New NXP SoC Gives Android Its Apple Pay

dkatana writes: NXP, having worked with Apple on Apple Pay, is now launching its PN66T module for secure NFC mobile transactions — for Android. It's intended to implement the same functionality of Apple Pay. While NXP claims the module is OS independent, the features clearly indicate that Android devices are the likely recipients of the SoC. The PN66T is Europay, MasterCard, and Visa (EMVCo) certified, and also supports American Express ExpressPay, thus fully covering the three big credit card companies, ensuring compatibility and interoperability with existing and future payment methods.

Re:SoC?

[swimboy]

SoC is system on a chip.

Re:So Android DOESN'T have an Apple Pay equivalent

They do. It's called Google Wallet. Do literally any research, dude.

Re:So Android DOESN'T have an Apple Pay equivalent

Android has had a secure payment system, Google Wallet. Flagship Android phones used to include secure elements until Google implemented host card emulation in Android with KitKat. HCE eliminates the need for a hardware secure element. Europay, VISA and Mastercard have allowed the use of HCE for a while and American Express ExpressPay announced support for HCE a few days ago.

Re:So Android DOESN'T have an Apple Pay equivalent

[mlts]

Some devices have had a NFC based pay system. SoftCard comes to mind. It uses NFC, and an application on the SIM card, which is harder to attack than just another app on the phone.

Of course, there is the fact that SoftCard requires one to use a specific credit card... but the technology has been in place in a secure manner from the SIM card on up.

I'm just hoping Android's implemention of this is decently secure. CurrenC is waiting in the wings, and if Apple Pay and Android implementations flop, this will be waiting to become the primary payment provider... and it completely bypasses the credit card fraud protections, so if money is stolen... the consumer is stuck with the losses.

Equivalence

[DrYak]

Functionnally: They are equivalent.
- In both case, it's a payment system, and supports NFC protocol so that you can pay wirelessly just buy putting the phone next to the payment machine.

Hardware-wise: They are not exactly the same.
- Google Wallet is just a generic payment system (like PayPal, etc.) In most phone, it's simply the OS (Android) being able to talk over NFC to the payment machine. It's up to the OS and Application to hangle security any way they choose (might or might not involve hardware - most implementation do not. But some smartphone did have some form of it).
- Apple's system specifically uses a separate piece of hardware: a TPM-like chip that is secured and hardened and holds the actual banking information (which never leaves the chip). Security is by definition handled by the specific chip.The whole systems works like a wireless credit-card with a smartphone bolted next to it, the smartphone being able to act as a GUI to the credit card, but the card handling the transaction themselves.
Some Android Smartphone did in fact work exactly like that. (Had a dedicated chip which was more or less a micro credit card, which handled the NFC talk it self and the smartphone merely interfacing with the card).
- NXP is a vendor of chip that makes hardware components for payment. They've worked on Apple's chip. They are now selling this chip for android smartphone manufacturers too.

Apple's emphasis is on security: They want their "dedicated non-hackable credit-card-on-a-chip" approach.
Google's emphasis is on making the technology available everywhere. High end phone will have a chip, low-end phone will simply emulate a virtual credit card by having a piece of software talk over NFC. But it's going to be available as widely as possible.

From a security point of view:
Meh.
Google's idea isn't the most secure ever: it rellies on the OS being good at correctly isolating and sandboxing apps. But bugs happen.
Apple's idea isn't perfect either. In theory, a separate piece of hardware is easier to make tamper proof. In practice, it's just a subpart of the same piece of silicon as the rest of the system (they are SoC. System-on-chip. Nearly the whole modern smartphone is a single chip) hacker are bound to find a way to leak sensitive data (I mean, for fuck's sake: hackers have been able to deduce GPG private key by reading signals leaking out of a compute. Noise. Captured by a smartphone's mic. If they can steal your crypto just by listening caps singing over a crappy mic, do you really think that a core on the same piece of silicon is isolated enough ?!)

(Ref)

[DrYak]

I mean, for fuck's sake: hackers have been able to deduce GPG private key by reading signals leaking out of a compute. Noise. Captured by a smartphone's mic.

Ref

Re:So Android DOESN'T have an Apple Pay equivalent

[tlhIngan]

by mmell (832646) Alter Relationship on Friday November 07, 2014 @02:42PM (#48337609)

It's also shared with your vendor and your credit card company. Same holds true if you use ISIS wallet - someone who is not either your vendor or your credit card provider has access to your credit and purchase information. Guess what - if you use Apple's wallet app, Apple will have access to your purchase data - or did you think Apple just hired all of the world's best psychics and decided to take 'em on faith?
But don't worry - you just go ahead and enjoy your applesauce.

Except Apple doesn't.

Apple Pay is a virtual credit card. Google Pay is a debit account linked to a credit card.

When you use Apple Pay, the transaction details are between your bank and the retailer - Apple's involvement is in the set up part of the equation. Just like a credit card.

When you use Google Pay, the retailer hits your debit card (a virtual one when you set up Google Wallet), who then talks to Google to get funds to transfer to the account. Google gets all the transaction details because it's involved in the transaction.

That's the difference - Apple isn't involved at all in the transaction, and I'm sure that's true because every Android fanboy around is going to verify that fact for everyone.

It's also why Apple Pay counts as a card-present transaction, and Google Wallet doesn't.

NFC alone isn't enough

[m.dillon]

You need NFC (which many Android devices have had for years)... but you also need an actual secure chip (not a software emulation or intermediary), and the ability to initiate payment without having to turn on the phone or type in a security code (i.e. a fingerprint reader), and you have to be able to do it with the phone locked and turned off (meaning you need low power hardware to detect the NFC and wake the phone up). And then you need the OS integration to make it all work together seemlessly. And it has to not leak information to anyone except your bank which obviously needs to have the information anyway... and there is no smart phone app on the market other than ApplePay which can make that guarantee. Certainly not Google Wallet. Or CurrentC. Or anything else. And it's better than chip-and-pin and tap-to-pay which both have physical security issues (though they are much better than mag stripe).

Android is missing too many pieces and it will be at least 1-2 years before it has them all. And even then there will be such a huge percentage of *new* android phones that won't have all the pieces that it will only create mass confusion for the general consumer.

The reason Google Wallet has been a failure to-date is that it (and all other smartphone-based payment systems except ApplePay) is simply not convenient to use compared to swiping a credit card. The reason ApplePay became the #1 smartphone payment mechanism overnight is because it's utterly trivial and convenient to use.

It took me exactly 3 seconds at the local Whole Foods to pull out my phone, tap it with my finger on the finger print reader, and put it back in my pocket. It takes me about as long to swipe my card if I don't have to sign, but half the time I do have to sign so ApplePay immediately wins because I never have to sign (at least not so far).

Eventually all smart phones will do it the Apple way. For now, though, and for the next 1-2 years at a minimum, Apple is the only smartphone game in town that actually works well. Chip-and-pin and tap-to-pay cards work almost as well... they can even be more convenient in some situations, but they don't cover all the security bases.

-Matt

Re:NXP is a huge secure element provider.

[BronsCon]

Actually, everybody had USB when the Mac had Firewire. Eventually, Apple caved in and added USB, then added USB support to the iPod, which was initially Firewire-only.

Re: NXP is a huge secure element provider.

Umm, no.

Apple was the first vendor to ship machines that were USB only for peripherals. At that point USB had been on the market 2-3 years with virtually zero uptake.

They boot-strapped the market for USB peripherals , by shipping a lot of machines that were USB only. It would have languished for at least another 3-5 years otherwise , if not longer.

FireWire did not come on the scene from Apple for 2 years after that.