Australian Banks Seek Open Access to NFC Functions of Apple Pay in New Application

[doelcm82]

How about opening access to the NFC hardware, but rejecting any apps that duplicate Apple Pay functionality? This would allow using it to open locks, identify loyalty programs, or other authentication, but protect Apple's investment in Apple Pay.

I don't have much sympathy for the banks. They're free to work with Apple Pay or not. Their choice. They can always use QR codes instead!

 

[kettle]

Who's John Galt?

 

[a.gomez]

exactly - The NFC chip should be open up and people compete. The argument that it will become less secure is stupidity - It totally is a "conspiracy theory". The only reason it is closed is because Money.

 

[canadianreader]

amazing how much they like to knock their heads on the wall over and over and over

 

[fozz3d]

OH FFS!!!!!

So the ACCC released a draft finding against the banks, with a final and full decision next month. And now, the banks re-apply again with just wanting access to NFC. Why are the banks trying to kick a horse while it is already down and dead with this NFC thing. Maybe the banks should ask their customers what they want, instead of making a decision on their own. Not once has my bank asked me if I wanted Apple Pay, and if they keep going on with these shenanigans, I'll move my business to ANZ.

 

[Kaibelf]

exactly - The NFC chip should be open up and people compete. The argument that it will become less secure is stupidity - It totally is a "conspiracy theory". The only reason it is closed is because Money.

And the reason these banks want it open is also Money, as in tracking/selling user data. Apple doesn't want to facilitate that, and no one can force them to provide a product that does it. If the banks want this so badly, they can go build a phone. What's next? Music labels demanding that Apple provide them personal data on all users of Apple Music because it's "for the good of the children?"

 

[Paul Dawkins]

Banks don't have the right to complain about anything. Period.

 

[69Mustang]

Same way it would be compromised if Apple gave iOS decryption keys to FBI. The more people have access to sensitive data, the more probable is the chance of it leaking and being used improperly.

You're proving my point perfectly. I ask how would security be compromised and you essentially give me, "It would be compromised the same way it would be compromised." Then you layer it with a touch of misdirecting FUD by bringing up decryption keys and the FBI. Neither of which have anything to do with NFC. To top it off, you talk about access to sensitive data, leaks, and improper use. That's not it works. That's not how any of this works.

Spicer is that you?

 

[Paul Dawkins]

You're proving my point perfectly. I ask how would security be compromised and you essentially give me, "It would be compromised the same way it would be compromised." Then you layer it with a touch of misdirecting FUD by bringing up decryption keys and the FBI. Neither of which have anything to do with NFC. To top it off, you talk about access to sensitive data, leaks, and improper use. That's not it works. That's not how any of this works.

Spicer is that you?

Do you understand the simple fact that the more people know the information the harder it is to contain it? It's exactly the same case as with FBI. It concerns privacy as well as security.

I'm being tracked enough as it is.

 

[reevans]

This will be interesting to watch. Sounds like the banks are essentially asking for level playing field against Apple. Not sure that's such a bad thing.

Level playing field? OK then, the banks have to let Apple loan money and sell financial instruments and the banks have to come up with a competing phone that they give key aspects of their special engineering to Apple.

 

[CRaSHeR36]

This will be interesting to watch. Sounds like the banks are essentially asking for level playing field against Apple. Not sure that's such a bad thing.

The only bad thing is from a security perspective. Currently Apple holds the only keys to their NFC chip. Opening this up means weakening the chip's overall security. For me that's a VERY bad thing.

 

[69Mustang]

Do you understand the simple fact that the more people know the information the harder is to contain it? It's exactly the same case as with FBI. It concerns privacy as well as security.

I understand you're conflating access to NFC with a whole lot of unrelated generalities. I do understand that much. Throughout this thread, you and a few others have done nothing more than make unsubstantiated supposition regarding "what could go wrong" and the banks motivation to harvest data. This data harvesting thing is laughable. Banks already have a crap ton of information on customers like: where they work, live, whether they own/rent, how much money they have, their investments, what kind of car they drive, etc. So knowing what you buy so they can offer loyalty, mileage, and cash back offers is... just so evil.

 

[chagla]

ah... the joys of artificial limitations imposed on hardware by apple in the name of "security". bluetooth and nfc on Android could do so much more because they are not crippled by Google. by limiting choices, what is it that apple is protecting you from?

 

[mrochester]

This will be interesting to watch. Sounds like the banks are essentially asking for level playing field against Apple. Not sure that's such a bad thing.

Don't the banks already have a level playing field in Android?

 

[macduke]

How exactly would the security of NFC be compromised? I see people saying this all the time, but to date, no one has actually shown how the security would be compromised.

How would it compromise it?

Aren't the inner-working of NFC hardware well understood? What new information would anyone gain from this? They're just taking about the hardware, not Apple Pay.

This document on Apple's site explains it:

NFC controller: The NFC controller handles Near Field Communication protocols and routes communication between the application processor and the Secure Element, and between the Secure Element and the point-of-sale terminal.

During a transaction, the terminal communicates directly with the Secure Element through the Near Field Communication (NFC) controller over a dedicated hardware bus.

As the gateway to the Secure Element, the NFC controller ensures that all contactless payment transactions are conducted using a point-of-sale terminal that is in close proximity with the device. Only payment requests arriving from an in-field terminal are marked by the NFC controller as contactless transactions. Once payment is authorized by the card holder using Touch ID or passcode, or on an unlocked Apple Watch by double-clicking the side button, contactless responses prepared by the payment applets within the Secure Element are exclusively routed by the controller to the NFC field. Consequently, payment authorization details for contactless transactions are contained to the local NFC field and are never exposed to the application processor. In contrast, payment authorization details for payments within apps are routed to the application processor, but only after encryption by the Secure Element to the Apple Pay Server.

From reading that, it seems like Apple has it fairly locked down as it's tied in over a dedicated hardware bus to the secure enclave. They could always add a second NFC chip to handle other types of NFC transactions (and I wish they would for things like unlocking my doors), but Apple put NFC into the iPhone to be used exclusively with their payment system, not as some kind of general radio with an API. The whole thing seems pretty tightly integrated with security being the highest priority, but I may be wrong as I'm no expert in this field. I'm just interpreting what I've read with my limited capacity to understand it.

 

[a.gomez]

And the reason these banks want it open is also Money, as in tracking/selling user data. Apple doesn't want to facilitate that, and no one can force them to provide a product that does it. If the banks want this so badly, they can go build a phone. What's next? Music labels demanding that Apple provide them personal data on all users of Apple Music because it's "for the good of the children?"

Banks get all your personal information when you open an account and in the USA the FEDS know every account you have, how much money is in it and what you do with it is always documented. ApplePay is not a bank, it does not have some special private financial Gate. This has nothing to do with consumer privacy (something that is an illusion anyway)

This is a service on a platform. Apple can provide that service however they want (Apple Pay) but they should not make an artificially hardware limitation (locked NFC) to prevent competition of their own services. it should not matter Apple created the platform.

 

[macs4nw]

Quote: "Open access to the NFC function on iPhone is required to enable real choice and real competition for consumers, and to facilitate innovation and investment in the digital wallets available to Australians. Without open NFC access on iPhone, no genuine competition in the provision of mobile wallets is possible and Apple will have a stranglehold on this strategically important future market."

Translation: We don't care about consumers or competition, we're more pissed about Apple beating us to the trough and would rather keep all the profits to ourselves.

Also we would have liked access to customer profiles and shopping Data which Apple says they don't collect.

 

[robjulo]

NM

 

[mrochester]

Quote: "Open access to the NFC function on iPhone is required to enable real choice and real competition for consumers, and to facilitate innovation and investment in the digital wallets available to Australians. Without open NFC access on iPhone, no genuine competition in the provision of mobile wallets is possible and Apple will have a stranglehold on this strategically important future market."

Translation: We don't care about consumers or competition, we're more pissed about Apple beating us to the trough and would rather keep all the profits to ourselves. Also we would have liked access to customer profiles and shopping Data which Apple doesn't collect, and even if they did, the Secure Enclave won't let us.

It's interesting that the banks seem to be suggesting Apple are the only option on the market. What about Android Pay and their own NFC cards?

 

[flyingspur]

API's, keep it secure Apple! Or I'm out! Took me long enough to jump on apple pay too.

 

[macs4nw]

It's interesting that the banks seem to be suggesting Apple are the only option on the market. What about Android Pay and their own NFC cards?

If they were to win against Apple, that ruling would likewise apply to any other similar payment method.

 

[psycoperl]

I don't think negotiating over Apple pay fees requires access... but that thats just me.

I can see one idea why, to know when the consumer uses it, but Apple can write code for that. The banks don't want that, though.

Faulty argument. My banks already know when I use ApplePay and indicates the transactions with a NFC payment logo.

Apple pay's payment mechanism is through the payment processors (in us see visa and MasterCard) via the already set protocols and non Apple Systems

Once your card is approved, your bank or your bank’s authorized service provider creates a device-specific Device Account Number, encrypts it, and sends it along with other data (such as the key used to generate dynamic security codes unique to each transaction) to Apple. Apple can’t decrypt it, but will add it to the Secure Element within your device. The Secure Element is an industry-standard, certified chip designed to store your payment information safely. The Device Account Number in the Secure Element is unique to your device and to each credit or debit card added. It’s isolated from iOS and watchOS, never stored on Apple Pay servers, and never backed up to iCloud. Because this number is unique and different from usual credit or debit card numbers, your bank can prevent its use on a magnetic stripe card, over the phone, or on websites.

Apple doesn’t store or have access to the credit, debit, or prepaid card numbers you added to Apple Pay. Apple Pay only stores a portion of your actual card numbers and a portion of your Device Account Numbers, along with a card description, to help you manage your cards.

When you pay using Apple Pay in stores
Paying in stores that accept contactless payments with Apple Pay uses Near Field Communication (NFC) technology between your device and the payment terminal. NFC is an industry-standard contactless technology designed to work only across short distances. If your iPhone is on and it detects an NFC field, it will present you with your default card. To send your payment information, you must authenticate using Touch ID or your passcode. ...

After you use Touch ID or enter your passcode on iPhone, or double-click the side button on Apple Watch at a payment terminal, the Secure Element provides your Device Account Number and a transaction-specific dynamic security code. This information is sent along with additional information needed to complete the transaction to the store’s point of sale terminal. Neither Apple nor your device sends your credit or debit card number. Before they approve the payment, your bank or payment network can verify your payment information by checking the dynamic security code to make sure it’s unique and that it’s tied to your device.

Apple takes the cut from the fee that the banks charge the merchants (interchange fees) for providing the secure system of enrolling the cards and the transaction. When you limit the access to a "secure" area you can protect the information and my financial information is something that I want secure. .

 

[SeattleMoose]

We all know banks always have our best interests at heart.

 

[AllieNeko]

I literally don't know how to feel about this:

1. I hate the ACCC so much. You know Dynamic Currency Conversion? The scam where shops try to trick you into letting them do the foreign exchange conversion - at exorbitant rates? The scam where they try to trick you into agreeing (e.g. $xx.xx Amount OK? Yes/No and pushing "no" is how you get charged in the local currency, or having the local currency button be red, or simply printing check boxes on the receipt then ignoring what you picked in hopes you don't notice and dispute the charge) to be conned? Yeah, that one. Well, Visa and MasterCard tried to get in under control and the ACCC stopped them claiming it was anti-competitive to not allow others to do the foreign exchange. Yes, every time you have to deal with that scam you can thank the ACCC. They're looking out for businesses here, not consumers.

2. Fundamentally, I agree with the banks. Hardware should be open. You own it and should be able to do what you want with it. Lack of APIs is one reason I use my Android phone more than my iPhone lately.

3. At the same time, look at bank apps on Android where the bank insists on using their own contactless. At best, they add nothing (Amex Pay - in the UK, Amex doesn't use Android Pay) and it's one more app to manage. At worst, it's a disaster (Barclaycard Contactless Mobile - won't let you use it unless you make it your default payment app, requires you enter your PIN for transactions over £30, doesn't allow transactions over £100 at all). Apple can rightly and fairly argue that forcing banks in to Apple Pay makes for a better customer experience.

No matter who wins this one, there are pros and cons... I just don't know.

 

[Euge]

Banks get all your personal information when you open an account and in the USA the FEDS know every account you have, how much money is in it and what you do with it is always documented. ApplePay is not a bank, it does not have some special private financial Gate. This has nothing to do with consumer privacy (something that is an illusion anyway)

This is a service on a platform. Apple can provide that service however they want (Apple Pay) but they should not make an artificially hardware limitation (locked NFC) to prevent competition of their own services. it should not matter Apple created the platform.

So you're saying that if a company creates a product, both hardware and software, that other entities can request that the government mandate how that product is implemented? Unless it's a monopoly, I don't agree with your statement, "it should not matter Apple created the platform."

You also state that, "they should not make an artificially hardware limitation (locked NFC) to prevent competition of their own services." Why not? If I create a product, what legal precedent forces me to make it available to my competition?

A lot of people in this thread are going on about the security implications. Regardless of whether security is actually a concern, the truth is it's Apple's product and they can implement it any way they want (which you stated). However, I don't see how the government can require them to open up their platform if they don't want to unless they have a monopoly, which they don't.