New NXP SoC Gives Android Its Apple Pay

dkatana writes: NXP, having worked with Apple on Apple Pay, is now launching its PN66T module for secure NFC mobile transactions — for Android. It's intended to implement the same functionality of Apple Pay. While NXP claims the module is OS independent, the features clearly indicate that Android devices are the likely recipients of the SoC. The PN66T is Europay, MasterCard, and Visa (EMVCo) certified, and also supports American Express ExpressPay, thus fully covering the three big credit card companies, ensuring compatibility and interoperability with existing and future payment methods.

NXP is a huge secure element provider.

[LWATCDR]

NXP making a secure element for any OS is about as shocking as nVidia making a GPU.
That is what they do.

Re:SoC?

[swimboy]

SoC is system on a chip.

Re:So Android DOESN'T have an Apple Pay equivalent

They do. It's called Google Wallet. Do literally any research, dude.

Why should I care?

[danbob999]

I have a credit card since I am allowed to have one. I use it for all my purchase. It has never been cloned or compromised. New versions with chip and pin seems secure enough. Even if it wasn't, I am not liable in case of a fraud. So why would I want another payment system that would be more secure? At least my credit card doesn't run out of juice after 1-2 days in my pocket.

Re:So Android DOESN'T have an Apple Pay equivalent

Android has had a secure payment system, Google Wallet. Flagship Android phones used to include secure elements until Google implemented host card emulation in Android with KitKat. HCE eliminates the need for a hardware secure element. Europay, VISA and Mastercard have allowed the use of HCE for a while and American Express ExpressPay announced support for HCE a few days ago.

Re:So Android DOESN'T have an Apple Pay equivalent

[mlts]

Some devices have had a NFC based pay system. SoftCard comes to mind. It uses NFC, and an application on the SIM card, which is harder to attack than just another app on the phone.

Of course, there is the fact that SoftCard requires one to use a specific credit card... but the technology has been in place in a secure manner from the SIM card on up.

I'm just hoping Android's implemention of this is decently secure. CurrenC is waiting in the wings, and if Apple Pay and Android implementations flop, this will be waiting to become the primary payment provider... and it completely bypasses the credit card fraud protections, so if money is stolen... the consumer is stuck with the losses.

Equivalence

[DrYak]

Functionnally: They are equivalent.
- In both case, it's a payment system, and supports NFC protocol so that you can pay wirelessly just buy putting the phone next to the payment machine.

Hardware-wise: They are not exactly the same.
- Google Wallet is just a generic payment system (like PayPal, etc.) In most phone, it's simply the OS (Android) being able to talk over NFC to the payment machine. It's up to the OS and Application to hangle security any way they choose (might or might not involve hardware - most implementation do not. But some smartphone did have some form of it).
- Apple's system specifically uses a separate piece of hardware: a TPM-like chip that is secured and hardened and holds the actual banking information (which never leaves the chip). Security is by definition handled by the specific chip.The whole systems works like a wireless credit-card with a smartphone bolted next to it, the smartphone being able to act as a GUI to the credit card, but the card handling the transaction themselves.
Some Android Smartphone did in fact work exactly like that. (Had a dedicated chip which was more or less a micro credit card, which handled the NFC talk it self and the smartphone merely interfacing with the card).
- NXP is a vendor of chip that makes hardware components for payment. They've worked on Apple's chip. They are now selling this chip for android smartphone manufacturers too.

Apple's emphasis is on security: They want their "dedicated non-hackable credit-card-on-a-chip" approach.
Google's emphasis is on making the technology available everywhere. High end phone will have a chip, low-end phone will simply emulate a virtual credit card by having a piece of software talk over NFC. But it's going to be available as widely as possible.

From a security point of view:
Meh.
Google's idea isn't the most secure ever: it rellies on the OS being good at correctly isolating and sandboxing apps. But bugs happen.
Apple's idea isn't perfect either. In theory, a separate piece of hardware is easier to make tamper proof. In practice, it's just a subpart of the same piece of silicon as the rest of the system (they are SoC. System-on-chip. Nearly the whole modern smartphone is a single chip) hacker are bound to find a way to leak sensitive data (I mean, for fuck's sake: hackers have been able to deduce GPG private key by reading signals leaking out of a compute. Noise. Captured by a smartphone's mic. If they can steal your crypto just by listening caps singing over a crappy mic, do you really think that a core on the same piece of silicon is isolated enough ?!)

(Ref)

[DrYak]

I mean, for fuck's sake: hackers have been able to deduce GPG private key by reading signals leaking out of a compute. Noise. Captured by a smartphone's mic.

Ref

Re:So Android DOESN'T have an Apple Pay equivalent

[tlhIngan]

by mmell (832646) Alter Relationship on Friday November 07, 2014 @02:42PM (#48337609)

It's also shared with your vendor and your credit card company. Same holds true if you use ISIS wallet - someone who is not either your vendor or your credit card provider has access to your credit and purchase information. Guess what - if you use Apple's wallet app, Apple will have access to your purchase data - or did you think Apple just hired all of the world's best psychics and decided to take 'em on faith?
But don't worry - you just go ahead and enjoy your applesauce.

Except Apple doesn't.

Apple Pay is a virtual credit card. Google Pay is a debit account linked to a credit card.

When you use Apple Pay, the transaction details are between your bank and the retailer - Apple's involvement is in the set up part of the equation. Just like a credit card.

When you use Google Pay, the retailer hits your debit card (a virtual one when you set up Google Wallet), who then talks to Google to get funds to transfer to the account. Google gets all the transaction details because it's involved in the transaction.

That's the difference - Apple isn't involved at all in the transaction, and I'm sure that's true because every Android fanboy around is going to verify that fact for everyone.

It's also why Apple Pay counts as a card-present transaction, and Google Wallet doesn't.

Re:NFC alone isn't enough

[DigitAl56K]

The reason Google Wallet has been a failure to-date is that it (and all other smartphone-based payment systems except ApplePay) is simply not convenient to use compared to swiping a credit card.

Bullshit. There is virtually no difference in the operation of either system except one has a fingerprint reader.

The reason ApplePay became the #1 smartphone payment mechanism overnight is because it's utterly trivial and convenient to use.

More bullshit. The reason ApplePay became the #1 mechanism overnight is because Apple leveraged their marketing and the media around it. Google hasn't ever done the same. In fact, it would be easy to be oblivious to the fact that Google Wallet even exists - it's almost as if Google doesn't give a crap in terms of marketing it (who knows why..)

It took me exactly 3 seconds at the local Whole Foods to pull out my phone, tap it with my finger on the finger print reader, and put it back in my pocket.

It takes me no more time to use Google Wallet.