Slashdot Mirror
Chase and MasterCard Jump Into Mobile Payments (itworld.com)
itwbennett writes: JP Morgan Chase said Monday that it plans to launch its own smartphone payment platform in mid-2016. 'Chase Pay will be based on CurrentC, a retailer-led mobile payment system that has largely been written off by Silicon Valley techies for its reliance on barcodes rather than the more sophisticated NFC (near-field communications) technology adopted by its competitors,' writes Martyn Williams. CurrentC, and therefore Chase Pay, is compatible with a much larger number of smartphones than the rival services from Apple, Google and Samsung.
Meanwhile, MasterCard announced a program that aims to turn any type of gadget into a payment device, from car keys to fitness trackers.
A phone is probably at least as secure as the average person's desktop. All three major phone operating systems offer a walled garden and by default run apps in a heavily restricted sandbox. Most users never break out of that. We don't see vast phone based botnets, suggesting that those operating systems compare quite well to the most common desktop OS, Windows.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
"Why would anyone want to pay with a phone?"
Whenever you hand your credit card to a clerk, there is a possibility that it could be scammed. Your card information could go into the retailer's database, which can eventually be hacked, compromising millions of people at once.
Phone payment systems, on the other hand, can be set up so that only a one-time code gets transmitted to the retailer. It can't be used for anything after the one transaction, and there is nothing to store in a vulnerable database.
Phone payment systems, on the other hand, can be set up so that only a one-time code gets transmitted to the retailer. It can't be used for anything after the one transaction, and there is nothing to store in a vulnerable database.
EMV provides a similar one-time code. No phone required.
When I looked into it, the advantages to something like Apple Pay (but not any of these CurrentC-based initiatives) seemed pretty evident:
1) It's significantly more secure than carrying a card in the US. For instance, Apple Pay generates single-use tokens that take the place of credit card numbers. Had consumers been using it when the Home Depot and Target hacks happened last year against the point of sale systems, the hackers would have just gotten a list of consumed tokens that were utterly useless. Likewise, were my phone/card stolen, I'm less likely to notice a missing card than a missing phone, but both of them can be deactivated remotely. On the plus side for the iPhone*, even if I don't deactivate it, it'll fully lock itself and require my lengthy password after 48 hours, meaning that any would-be thieves would have a very narrow window during which to use Apple Pay, and it would be complicated by the fact that they'd have to first reproduce my fingerprints. That alone negates a lot of common thievery. And if we're getting into the sort of state-sponsored thievery that would be good enough to crack into the hardware encrypted Secure Enclave in an iPhone where the credit card info is stored, then Apple Pay is, frankly, the least of my worries.
2) It's more convenient. No more pulling cards out of my wallet, then having to put them back in the right place. No having to navigate to and through apps. No having to manually generate QR code sand the like. No having to count out cash. Less things to carry. I'd love to eliminate the cards I carry from my EDC. I already have my health and car insurance "cards" on my phone. Some US states are permitting digital driver's licenses. And I stopped carrying cash on a regular basis years ago for a variety of reasons. My credit cards are one of the bulkiest things I still carry.
3) It's more private than credit cards. Again, speaking of Apple Pay and the like as opposed to CurrentC-based programs, they're specifically designed to protect your privacy against intrusion by the retailers. Credit card numbers can be captured by retailers and are routinely compiled into large databases that track you and your purchases across all of their chains and subsidiaries, both in-store and online. In contrast, the one-use tokens that Apple Pay uses aren't linked back to your identity or any of your identifying information in any way (though I think I heard that they were about to allow users to opt-in to providing info to specific retailers in exchange for discounts/rewards/customer loyalty type stuff), and because they're single-use, they can't be tracked from one purchase to the next. It strips retailers of their ability to track you via your payment method, though, obviously, cash shares that same advantage.
In contrast, CurrentC-based systems like Chase's are designed by retailers (headed by Wal-Mart) for retailers, since it tracks your location both inside and outside of the stores, requests access to as much information as it can get on your phone (including any health information you store on the phone), and provides identifying information in its QR codes so retailers can easily recognize you.
All of which is to say, paying by phone has some major advantages, but, as with many topics we discuss here on /., the devil is in the details.
* Hypothetically speaking, since I don't actually have an iPhone with Apple Pay.
The main problem with CurrentC is not the QR-codes, though that is kind of ridiculous and old-timey. The main problem is the direct line into your banking account with no credit card intermediary; which strips you of much fraud protections you enjoy with ApplePay, or even just by swiping plastic. That means instead of being on the hook for no more than $50 in the event of fraud (And many cards waive this these days.), your bank account can simply be emptied. Good luck getting that money back. And even if you succeed, it's still gone for the duration, when you may have needed it for other purchases and bills.
CurrentC needs to die. And the retailers trying to push it need to be made to suffer.
Imagine all the people...