Recently, mobile phones have been pitched as the ultimate replacement for (credit) cards as a means of making (micro-)purchases in the everyday marketplace. This sounds like a great idea in theory, but in practice, if it is to become truly commonplace, it must be at least as secure and well-regulated as the plastic cards it is designed to replace. Mobile phones are convenient: we have them with us all the time, so it does not seem too much of a stretch to extend their functionality to include payments along the lines of ‘swipe your card past an antenna’ (as we already do with OV chip cards). I have compiled a list of sources (see below) on the development of this technology so far, so that its development can be easily monitored. The reason for this is that ABN AMRO Bank and ING Bank recently announced the introduction of contactless payment in the Netherlands. Of course, banks need to catch up in this area or be left in the dust by the likes of Microsoft, Apple, Google and other telcos. I understand the need.
What is mobile payment?
There are currently three main ways of utilising a smartphone to make payments at a checkout:
– A QR code triggers the payment details of the store, so that only a PIN is required to complete the transaction. This is the powerful digital approach used by companies such as Starbucks.
– A bank’s ‘app’ on the smartphone transfers the payment directly via the bank’s internet banking service. This is now possible with most Dutch banks, after a great deal of initial concern about (e-)security.
– A ‘swipe’-type system almost identical to a public transport chip card, whereby you hold your mobile to a reader and your account is debited.
With this third ‘swipe’-type system, the new NFC chip plays a crucial role. The technology is very similar to that in an OV chip card, and it is this method on which this article focuses.
There are currently several different, non-interchangeable technical standards for swiping. For technical information, consult the sources listed below. It is likely to be quite a few years before this market is fully standardized technologically.
Business logic for financial institutions
Why should contactless payment be of interest to banks and credit card companies? At the most fundamental level, the business model for banks and other financial institutions is that ‘swipe’ payment systems make it easier, and perhaps more fun, to make transactions, thereby increasing their frequency. The question of who will actually pay for the necessary hardware and for the growing mass of digital transactions is at this stage not entirely clear to me, although it looks likely that, in the banks’ vision at least, it will be the business owners themselves. It is in any case clear that, even long after the introduction of this new mode of payment, the older systems will also have to stay in place. So the increase in the number of transactions must be substantial to really boost the profitability of financial institutions, at least in Western Europe.
Interestingly, mobile payments are actually a natural continuation of the classic bank business model, with transactions and ‘traffic’ to a core data centre driving the banks’ earnings and giving a new lease of life to an old system. Nevertheless, there are some significant differences between mobile payments and previous financial technological innovations. Earlier inventions directly replaced physical money and paper-based financial administration with an electronic system, while the new system proposes to displace existing electronic infrastructure, in a sense actually destroying capital.
What problems are solved by contactless payment?
A study of the literature reveals that this topic has not yet been fully explored. Two main benefits of the technology have been identified, or claimed: first, that such payments promise to be easier and more ‘fun’, and second, the advantages gained from the use of (big) data extracted for profiling and advertising purposes. The links to CRM and customer profiling are exciting and interesting to entrepreneurs and banks alike, although the associated practicalities are disconcertingly vague. In addition, the legal grey area surrounding customer privacy looms threateningly over the whole issue. Even when doing something as simple as typing “mobile payment” into a Google search, notice that no literature on user convenience is revealed. It would almost have the reader believe that user convenience comes first and foremost among the issues relevant to developers of the technology.
Of even more concern is the fact that recent research indicates that contactless card payment is not, after all, as secure as its providers would like, insofar as it is based on near field communication (NFC). Technology has already been produced that can intercept passive NFC signals, and even a simple laptop is sufficient to pick up data sent over NFC from as much as 13 metres away, revealing such things as:
– Name, address, city
– Card number and expiration date
– Payment history
Ultimately, the question is whether hacking mobile payment devices will offer enough incentive, and be sufficiently accessible, to enter the mainstream. ‘Hackito ergo sum’. Incidentally, most NFC-enabled smartphones are at this time vulnerable to this sort of attack. No spyware, no firewalls.
An underlying problem is that, in general, the (formal) responsibility for the transmission of (secure) information via mobile phones is not clear. This ambiguity carries over to mobile payments. Who is responsible for the data while it is being transmitted? The service provider, or the one who pays? Ideally, this needs to be determined before widespread implementation.
Do we know what we are doing?
Based on the information available to me at present, it seems, from an e-security perspective at least, that an immature technology is being implemented. At the same time it seems that the business owners of payment points, not the banks, will pay more and more as banks are digitally plundered by techniques such as the ‘mobile skimming’ mentioned above. This sometimes causes me to wonder whether those responsible within financial institutions and the Financial Markets Authority (which oversees such matters as formal payments) know anything about any of this. Furthermore, are the owners of payment points aware that they will soon have to pay even more to banks and technology providers?
There is a lot of thunder around Europe at the moment about vulnerable banks that are “too big to fail”. We have already paid a high price for this dependence, and as a result alternatives are thankfully beginning to emerge, such as crowdfunding and social banking. The question I would like to pose here is whether we as a society really need a new development such as contactless payment, which looks set to return us all once more to dependence upon large financial institutions. Is this not against the social trend? From the perspective of ‘risk management’ (a term well known in banking circles), is this really desirable right now?
Of course swipe payments are promising and aesthetically pleasing, enjoyable to use, but should we not first explore avenues that are less security-critical, such as mobile access cards? At the point at which personal and banking information is being exchanged, the basic technology must be stable and secure, and it must be clear, in the event that something goes wrong, with whom the responsibility lies. This is currently not the case.
Sources
– http://www.paypass.com/performance_insights.html (March 2011, EUR 92 million)
– ‘Hacking the NFC credit cards for fun and debit ;)’ by Renaud Lifchitz (Hackito Ergo Sum 2012)
MasterCard and Visa are currently releasing new contactless credit cards worldwide. Payments can become faster, simpler and easier, but are they becoming more secure? We have worked on such cards and found nearly no security. Partial card cloning and unsolicited payments are possible.
Slides – http://2012.hackitoergosum.org/blog/wp-content/uploads/2012/04/HES-2012-rlifchitz-contactless-payments-insecurity.pdf
POC code – http://code.google.com/p/readnfccc/
Video of talk – http://www.ustream.tv/recorded/21805507
Banks want to shift the risk towards the business:
Examples of negative NFC publicity:
NFC in the Netherlands: