at all can reproduce my PIN with the greatest of ease.
Moreover, my inability to change my fingerprint only becomes a problem if the same thief targets me multiple times. By the time they'd manage to reproduce my fingerprint after stealing my device the first time, I'd have de-authorized the device for making transactions, meaning that the only way those fingerprints they potentially acquired would ever be useful would be if they targeted me again and stole a second device that I had configured in the same way. But at that point, we're talking about someone who not only has some pretty sophisticated techniques, but is also engaging in some pretty sophisticated attacks. It's not something that 99.9999% of us will ever have to deal with, and for those among us who do have to deal with those sorts of attacks, chip-and-PIN would fare even worse at protecting you, since you'd be immediately compromised after the first theft if they had merely looked over your shoulder at the store.