New NXP SoC Gives Android Its Apple Pay
dkatana writes: NXP, having worked with Apple on Apple Pay, is now launching its PN66T module for secure NFC mobile transactions — for Android. It's intended to implement the same functionality as Apple Pay. While NXP claims the module is OS independent, the features clearly indicate that Android devices are the likely recipients of the SoC. The PN66T is Europay, MasterCard, and Visa (EMVCo) certified, and also supports American Express ExpressPay, thus fully covering the three big credit card companies, ensuring compatibility and interoperability with existing and future payment methods.
Software on Chip? It would be good if things were better defined in the summary.
NXP making a secure element for any OS is about as shocking as nVidia making a GPU.
That is what they do.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
They do. It's called Google Wallet. Do literally any research, dude.
I have a credit card since I am allowed to have one. I use it for all my purchases. It has never been cloned or compromised. New versions with chip and pin seem secure enough. Even if it wasn't, I am not liable in case of fraud. So why would I want another payment system that would be more secure? At least my credit card doesn't run out of juice after 1-2 days in my pocket.
Android has had a secure payment system, Google Wallet. Flagship Android phones used to include secure elements until Google implemented host card emulation in Android with KitKat. HCE eliminates the need for a hardware secure element. Europay, VISA and Mastercard have allowed the use of HCE for a while and American Express ExpressPay announced support for HCE a few days ago.
In my understanding of the Android docs and this blog, yes it can have one; Google Wallet uses the hardware secure element on supported devices. Recent Android releases added APIs too, for applications to emulate cards without access to the secure element, pure CPU based implementations, less secure but still an option.
Jeez, it's almost like an open software ecosystem can have a lot of variation.
Can you believe that there are droids with no cameras or touchscreens? Some aren't even phones!
The only people that won't like this are the companies pushing CurrentC and the scammers stealing credit card numbers.
It's a good thing for both Apple and Android users as it will help push the marketplace towards supporting sane and safe and private credit card transactions.
Some devices have had an NFC-based pay system. SoftCard comes to mind. It uses NFC, and an application on the SIM card, which is harder to attack than just another app on the phone.
Of course, there is the fact that SoftCard requires one to use a specific credit card... but the technology has been in place in a secure manner from the SIM card on up.
I'm just hoping Android's implementation of this is decently secure. CurrentC is waiting in the wings, and if Apple Pay and Android implementations flop, this will be waiting to become the primary payment provider... and it completely bypasses the credit card fraud protections, so if money is stolen... the consumer is stuck with the losses.
>> The only people that won't like this are the companies pushing CurrentC and the scammers stealing credit card numbers.
If only! With CurrentC, they'd be out to steal bank account / debit card numbers; which is way worse...
>> HCE eliminates the need for a hardware secure element.
If you think that some software sandboxing is the equivalent of a "secure enclave" chip in terms of secure-ness, you're sadly mistaken.
>> Android has had a secure payment system, Google Wallet.
Purchase data is shared with Google. By definition that is not secure.
We have only had this functionality since NFC came out three years ago with Google Wallet. The Japanese had it for almost 10.
Apple drags the US mass market out with marketing and making it so your grandmother can do it.
>> HCE eliminates the need for a hardware secure element.
>> If you think that some software sandboxing is the equivalent of a "secure enclave" chip in terms of secure-ness, you're sadly mistaken.
I was under the impression that where phones have hardware (e.g. Nexus 5) it'll use it, and it provides emulation elsewhere so that Wallet can work across all Android devices with NFC, and the idea was to broaden support for the platform, not to say emulation is better or even preferred.
Not exactly. What Google has been doing was acting as a "cloud" intermediary. This works fine as a protection mechanism but utterly fails as an "improvement". Likewise the "Banks" want HCE so they can roll out their own apps and bypass carriers, while the Carriers want SIM-based NFC SE's so they get a cut of the transactions.
HCE is a non-starter because "cloud" storage is not secure. The biometric can be completely bypassed. Likewise SIM-based SE's get bypassed by taking the SIM card out of the device and putting it in another. Both are more secure than physically handing the card over to be swiped, and marginally better than straight chip+pin, since anyone who knows your PIN can use a chip+pin card. A biometric-based security (there's more than one way BTW. Using the camera on the phone can be a poor man's biometric applied against a face recognition, but it can be fooled with a photo. Replicating a fingerprint or blood requires technology that doesn't really exist in any practical sense, when a thief would save time by cutting off the finger.)
Not terribly. It's a lot harder to USE stolen banking numbers. You can't just punch the banking numbers into something and withdraw money, you have to have another US banking account... and write fake checks or something with it, which are then held. No, the biggest flaw with CurrentC is taking that information and putting it on someone else's identity, and then using that stolen identity to commit fraud.
CurrentC's plan is ripe for identity theft, any solution that involves tracking consumer habits is. If such systems were being used to detect fraud I could probably get on board with it, but that has never been the case except with PayPal. PayPal already knows more about you than you think. Any name, address, credit card, bank account, billing address that you have ever used since inception is stored.
Functionally: They are equivalent.
- In both cases, it's a payment system, and supports NFC protocol so that you can pay wirelessly just by putting the phone next to the payment machine.
Hardware-wise: They are not exactly the same.
- Google Wallet is just a generic payment system (like PayPal, etc.) In most phones, it's simply the OS (Android) being able to talk over NFC to the payment machine. It's up to the OS and Application to handle security any way they choose (might or might not involve hardware - most implementations do not. But some smartphones did have some form of it).
- Apple's system specifically uses a separate piece of hardware: a TPM-like chip that is secured and hardened and holds the actual banking information (which never leaves the chip). Security is by definition handled by the specific chip. The whole system works like a wireless credit-card with a smartphone bolted next to it, the smartphone being able to act as a GUI to the credit card, but the card handling the transactions itself.
Some Android smartphones did in fact work exactly like that. (Had a dedicated chip which was more or less a micro credit card, which handled the NFC talk itself and the smartphone merely interfacing with the card).
- NXP is a chip vendor that makes hardware components for payment. They've worked on Apple's chip. They are now selling this chip to Android smartphone manufacturers too.
Apple's emphasis is on security: They want their "dedicated non-hackable credit-card-on-a-chip" approach.
Google's emphasis is on making the technology available everywhere. High-end phones will have a chip, low-end phones will simply emulate a virtual credit card by having a piece of software talk over NFC. But it's going to be available as widely as possible.
From a security point of view:
Meh.
Google's idea isn't the most secure ever: it relies on the OS being good at correctly isolating and sandboxing apps. But bugs happen.
Apple's idea isn't perfect either. In theory, a separate piece of hardware is easier to make tamper proof. In practice, it's just a subpart of the same piece of silicon as the rest of the system (they are SoC. System-on-chip. Nearly the whole modern smartphone is a single chip) hackers are bound to find a way to leak sensitive data (I mean, for fuck's sake: hackers have been able to deduce a GPG private key by reading signals leaking out of a computer. Noise. Captured by a smartphone's mic. If they can steal your crypto just by listening to caps singing over a crappy mic, do you really think that a core on the same piece of silicon is isolated enough ?!)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
So another quick-pay scheme, intended to snoop a few seconds off the time it takes to do a payment (and a few percent of the money..) Now if they would implement a quick-get-rich scheme the same way I would be all ears :)
"Fix it? It has been disintegrated, by definition it cannot be fixed!" - Gru in Despicable Me.
Now if only there were some vendors around town actually accepting tap-to-pay . . . :^S
>> If you think that some software sandboxing is the equivalent of a "secure enclave" chip in terms of secure-ness, you're sadly mistaken.
If you think that a "secure enclave" is really secure, when it's implemented as a SEPARATE CORE ON THE SAME FUCKING SILICON, you really don't believe in SIGINT.
In a world where scientists have been able to guess a GPG private key just by analysing signals.
Acoustic signals: Noise.
Over a smartphone's crappy mic.
(Ref).
Do you really think that a "secure" core on the same piece of silicon stands any chance?
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Guess what - if you use Apple's wallet app, Apple will have access to your purchase data - or did you think Apple just hired all of the world's best psychics and decided to take 'em on faith?
Well, Apple "has access" in the sense that the data is there and they could upload it to their servers, but they won't. (You could argue that iCloud backup does so, but not in a way that they're collecting...)
>> I mean, for fuck's sake: hackers have been able to deduce a GPG private key by reading signals leaking out of a computer. Noise. Captured by a smartphone's mic.
Ref
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Except Apple doesn't.
Apple Pay is a virtual credit card. Google Pay is a debit account linked to a credit card.
When you use Apple Pay, the transaction details are between your bank and the retailer - Apple's involvement is in the set up part of the equation. Just like a credit card.
When you use Google Pay, the retailer hits your debit card (a virtual one when you set up Google Wallet), who then talks to Google to get funds to transfer to the account. Google gets all the transaction details because it's involved in the transaction.
That's the difference - Apple isn't involved at all in the transaction, and I'm sure that's true because every Android fanboy around is going to verify that fact for everyone.
It's also why Apple Pay counts as a card-present transaction, and Google Wallet doesn't.
You need NFC (which many Android devices have had for years)... but you also need an actual secure chip (not a software emulation or intermediary), and the ability to initiate payment without having to turn on the phone or type in a security code (i.e. a fingerprint reader), and you have to be able to do it with the phone locked and turned off (meaning you need low power hardware to detect the NFC and wake the phone up). And then you need the OS integration to make it all work together seamlessly. And it has to not leak information to anyone except your bank which obviously needs to have the information anyway... and there is no smart phone app on the market other than ApplePay which can make that guarantee. Certainly not Google Wallet. Or CurrentC. Or anything else. And it's better than chip-and-pin and tap-to-pay which both have physical security issues (though they are much better than mag stripe).
Android is missing too many pieces and it will be at least 1-2 years before it has them all. And even then there will be such a huge percentage of *new* android phones that won't have all the pieces that it will only create mass confusion for the general consumer.
The reason Google Wallet has been a failure to-date is that it (and all other smartphone-based payment systems except ApplePay) is simply not convenient to use compared to swiping a credit card. The reason ApplePay became the #1 smartphone payment mechanism overnight is because it's utterly trivial and convenient to use.
It took me exactly 3 seconds at the local Whole Foods to pull out my phone, tap it with my finger on the fingerprint reader, and put it back in my pocket. It takes me about as long to swipe my card if I don't have to sign, but half the time I do have to sign so ApplePay immediately wins because I never have to sign (at least not so far).
Eventually all smart phones will do it the Apple way. For now, though, and for the next 1-2 years at a minimum, Apple is the only smartphone game in town that actually works well. Chip-and-pin and tap-to-pay cards work almost as well... they can even be more convenient in some situations, but they don't cover all the security bases.
-Matt
CurrentC has no chance of becoming the primary anything. It uses QR codes for god's sake... virtually nobody will use it, no matter how much the merchants try to push it. It's already DOA and it hasn't even been officially launched yet.
-Matt
Access to the hardware secure element in Android phones is blocked by all carriers except Sprint. Because of this, even on phones with secure elements, host card emulation is used instead of the secure element.
Beyond initial setup where you enter your card info and Apple's servers negotiate with your banks to get your secure tokens (which are then stored in the secure enclave of your hardware itself), Apple does not know anything about your transactions. The transactions are between you, the vendor, and your card issuer, as with any CC purchase.
>> Apple will have access to your purchase data
No they don't. Maybe try actually educating yourself before spouting off on a topic.
Big difference between VISA and my bank having my purchase data and me handing it over to an advertising company like Google. Never going to happen.
Most mid and high end Android phones still use the secure element, which is also used for storing things like encryption keys. They are very cheap these days, much like how most business oriented laptops have TPM because it costs so little to implement.
HCE is so that very cheap phones can still do payments with Google Wallet. That will be really important in places like China, Asia and South America.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I certainly hope using QR "bar" codes isn't the reason CurrentC dies. QR codes have been used for payments on large scales in some places (of note, Japan). What should kill CurrentC is the complete lack of liability protection; the payment processor has no liability for breaches (therefore there won't be any security), while the consumer will be liable for all transactions. I suppose the end result is the same, but the latter seems rather more significant to me.
I was just at Walgreens and saw a small Apple Pay logo on the checkout screen for the first time.
It made me smile.
http://Lenny.com
CurrentC is fighting against another thing though: the existing plastic credit cards. Scanning a QR code is far more awkward than just pulling out the bloody card from your wallet and waving it above the RFID sensor.
in the form of higher merchant fees. A substantial amount of the fees Card Issuers and Merchant Banks charge is to cover the inevitable fraud. Cut that down and the merchants get charged less (there's tonnes of competition in the payment world, contrary to popular belief. Just look at Square). Merchants that get charged less are likely to pass less of those fees on to you. So there you go.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The idea was to open up access to other card providers. With the secure element being in hardware, operators were controlling the provisioning, so only very few phones came provisioned for Google Wallet, and none with major credit card companies, because those companies won't bend over and accept the operators' demands for a cut.
>> It's also why Apple Pay counts as a card-present transaction, and Google Wallet doesn't.
From the retailer's perspective, actually, it does, as the virtual card Google Wallet presents is just as present as the details presented by Apple Pay. On Google's end, when they charge your card, it is not, so I guess you're partially correct. Assuming, of course, that you're funding your purchase with a credit card; it's a moot point if it's coming out of checking.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Man, is there any more sure-fire way to sound like a *complete* douche than to say "try educating yourself" in any conversation? I sure don't think so.
Supporting documentation?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
So when presented with some people claiming that Android already has a feature and one article indirectly claiming that it doesn't, the mindless Apple fanboi unquestioningly latches on to the version that paints Android in a negative light. What a shocker.
HCE was implemented mainly to force Google Wallet on Verizon. Verizon refused to activate the secure elements on their phones; instead ISIS used a secure element on their SIM cards, which they refused to allow Google Wallet to access.
Personally, it's really annoying to me that they did this with KitKat. I used to enjoy NFC payment with my phone that has a secure element, but then Google switched to the software method and my phone won't be updated. They discontinued Google Wallet service for secure element phones back in April. Now I have to use my card again.
Long story short, I'm pissed that by 'upgrading' they took a feature I had and regularly used away.
When you're wrong all you have left is insults.
>> When you're wrong all you have left is insults.
True. Especially insults like "try educating yourself".
Yep, if the payment thing requires the user to launch an app it's dead in the water as an everyday debit/credit card replacement.
Really the simplest is to just build phone cases/backplates with compartments for the contactless credit cards. Everybody happy, can put any card you want in there, the Hong Kong metro card or whatever (that you can buy booze with).
And to put things into perspective, mobile phone tied paying has been tried to bring into the mainstream for the past 15 years, since the Nokia 7110.
And for various reasons this chip doesn't change the game at all, not on Android and not on any - and the title is misinformed.
From a 'I did not make that purchase, reverse the charges, please' perspective ?
They might not have the complete details, but some they must have - how else make sure they get their percentage? Can't see Apple blindly trusting the card companies on a money issue...
The problem with HCE is provisioning. In order for HCE to work the issuing bank needs to develop their application, have a cloud hosting service for tokenization and the phone needs to be connected to the internet.
The PN66T solves all those issues handling security on the chip. Provisioning of the credit card is done once and then an encrypted version of the card is stored on the phone.
http://blog.bitpay.com/2014/11/04/bitcoin-checkout-one-tap-mobile-bitcoin-payments.html
Yes, I understand the downsides of less merchant acceptance but there are plenty of upsides as well for everyone.
Orders can be priced in 150+ currencies, and past payment information is only a few taps away.
We’re now rolling out the app to every mobile market worldwide, in the 40 languages spoken by 99.99% of the world’s population.
LOL, I think pherthyl would have been better going with 'you're as thick as shit, Android weenie'.
You better be using cash for all your transactions if you care about purchase history.
Your history, unless you are doing something shameful, is not what people are after. They want access to your accounts and PH does not provide that.
Weird, since both Apple Pay and Google Wallet carry the same costs for transaction.
It is kind of hard to claim that for GW since you have to claim that, on top of someone stealing your device, they also have to have your wallet pin. Then you have to explain why you did not suspend your wallet account when the device was stolen.
Furthermore, you will probably get stuck with the charge if you failed to encrypt your device since you had the least secure technology in the chain of the transaction.
Now I almost feel bad for tearing you apart so bad in that other post. Almost.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.