Slashdot Mirror


New NXP SoC Gives Android Its Apple Pay

dkatana writes: NXP, having worked with Apple on Apple Pay, is now launching its PN66T module for secure NFC mobile transactions — for Android. It's intended to implement the same functionality as Apple Pay. While NXP claims the module is OS independent, the features clearly indicate that Android devices are the likely recipients of the SoC. The PN66T is Europay, MasterCard, and Visa (EMVCo) certified, and also supports American Express ExpressPay, thus fully covering the three big credit card companies, ensuring compatibility and interoperability with existing and future payment methods.


  1. NXP is a huge secure element provider. by LWATCDR · · Score: 4, Insightful

    NXP making a secure element for any OS is about as shocking as nVidia making a GPU.
    That is what they do.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    1. Re:NXP is a huge secure element provider. by i+kan+reed · · Score: 2

      Yeah, but see, since the Apple marketing machine finally got around to making "replacing your credit cards" an essential feature of smartphones (in the US), everyone who already had all the tech to do it is eager to be the public face of doing it on Android.

      nVidia making GPUs would be "news" if somehow it became popular and cool to discuss GPUs in public.

    2. Re:NXP is a huge secure element provider. by BronsCon · · Score: 2, Informative

      Actually, everybody had USB when the Mac had Firewire. Eventually, Apple caved in and added USB, then added USB support to the iPod, which was initially Firewire-only.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re: NXP is a huge secure element provider. by Anonymous Coward · · Score: 2, Informative

      Umm, no.

      Apple was the first vendor to ship machines that were USB only for peripherals. At that point USB had been on the market 2-3 years with virtually zero uptake.

      They boot-strapped the market for USB peripherals, by shipping a lot of machines that were USB only. It would have languished for at least another 3-5 years otherwise, if not longer.

      FireWire did not come on the scene from Apple for 2 years after that.

  2. Re:SoC? by swimboy · · Score: 4, Informative

    SoC is system on a chip.

    --
    Ask me how the Heisenberg Principle may or may not have saved my life.
  3. Re:So Android DOESN'T have an Apple Pay equivalent by Anonymous Coward · · Score: 5, Informative

    They do. It's called Google Wallet. Do literally any research, dude.

  4. Why should I care? by danbob999 · · Score: 3, Funny

    I have a credit card since I am allowed to have one. I use it for all my purchases. It has never been cloned or compromised. New versions with chip and pin seem secure enough. Even if it wasn't, I am not liable in case of a fraud. So why would I want another payment system that would be more secure? At least my credit card doesn't run out of juice after 1-2 days in my pocket.

  5. Re:So Android DOESN'T have an Apple Pay equivalent by Anonymous Coward · · Score: 5, Informative

    Android has had a secure payment system, Google Wallet. Flagship Android phones used to include secure elements until Google implemented host card emulation in Android with KitKat. HCE eliminates the need for a hardware secure element. Europay, VISA and Mastercard have allowed the use of HCE for a while and American Express ExpressPay announced support for HCE a few days ago.

  6. Re:So Android DOESN'T have an Apple Pay equivalent by mlts · · Score: 3, Informative

    Some devices have had a NFC based pay system. SoftCard comes to mind. It uses NFC, and an application on the SIM card, which is harder to attack than just another app on the phone.

    Of course, there is the fact that SoftCard requires one to use a specific credit card... but the technology has been in place in a secure manner from the SIM card on up.

    I'm just hoping Android's implementation of this is decently secure. CurrentC is waiting in the wings, and if Apple Pay and Android implementations flop, this will be waiting to become the primary payment provider... and it completely bypasses the credit card fraud protections, so if money is stolen... the consumer is stuck with the losses.

  7. Equivalence by DrYak · · Score: 4, Informative

    Functionally: They are equivalent.
    - In both cases, it's a payment system, and supports the NFC protocol so that you can pay wirelessly just by putting the phone next to the payment machine.

    Hardware-wise: They are not exactly the same.
    - Google Wallet is just a generic payment system (like PayPal, etc.) In most phones, it's simply the OS (Android) being able to talk over NFC to the payment machine. It's up to the OS and Application to handle security any way they choose (might or might not involve hardware - most implementations do not. But some smartphones did have some form of it).
    - Apple's system specifically uses a separate piece of hardware: a TPM-like chip that is secured and hardened and holds the actual banking information (which never leaves the chip). Security is by definition handled by the specific chip. The whole system works like a wireless credit-card with a smartphone bolted next to it, the smartphone being able to act as a GUI to the credit card, but the card handling the transactions itself.
    Some Android smartphones did in fact work exactly like that. (Had a dedicated chip which was more or less a micro credit card, which handled the NFC talk itself and the smartphone merely interfacing with the card).
    - NXP is a chip vendor that makes hardware components for payment. They've worked on Apple's chip. They are now selling this chip for Android smartphone manufacturers too.

    Apple's emphasis is on security: They want their "dedicated non-hackable credit-card-on-a-chip" approach.
    Google's emphasis is on making the technology available everywhere. High-end phones will have a chip, low-end phones will simply emulate a virtual credit card by having a piece of software talk over NFC. But it's going to be available as widely as possible.

    From a security point of view:
    Meh.
    Google's idea isn't the most secure ever: it relies on the OS being good at correctly isolating and sandboxing apps. But bugs happen.
    Apple's idea isn't perfect either. In theory, a separate piece of hardware is easier to make tamper proof. In practice, it's just a subpart of the same piece of silicon as the rest of the system (they are SoCs. System-on-chip. Nearly the whole modern smartphone is a single chip). Hackers are bound to find a way to leak sensitive data (I mean, for fuck's sake: hackers have been able to deduce a GPG private key by reading signals leaking out of a computer. Noise. Captured by a smartphone's mic. If they can steal your crypto just by listening to caps singing over a crappy mic, do you really think that a core on the same piece of silicon is isolated enough?!)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  8. Welcome to SIGINT by DrYak · · Score: 2

    If you think that some software sandboxing is the equivalent of a "secure enclave" chip in terms of secure-ness, you're sadly mistaken.

    If you think that a "secure enclave" is really secure, when it's implemented as a SEPARATE CORE ON THE SAME FUCKING SILICON, you really don't believe in SIGINT.
    In a world where scientists have been able to guess a GPG private key just by analysing signals.
    Acoustic signals: Noise.
    Over a smartphone's crappy mic.
    (Ref).
    Do you really think that a "secure" core on the same piece of silicon stands any chance?

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Welcome to SIGINT by Anonymous Coward · · Score: 2, Interesting

      Not to say that secure elements are totally and completely secure, but they're more secure than crypto implemented in software (as your link so generously shows). They may both be vulnerable to government agencies, but software elements are vulnerable to casual physical (or remote, possibly) access to the device.

      Side channel attacks on secure elements are not at all new. NXP et al actually design these chips with them in mind.

      Your argument is comparing apples to oranges: because a gun was able to shoot through a T shirt (with chainmail printed on it), a purpose-built bulletproof vest is useless!

  9. (Ref) by DrYak · · Score: 4, Informative

    I mean, for fuck's sake: hackers have been able to deduce a GPG private key by reading signals leaking out of a computer. Noise. Captured by a smartphone's mic.

    Ref

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  10. Re:So Android DOESN'T have an Apple Pay equivalent by tlhIngan · · Score: 3, Informative

    by mmell (832646) on Friday November 07, 2014 @02:42PM (#48337609)

    It's also shared with your vendor and your credit card company. Same holds true if you use ISIS wallet - someone who is not either your vendor or your credit card provider has access to your credit and purchase information. Guess what - if you use Apple's wallet app, Apple will have access to your purchase data - or did you think Apple just hired all of the world's best psychics and decided to take 'em on faith?
    But don't worry - you just go ahead and enjoy your applesauce.

    Except Apple doesn't.

    Apple Pay is a virtual credit card. Google Pay is a debit account linked to a credit card.

    When you use Apple Pay, the transaction details are between your bank and the retailer - Apple's involvement is in the set up part of the equation. Just like a credit card.

    When you use Google Pay, the retailer hits your debit card (a virtual one when you set up Google Wallet), who then talks to Google to get funds to transfer to the account. Google gets all the transaction details because it's involved in the transaction.

    That's the difference - Apple isn't involved at all in the transaction, and I'm sure that's true because every Android fanboy around is going to verify that fact for everyone.

    It's also why Apple Pay counts as a card-present transaction, and Google Wallet doesn't.

  11. NFC alone isn't enough by m.dillon · · Score: 2, Informative

    You need NFC (which many Android devices have had for years)... but you also need an actual secure chip (not a software emulation or intermediary), and the ability to initiate payment without having to turn on the phone or type in a security code (i.e. a fingerprint reader), and you have to be able to do it with the phone locked and turned off (meaning you need low power hardware to detect the NFC and wake the phone up). And then you need the OS integration to make it all work together seamlessly. And it has to not leak information to anyone except your bank which obviously needs to have the information anyway... and there is no smart phone app on the market other than ApplePay which can make that guarantee. Certainly not Google Wallet. Or CurrentC. Or anything else. And it's better than chip-and-pin and tap-to-pay which both have physical security issues (though they are much better than mag stripe).

    Android is missing too many pieces and it will be at least 1-2 years before it has them all. And even then there will be such a huge percentage of *new* android phones that won't have all the pieces that it will only create mass confusion for the general consumer.

    The reason Google Wallet has been a failure to-date is that it (and all other smartphone-based payment systems except ApplePay) is simply not convenient to use compared to swiping a credit card. The reason ApplePay became the #1 smartphone payment mechanism overnight is because it's utterly trivial and convenient to use.

    It took me exactly 3 seconds at the local Whole Foods to pull out my phone, tap it with my finger on the finger print reader, and put it back in my pocket. It takes me about as long to swipe my card if I don't have to sign, but half the time I do have to sign so ApplePay immediately wins because I never have to sign (at least not so far).

    Eventually all smart phones will do it the Apple way. For now, though, and for the next 1-2 years at a minimum, Apple is the only smartphone game in town that actually works well. Chip-and-pin and tap-to-pay cards work almost as well... they can even be more convenient in some situations, but they don't cover all the security bases.

    -Matt

    1. Re:NFC alone isn't enough by DigitAl56K · · Score: 3, Interesting

      The reason Google Wallet has been a failure to-date is that it (and all other smartphone-based payment systems except ApplePay) is simply not convenient to use compared to swiping a credit card.

      Bullshit. There is virtually no difference in the operation of either system except one has a fingerprint reader.

      The reason ApplePay became the #1 smartphone payment mechanism overnight is because it's utterly trivial and convenient to use.

      More bullshit. The reason ApplePay became the #1 mechanism overnight is because Apple leveraged their marketing and the media around it. Google hasn't ever done the same. In fact, it would be easy to be oblivious to the fact that Google Wallet even exists - it's almost as if Google doesn't give a crap in terms of marketing it (who knows why..)

      It took me exactly 3 seconds at the local Whole Foods to pull out my phone, tap it with my finger on the finger print reader, and put it back in my pocket.

      It takes me no more time to use Google Wallet.

  12. Re:SoC? by AndyKron · · Score: 2

    I'm old. I'm still at ASIC running DOS.

  13. You're still paying for the fraud by rsilvergun · · Score: 2

    in the form of higher merchant fees. A substantial amount of the fees Card Issuers and Merchant Banks charge is to cover the inevitable fraud. Cut that down and the merchants get charged less (there's tonnes of competition in the payment world, contrary to popular belief. Just look at Square). Merchants who get charged less are likely to pass less of those fees on to you. So there you go.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  14. NFC Bitcoin Checkout is more secure by codebonobo · · Score: 2

    http://blog.bitpay.com/2014/11/04/bitcoin-checkout-one-tap-mobile-bitcoin-payments.html

    Yes, I understand the downsides of less merchant acceptance but there are plenty of upsides as well for everyone.

    Orders can be priced in 150+ currencies, and past payment information is only a few taps away.

    We’re now rolling out the app to every mobile market worldwide, in the 40 languages spoken by 99.99% of the world’s population.