I think this might be too late, all the banks have launched contactless cards themselves. It may be convenient to have them in your phone (irregardless of any security risks), but I mean if you already have a contactless card, what's the point?
In Poland, people use NFC (PayPass) for years now. People use it everywhere, from little kiosks or local grocery shops to major chain stores. You can even buy yourself a public transportation ticket by swiping your card against a machine inside the tram or bus in some cities.
To pay with your phone, some banks were issuing little NFC stickers that people put on their phonecases. It worked perfectly. Android Pay could have been a really great thing - had it launched 5 years ago.
The NFC stickers are not the same thing though. Commbank in Australia does both (paypass in their own app and a sticker).
The sticker is always exposed, works with one account only, and doesn't even require authentication. With the app, I can select which account to use, see how much money I have on it, then authorize with pin and pay. I know some people may prefer the sticker only, but I find the app much better.
but from a consumer perspective who cares? you're protected either way. i prefer to carry a single card vs my phone if i'm running in the rain and want to stop for a drink. other times if i forget my wallet the phone is great, but it's totally equal as a user.
> contactless card are less secure than an tokenized mobile app because contactless card send you credit card number with NFC without encryption.
Only in the United States. In mainland Europe NFC has always used EMV authentication between terminal. Also as an aside: a european credit card's number alone is kinda useless.
I'm not quite sure that's the case. Using an NFC app on my phone, I was able to get my credit card's number without any issue. Also had the expiry date and a list of transactions.
> I'm not quite sure that's the case. Using an NFC app on my phone, I was able to get my credit card's number without any issue. Also had the expiry date and a list of transactions.
If your card speaks MSD over NFC then it will provide that information. That's up for your bank. My cards not do it and as such I cannot use NFC in many places in the US.
I'd love to be able to just carry around my phone and not a separate wallet. Particularly if I'm going clubbing in tight trousers. Getting a card out of a wallet is a fiddle compared to just tapping a phone, and a card loose in my pocket feels unsafe.
I agree, I find Apple Pay to be far more fiddly to use than contactless. However, one advantage of the phone based payments is that they can have higher usage limits. Contactless is only allowed up to £40 (I think?) in the UK, whereas banks might allow larger payments with the security of a fingerprint-based payment.
Using a phone instead of a card isn't the end of the journey, it's just a step somewhere (early) along the way. As people get used to paying for stuff using a powerful connected computer instead of a card all sorts of new possibilities will open up.
I used to organise my wallet so when open one side only had one card in (to prevent card clash), but I risked things falling out.
My phone is normally in my hand anyway so using it is much more convenient. The only problem is it's takes 1/2 a second longer, and you don't want to look like an idiot trying to use your phone in rush hour.
I wish there was a quick way to launch it when the phone was open as sometimes double tap doesn't work and you open the phone, then you have to lock it again, double tap, touchID. I would use my watch, but then you have to look like more of an idiot rotating your arm and leaning over to the reader.
I'm glad they have finally launched in the UK. My GF is ALWAYS leaving the house without her bag and with no money, but she always has her phone on her. At least now there is less chance of her needing money and not having it on her. I do wish they had support from more banks though.
> I've had a preview of the Android Pay app, and if anything it is even simpler to use once you have uploaded your cards to the app.
That'll be amazing. I just got an Apple Pay enabled iPhone and I'm loving it. Used it on the London Underground, with the Starbucks app, at McDonalds, and it's wonderful.
Gone are the days of having to fish out all my cards from my wallet to find the card I want to pay with.
If Android Pay can deliver an as-good or better experience, fantastic. This is good news for everyone.
I used to get really frustrated when my Oyster card or contactless credit card fail on first read. Didn't happen often, but often enough to annoy me. Has yet to happen with Apple Pay, but I've not been using it anywhere near as long. It's definitely quicker to read Apple Pay than it is to read my Amex.
Well, it doesn't work for me at the moment (Nexus 6P). I'm getting "Android Pay can't be used" message when trying to add a card. It's worth noting that my bootloader is unlocked and the phone is rooted (stock ROM). It will be a shame if it requires phone not to be rooted, because as much as I'd like to use Android Pay - I like my ad blocker better.
Since there is no secure element on most android phones it would not be permissible to use android pay on it. I'm sure there are ways to trick the check but it is not supposed to work.
This is almost certainly because it is rooted, IMHO. All the serious banking/payment apps I have seen won't run on a rooted phone as they can no longer be sure of the integrity of the device.
This turned out to be because I also had the HSBC app installed, and there is a global setting to choose which contactless provider to use. Helpful error message.
"...although Barclays customers will not be able to use Android Pay. That is because the bank is going it alone, making contactless payments available through its own mobile banking app."
Replacement of the Oyster card would be pretty cool, especially for tourists. Assuming they can still calculate the smartest price at the end of the day.
How secure is NFC in general? How are these payment systems protecting against someone setting up a fake system to read out CC data?
> Replacement of the Oyster card would be pretty cool, especially for tourists. Assuming they can still calculate the smartest price at the end of the day
It already works as an oyster replacement as it's the same technology for contactless cards. Contactless cards get the same fare caps as oysters
Contactless cards have been universally accepted on the London transport network for quite a while – this includes Apple Pay, and I assume Android Pay too.
Contactless/NFC has no security in the sense that it requires no interaction in order to charge a card. Security is provided by bank guarantees to refund fraudulent transactions, capping transactions to low-ish values, and requiring a PIN-authed transaction every 5 contactless transactions. Card data cannot be extracted from a transaction in this way, and fraudulent terminals are unlikely to appear due to the need for merchant accounts and the associated paper trail.
In the case of Apple Pay and presumably Android Pay, there is the additional requirement that transactions are authenticated on the device (TouchID / passcode for Apple Pay).
I find these products like Apple Pay and Android Pay to be too old-school, doubling down on the dependence on banks and credit cards. They need to go ahead and load funds into the app like a digital wallet.
This is something a company I used to work for tried to do and failed. I do agree thats the way to go but there are some obstacles we didn't manage to overcome:
1. trust - will people trust their money to be deposited in the digital wallet? unless you have a massive banking institution behind you the public might not be so eager to use your system.
2. you need a convenient way to transfer money to digital wallet. if that method is a credit card the whole system breaks down because someone has to absorb the cc transaction fee.
3. banks have good relations with Visa/Mastercard/Amex and cause friction when you have to deal with them for a system that takes away profits from the credit card companies.
Yeah, maybe they're taking off in India and China because of a "leapfrog" opportunity. For example, pre-paid digital wallets are used to pay for ride-sharing, whereas in the U.S people just use the same card that they already use often at CVS, Starbucks etc.
The other aspect that I think a lot of financial innovation will depend on is a "killer app". In India it's been phone 'recharge'--most people have prepaid phones, so you can add balance using the mobile wallet app instead of going out to find a nearby shop or kiosk to do it for you. And in the case of China, WeChat integrates so many services that it makes sense to have a wallet integrated into its many offerings. In the U.S, Venmo is instructive too, about focusing on a product rather than a method or technology.
The last coffee I bought before leaving Shanghai was difficult because the register was nearly empty. Every customer in line in front of me had payed with their phone. While I waited, I watched every customer behind me do the same.
Even African economies have more extensive mobile payments (though I don't envy the motivation).
And it's a very dangerous situation. It will make the cash disapear more, and more, meaning big entities will control money more and more and individuals with a have smaller and smaller margin to build things that are not aligned with them. If (when) anything goes wrong, citizen will have no safety net.
54 comments
[ 4.9 ms ] story [ 104 ms ] threadTo pay with your phone, some banks were issuing little NFC stickers that people put on their phonecases. It worked perfectly. Android Pay could have been a really great thing - had it launched 5 years ago.
The sticker is always exposed, works with one account only, and doesn't even require authentication. With the app, I can select which account to use, see how much money I have on it, then authorize with pin and pay. I know some people may prefer the sticker only, but I find the app much better.
Tokenized app send one time credit card number.
http://www.planetbiometrics.com/creo_files/upload/article-fi...
http://arstechnica.com/business/2015/05/android-pay-will-emb...
http://www.telegraph.co.uk/finance/newsbysector/retailandcon...
Only in the United States. In mainland Europe NFC has always used EMV authentication between terminal. Also as an aside: a european credit card's number alone is kinda useless.
https://twitter.com/edent/status/724639270284189696
True, it didn't have the CV2(?) number on the back - or my address - but enough to make me buy an NFC shielded wallet.
If your card speaks MSD over NFC then it will provide that information. That's up for your bank. My cards not do it and as such I cannot use NFC in many places in the US.
My phone is normally in my hand anyway so using it is much more convenient. The only problem is it's takes 1/2 a second longer, and you don't want to look like an idiot trying to use your phone in rush hour.
I wish there was a quick way to launch it when the phone was open as sometimes double tap doesn't work and you open the phone, then you have to lock it again, double tap, touchID. I would use my watch, but then you have to look like more of an idiot rotating your arm and leaning over to the reader.
That'll be amazing. I just got an Apple Pay enabled iPhone and I'm loving it. Used it on the London Underground, with the Starbucks app, at McDonalds, and it's wonderful.
Gone are the days of having to fish out all my cards from my wallet to find the card I want to pay with.
If Android Pay can deliver an as-good or better experience, fantastic. This is good news for everyone.
I used to get really frustrated when my Oyster card or contactless credit card fail on first read. Didn't happen often, but often enough to annoy me. Has yet to happen with Apple Pay, but I've not been using it anywhere near as long. It's definitely quicker to read Apple Pay than it is to read my Amex.
Using latest Android pay app from APKMirror, nexus 6p and HSBC card I've made my first Android pay purchase ever.
That coffee tasted oh so sweet!
http://www.xda-developers.com/google-security-engineer-expla...
(PS there are workarounds)
This is because beta versions don't pass safetynet checks.
I suspect the phone rooting block is more for protecting their proprietary client-side code.
[0] https://i.imgur.com/Pkx4SRP.jpg
Barclays being one of the major banks in the UK
How secure is NFC in general? How are these payment systems protecting against someone setting up a fake system to read out CC data?
It already works as an oyster replacement as it's the same technology for contactless cards. Contactless cards get the same fare caps as oysters
Contactless/NFC has no security in the sense that it requires no interaction in order to charge a card. Security is provided by bank guarantees to refund fraudulent transactions, capping transactions to low-ish values, and requiring a PIN-authed transaction every 5 contactless transactions. Card data cannot be extracted from a transaction in this way, and fraudulent terminals are unlikely to appear due to the need for merchant accounts and the associated paper trail.
In the case of Apple Pay and presumably Android Pay, there is the additional requirement that transactions are authenticated on the device (TouchID / passcode for Apple Pay).
Two links about this (first link is by me) (1) https://medium.com/@firasd/mobile-wallets-in-india-growth-op... and (2) http://adage.com/article/opinion/china-s-mobile-payments-war...
The other aspect that I think a lot of financial innovation will depend on is a "killer app". In India it's been phone 'recharge'--most people have prepaid phones, so you can add balance using the mobile wallet app instead of going out to find a nearby shop or kiosk to do it for you. And in the case of China, WeChat integrates so many services that it makes sense to have a wallet integrated into its many offerings. In the U.S, Venmo is instructive too, about focusing on a product rather than a method or technology.
Even African economies have more extensive mobile payments (though I don't envy the motivation).
We're behind on this one.