Slashdot Mirror
Chase and MasterCard Jump Into Mobile Payments (itworld.com)
itwbennett writes: JP Morgan Chase said Monday that it plans to launch its own smartphone payment platform in mid-2016. 'Chase Pay will be based on CurrentC, a retailer-led mobile payment system that has largely been written off by Silicon Valley techies for its reliance on barcodes rather than the more sophisticated NFC (near-field communications) technology adopted by its competitors,' writes Martyn Williams. CurrentC, and therefore Chase Pay, is compatible with a much larger number of smartphones than the rival services from Apple, Google and Samsung.
Meanwhile, MasterCard announced a program that aims to turn any type of gadget into a payment device, from car keys to fitness trackers.
Yes, the phone in your pocket is also a computer. No, it is not as secure as your desktop or laptop.
Never trade security for convenience.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Why would anyone want to pay with a phone? How is it any more convenient than paying by card or cash?
Not to mention the enormous invasion of privacy which gives them all the info about your finances.
Well, if you are using the app directly from the credit card company / bank, I imagine the privacy factor is about the same whether using a card or a phone. I'd much rather carry my phone around and leave my credit cards at home. It's easier for me to keep track of my phone and I notice if it is missing much faster than if a card (or wallet) is missing.
Hopefully the apps from the bank work with rooted phones. I haven't had a chance to use this tech yet (even though I have a Note 5) since I rooted my phone - which stops Samsung and Android Pay from working.
You must not have shopped in a retail store lately, or you would have noticed that every cashier is quite familiar with barcode readers, and in busy stores, they are used thousands of times a day.
"Remind me again why NFC is "better" than bar codes?"
Because it's shorter working range, ability to transfer more information and quicker, also eliminates differences introduced by different brightness/display sizes of phones.
"You can't remotely intercept a bar code very well or easily"
Interception device is called a camera.
"You can verify what you present to the register."
Majority of people doesn't decode barcodes quickly enough.
"You're phone can't be tricked, remotely, into thinking its paying for something while you sit on the bus next to the guy with the laptop."
It can't be tricked in either way. a) Android phones only enable NFC chips when screen is active b) Asking for a simple confirmation on-screen with details of transactions is just as simple.
"The imaging device needed to read them are cheaper than NFC transceivers."]
Sure, optical scanner is way cheaper than a 3-dollar chip.
Ah. So not looking to make any big purchases, then?
It will be so nice standing in a busy supermarket about to pay only to realize you forgot to charge your phone, won't it?
Or forgot your wallet? That happens to me more often than not having a charged phone. Granted, everyone's mileage will vary with this as with anything else.
"Why would anyone want to pay with a phone?"
Whenever you hand your credit card to a clerk, there is a possibility that it could be scammed. Your card information could go into the retailer's database, which can eventually be hacked, compromising millions of people at once.
Phone payment systems, on the other hand, can be set up so that only a one-time code gets transmitted to the retailer. It can't be used for anything after the one transaction, and there is nothing to store in a vulnerable database.
Phone payment systems, on the other hand, can be set up so that only a one-time code gets transmitted to the retailer. It can't be used for anything after the one transaction, and there is nothing to store in a vulnerable database.
EMV provides a similar one-time code. No phone required.
While this is true, the problem is that it's still often normal to hand your card to a clerk rather than inserting it for a chip transaction. Even where that's not the case, it wouldn't take much for someone to use cameras to gather the information necessary to use EMV cards fraudulently online.
B) Eliminate all the stupid users. This is frowned upon by society.
When I looked into it, the advantages to something like Apple Pay (but not any of these CurrentC-based initiatives) seemed pretty evident:
1) It's significantly more secure than carrying a card in the US. For instance, Apple Pay generates single-use tokens that take the place of credit card numbers. Had consumers been using it when the Home Depot and Target hacks happened last year against the point of sale systems, the hackers would have just gotten a list of consumed tokens that were utterly useless. Likewise, were my phone/card stolen, I'm less likely to notice a missing card than a missing phone, but both of them can be deactivated remotely. On the plus side for the iPhone*, even if I don't deactivate it, it'll fully lock itself and require my lengthy password after 48 hours, meaning that any would-be thieves would have a very narrow window during which to use Apple Pay, and it would be complicated by the fact that they'd have to first reproduce my fingerprints. That alone negates a lot of common thievery. And if we're getting into the sort of state-sponsored thievery that would be good enough to crack into the hardware encrypted Secure Enclave in an iPhone where the credit card info is stored, then Apple Pay is, frankly, the least of my worries.
2) It's more convenient. No more pulling cards out of my wallet, then having to put them back in the right place. No having to navigate to and through apps. No having to manually generate QR code sand the like. No having to count out cash. Less things to carry. I'd love to eliminate the cards I carry from my EDC. I already have my health and car insurance "cards" on my phone. Some US states are permitting digital driver's licenses. And I stopped carrying cash on a regular basis years ago for a variety of reasons. My credit cards are one of the bulkiest things I still carry.
3) It's more private than credit cards. Again, speaking of Apple Pay and the like as opposed to CurrentC-based programs, they're specifically designed to protect your privacy against intrusion by the retailers. Credit card numbers can be captured by retailers and are routinely compiled into large databases that track you and your purchases across all of their chains and subsidiaries, both in-store and online. In contrast, the one-use tokens that Apple Pay uses aren't linked back to your identity or any of your identifying information in any way (though I think I heard that they were about to allow users to opt-in to providing info to specific retailers in exchange for discounts/rewards/customer loyalty type stuff), and because they're single-use, they can't be tracked from one purchase to the next. It strips retailers of their ability to track you via your payment method, though, obviously, cash shares that same advantage.
In contrast, CurrentC-based systems like Chase's are designed by retailers (headed by Wal-Mart) for retailers, since it tracks your location both inside and outside of the stores, requests access to as much information as it can get on your phone (including any health information you store on the phone), and provides identifying information in its QR codes so retailers can easily recognize you.
All of which is to say, paying by phone has some major advantages, but, as with many topics we discuss here on /., the devil is in the details.
* Hypothetically speaking, since I don't actually have an iPhone with Apple Pay.
So far everywhere I've used the chip in my new EMV card, I first handed it to the cashier and they tried to swipe, and it denied it saying I had to use the chip, which every single time has been facing downward and towards me, somewhat out of view of anybody (or anything) besides myself.
Everywhere I've done this, this has been the case at any rate, which includes every walmart, every restaurant, etc. I don't know if that's the standard, but it wouldn't surprise me if the terms of the merchant agreement required it.
Besides, I really *really* doubt somebody would bother with using a camera. The odds of you getting all of the relevant info (which includes the CVV number on the back) is unlikely, and would probably take more time and money to set up than it's worth. Especially when you consider that the only cases where they do an actual investigation on credit card fraud, they look for a bunch of customers that have happened to shop at the same place, and then begin investigating that establishment.
Even if they did get your credit card information, what will it cost you? Oh that's right, the inconvenience of being without your credit card for a week while they send you a new one, because your bank (like most banks) offers zero fraud liability (unless you have truly shitty credit.)
Yup, I forgot about that one, since it's been awhile since I last looked into CurrentC. That's definitely one of the worse things about it, but the whole thing is really just a bad system from the consumer side of things. It places complete trust in retailers (who have shown they're not trustworthy), gives them more access to your data (e.g. health, birthdate, photos), enables them to track you more easily (e.g. location tracking, tracking purchases across multiple cards you have in the app, tracking you between all MCX partner stores), opens you up to new forms of attack (e.g. draining your account, as you mentioned), and, frankly, when I've seen the process demonstrated, it strikes me as being on par with or less convenient than a credit card at checkout.
Given the substantial security and privacy concerns, the lack of additional convenience, and the massive, unwarranted escalation of privileges, I see absolutely no reason to ever consider CurrentC for personal use. If anything, I'm more inclined to view it as a form of adware (given that it can creepily deliver ads to you as you walk around the store based on where you are in the store and your past purchase history) than a viable tool.
The main problem with CurrentC is not the QR-codes, though that is kind of ridiculous and old-timey. The main problem is the direct line into your banking account with no credit card intermediary; which strips you of much fraud protections you enjoy with ApplePay, or even just by swiping plastic. That means instead of being on the hook for no more than $50 in the event of fraud (And many cards waive this these days.), your bank account can simply be emptied. Good luck getting that money back. And even if you succeed, it's still gone for the duration, when you may have needed it for other purchases and bills.
CurrentC needs to die. And the retailers trying to push it need to be made to suffer.
Imagine all the people...
Mobile payment is a solution in search of a problem.