Australian Banks Seek Open Access to NFC Functions of Apple Pay in New Application

[Alenore]

To people saying Apple should just say no to the banks... Did it ever occur to you that it might be Apple that's asking them to embrace Apple Pay, and they refuse?

Australia size by population is comparable to 3rd largest US state New York or the 7th largest European Union country Romania. Apple should just tell these banks to go fxck them greedy selves rather than compromise their system. There is no reason to allow whatever 3rd rate programmers these cheap ass banks hire to compromise Apple Pay security.

If the 1st rate programmer Apple hires are able to wipe devices clear of their musics, brick iPhones and can't keep iCloud / iMessage up, I wonder what these 3rd rate programmers would do, sure!
/s

 

[Krizoitz]

I literally don't know how to feel about this:
2. Fundamentally, I agree with the banks. Hardware should be open. You own it and should be able to do what you want with it. Lack of APIs is one reason I use my Android phone more than my iPhone lately.

You can do whatever you want with the hardware, but that doesn't mean Apple has to make it easier for you to do so by handing you the keys to its API's. Part of the reason security on the iPhone works in regards to things like TouchID and ApplePay is precisely because ONLY Apple knows how to talk to and from the SecureEnclave. If you open up those API's to anyone, that security advantage vanishes completely and the whole system becomes meaningless.

If you want to use a device that is less secure but allows you to have greater control over the hardware, fine, thats absolutely your choice, and as you've said you can choose an Android device to do so. You are making that tradeoff. But the idea that hardware "should" be open means you are taking away MY choice to select a device that offers greater security in exchange for not accessing certain APIs and system components. Why shouldn't I and other consumers be allowed to make that choice?

Saying "hardware should be open because it gives me greater control" is like saying "all cars should have manual transmissions because it gives me greater control". Yes it does, but not everyone wants or needs that and are willing to cede that control in exchange for other benefits elsewhere. Engineering is about tradeoffs. You want a device that grants you greater control and access to features, I want a device that is more stable and secure. Fortunately there are many companies that offer devices so we can each find one that best fits our needs and wants. But that doesn't mean companies should be compelled to cater to only one audience simply because they demand it. Apple has (rather successfully) decided that their balance between the two competing ideals of flexibility vs. security and stability is preferred by enough people to make it worthwhile to continue. Other companies cater to other balances. Since there is competition in this particular marketplace we don't need gov't stepping in to force it.

 

[69Mustang]

This document on Apple's site explains it:

From reading that, it seems like Apple has it fairly locked down as it's tied in over a dedicated hardware bus to the secure enclave. They could always add a second NFC chip to handle other types of NFC transactions (and I wish they would for things like unlocking my doors), but Apple put NFC into the iPhone to be used exclusively with their payment system, not as some kind of general radio with an API. The whole thing seems pretty tightly integrated with security being the highest priority, but I may be wrong as I'm no expert in this field. I'm just interpreting what I've read with my limited capacity to understand it.

Thanks for providing the link. If I was a lawyer for the banks, I would use that document as a defense exhibit. It clearly shows that Apple can offer access to NFC without any issues. Apple Pay has 5 components: Secure Element (industry standard), NFC Controller (industry standard), Wallet (proprietary), Secure Enclave (proprietary), and Apple Pay Servers (proprietary). For the banks to offer competing services they only need 1 & 2, both of which are industry standard. They don't need Wallet, Enclave, or Apple Pay Servers.

Customers can decide if they want to use Apple Pay or the bank's offering. Would Apple Pay be more secure? Maybe, maybe not. Without knowing what the bank's would offer there's no way to know. Choice

 

[tmiw]

I'm still not sure how this new justification helps the banks. I feel like what Apple should be providing in terms of software is way out of scope and are best resolved through some other mechanism. It'd be like the banks demanding that Samsung provide an API to allow them to use its MST capability before they agree to sign up with Samsung Pay.

 

[MyopicPaideia]

Hmmm, way can't they just launch their own payment services on every other phone except the iPhone - i.e. Android? Apple Pay isn't available on anything but Apple products, so I don't understand how their argument holds any water.

Why do they have to be able to offer their payment solution on an iPhone to provide customer choice? Release your payment solution on platforms that are compatible and let your customers decide what they want to use, based on their smartphone choice.

iOS is only ⅓ of the market in Aussie anyway, the consumer choice argument is a red herring!

 

[rolsskk]

How do they figure Apple has a "stranglehold" as they frazed it, on mobile wallet market?

I think the word you're looking for is 'phrased'.

 

[mpainesyd]

The lawyers are going to earn of lot more out of this fiasco than the fees the banks are complaining about! Apple has every right to keep its propriety software secure. Would the banks be willing to give Apple some of its online transaction software if the tables were turned?
BTW - I started an ANZ credit card account so I could use AP in Australia. I only wish NFC transactions with AP were more widely used overseas. I like the idea that the merchant does not get my credit card details.

 

[2010mini]

I think the word you're looking for is 'phrased'.

Thanks. I posted before proofreading. Fraze is a tool.

 

[69Mustang]

The lawyers are going to earn of lot more out of this fiasco than the fees the banks are complaining about! Apple has every right to keep its propriety software secure.

You're confused. The banks aren't asking for access to Apple's proprietary software or hardware. Their asking for NFC access. Not propritary.

Isn't Apple asking for access to the bank's customers?

 

[SoulCloud]

I didn't know that banks couldn't access purchase information. Can someone please explain how they don't have access to purchase history of their own customers? As far as I knew it's some sort of NFC payment that you already can do in many countries via contactless debit and credit cards. Only thing was that merchants couldn't access customers' data because of two factor authentication. Basically my bank knows where I shop at and what I buy but merchants don't because they don't know my id. This means that they can't target me directly. Correct me if I am wrong until this point. Interesting thing is that they still do through loyalty cards.

I use Wallet and aPay whenever is convenient which is nearly everywhere that accepts contactless because it's safer and faster. I also use loyalty cards. It's not that I am loyal or something but I use them to get certain discounts. And every single of those shopping giants know what I buy. I know because they send me personal discount emails of the products I buy from them. What this fuss is all about then? I suppose it's that fee that they are paying to Apple and from merchants' point of view, they cannot track disloyal shoppers accurately. What if Apple accepts those Australian banks' request and make NFC chip accessible for them to use directly? Apple will lose their per purchase fee, banks won't have to pay that fee to a middleman and profit more and since two-factor authentication is still the thing, merchants won't gain any access to my purchase behaviour unless Apple opens up secure element's data to banks, too. If I got everything correctly, I don't give a f... about their mud-wrestle as long as I get the secure (and private) service.

 

[Seoras]

It's a sign of the times and of how powerful the banks believe themselves to be.

Why do they think they deserve anything at all? You can just complain to the government and demand that a company who has developed a hardware business entirely on its own has to let you use certain features of it.

Apple should say "ok, fine, but you have to turn every 3rd bank branch into an Apple store and your tellers will work for us for free."

 

[kdarling]

This document on Apple's site explains it:
...
From reading that, it seems like Apple has it fairly locked down as it's tied in over a dedicated hardware bus to the secure enclave. They could always add a second NFC chip to handle other types of NFC transactions (and I wish they would for things like unlocking my doors),
...
but I may be wrong as I'm no expert in this field. I'm just interpreting what I've read with my limited capacity to understand it.

All such chip systems have a dedicated line. You see, Apple did not invent any of the NFC Controller/Secure Element concept. The system and chips were already thought out long before Apple started using NFC. (How else do you think contactless payments worked all this time?)

You are right that the whole point of the Secure Element is that it is the only thing allowed to talk over NFC to the payment terminal. This prevents user programs from intercepting and spoofing comms. Also, allowing other NFC applets would not compromise Apple Pay.

-- NFC applets are registered by id:

When you hold a card up to a store terminal, the terminal sends what NFC Application IDs (AIDs) it can support. E.g. MC, Visa, Oyster, etc. The NFC Controller in your device picks out which Secure Element applet is registered for that AID, and shunts further comms to that particular applet in the Secure Element.

The Secure Element can send events (such as "payment complete") to the user application associated with that particular Secure applet, to alert the user.

In other words, an Oyster card id from a terminal would cause the Oyster app to pop up. A Mastercard app id causes the Mastercard (or often, a combination Wallet app such as Apple Pay or Android Pay) to start. Ditto for other bank cards, loyalty cards, travel cards, door swipe cards, you name it.

Each NFC applet only sees comms meant for it. And user apps only see rather bland events meant for them.

-- User's choice for applet to UI binding:

The most important part is that normally the device owner gets to pick what user app launches for each NFC app id. Obviously most of the time there's only one user app (say, for Oyster) so it doesn't matter. BUT for credit cards... where the payment applets are always static for a particular type (MC/Visa/etc)... the choice is really about which WALLET app to open to talk to that particular applet.

In other words, there's no reason why an Australian bank could not have its own branded wallet UI register and use the same MC/VISA/AMEX/etc payment applets that the Apple Pay UI talks to. And of course, they could use TouchId or Iris Scan or a passcode just like other iOS apps for user validation.

Apple pay's payment mechanism is through the payment processors (in us see visa and MasterCard) via the already set protocols and non Apple Systems

Correct. Apple itself does nothing during a contactless payment transaction. All that is handled by the Mastercard/Visa/etc applets in the Secure Element.

-- Registration of an account:

Apple takes the cut from the fee that the banks charge the merchants (interchange fees) for providing the secure system of enrolling the cards and the transaction.

Currently, Apple has a lock on registering user accounts with payment applets in the Secure Element. They did this in order to extract money by selling banks such access to their own customers.

This is an artificial restriction gateway designed to make money, nothing else.

Another option is to do something like what Samsung does: they provision a Visa payment applet that any app can use, and Visa ITSELF acts as the gateway for adding new token account numbers.

 

[snicklesnackle]

How much do Apple take from payments vs regular CC purchases?

 

[Douglas B]

The argument that the banks paid for this infrastructure that allows NFC payments seems irrelevant to me. Apple has come along and effectively said to the banks, 'We can offer your customers a really secure way to use 'your' NFC payments system. A way that will save the banks money lost through fraud of stolen cards. You can pay us a small fee for this service. But you'll save so much more than you would have been forking out for fraud.'

 

[Kroo]

So the banks should be charged money every time someone uses Apple Pay when the banks built the infrastructure themselves? how is that fair, also we already have a NFC payments system with out cards anyway so it's not like the banks have no NFC cards already.

EDIT: I assume you all ain't from Australia, so don't take apples side so quickly.

Have you seen how the bank apps work on android? If you did, you would be so quick to take the banks side because its a dogs breakfast. The banks cannot provide the level of security encryption that ApplePay offers simply because they want to track your purchases. They sell that information off to make money out of you. If it's such an issue, why has the ANZ adopted it without a whining fuss? Answer, money. They want full control of your bank account from start to finish. Remember these are the same banks that are being put on notice to change their wicked ways or they'll face the brunt of a royal commission. Hardly a glowing testimony of their integrity. FYI, I AM from Oz and I'm disgusted with the banks delaying tactics. ANZ, here I come.

 

[Poofy1971]

Left Westpac and went to the ANZ. Haven't looked back.

 

[Kroo]

How exactly would the security of NFC be compromised? I see people saying this all the time, but to date, no one has actually shown how the security would be compromised.

Because of encryption keys. ApplePay works on secure encryption keys between touchID and the NFC chip, it's total hardware and software integration. Not even Apple has access to the encrypted data, and you're asking for the banks to have complete access to that? Seriously?!

If the banks had something even close to ApplePay, perhaps, but they don't. Have you seen how the bank apps and NFC work on android? Half a dozen steps to make a purchase. ApplePay, two at the most. Show me where you can trust the banks not to abuse the data stored using your purchase details.

 

[raghu8912]

If Apple looses this case it will be awful, Apple will loose all that commission they get for processing ApplePay.
Apple should say they will open NFC to Banks but if there is any security issue resulting from opening NFC/Touch ID then banks should foot the bill, this should include damages for the Apple brand due to security breach.

 

[69Mustang]

Because of encryption keys. ApplePay works on secure encryption keys between touchID and the NFC chip, it's total hardware and software integration. Not even Apple has access to the encrypted data, and you're asking for the banks to have complete access to that? Seriously?!

If the banks had something even close to ApplePay, perhaps, but they don't. Have you seen how the bank apps and NFC work on android? Half a dozen steps to make a purchase. ApplePay, two at the most. Show me where you can trust the banks not to abuse the data stored using your purchase details.

If the banks were asking for access to Apple Pay that would be one thing. They are not. They are asking for access to NFC. NFC=/=Apple Pay. Apple Pay uses NFC.

 

[Kroo]

How would it compromise it?

Aren't the inner-working of NFC hardware well understood? What new information would anyone gain from this? They're just taking about the hardware, not Apple Pay.

Is this not similar to giving apps access to the GPS? That doesn't mean they can then hack into your Waze account.

EDIT: That's actually an interesting idea, actually. A lot of you say the banks are wrong for wanting to steal Apple's work, which they don't deserve.

So, just curious, if next year Apple tells Waze and Google they can't use the iPhone's GPS and that only Apple Maps can give you directions, would you all agree that that is a reasonable course of action and Waze should suck it up and build their own phone?

Starwman arguments, please! NFC is just a chip that's a conduit between whatever app uses it to transfer data. Apple have encryption keys that encrypt all data between Touch ID, your CC data and the NFC chip. At no point can that data be accessed. What the banks want is to have control over all that, not just the hardware of NFC but Touch ID and software encryption. Thats a big ask as Apple have gone to great lengths to keep all that out of anyones hands, even Apple don't have access to the encryption keys on your device.

So now can you tell me why Apple should make that process less secure by opening it up to banks? Have you seen how the bank apps work on android? Hopeless, so who wants that as the standard now?

 

[raghu8912]

Mate I don't know about you but if I ran a company and built infrastructure that costs millions then company came and ask to use this infrastructure and charge you for it, would you say yes?

Apple is charging for using NFC & Touch ID, if they don't want to pay for this service then so be it, don't enable Apple Pay, use Card with PIN or Android Pay, what are they loosing by not giving the customers the option of Apple Pay, why go to court to force Apple to open the NFC, let customers vote with their wallet, if people prefer to own an iPhone they will buy an iPhone if people to use NFC for payment then they will either switch banks or use Android Phone.

 

[Kroo]

If the banks were asking for access to Apple Pay that would be one thing. They are not. They are asking for access to NFC. NFC=/=Apple Pay. Apple Pay uses NFC.

I see you're still not understanding it, sod I'll have one last go. The NFC, Touch ID software/hardware encryption are tied together for security reasons. What the banks are asking for will cut that secure process up. Please have read before asking such inane questions.

http://www.pocket-lint.com/news/130870-apple-pay-explained-what-is-it-and-how-does-it-work

 

[raghu8912]

Thanks for providing the link. If I was a lawyer for the banks, I would use that document as a defense exhibit. It clearly shows that Apple can offer access to NFC without any issues. Apple Pay has 5 components: Secure Element (industry standard), NFC Controller (industry standard), Wallet (proprietary), Secure Enclave (proprietary), and Apple Pay Servers (proprietary). For the banks to offer competing services they only need 1 & 2, both of which are industry standard. They don't need Wallet, Enclave, or Apple Pay Servers.

Customers can decide if they want to use Apple Pay or the bank's offering. Would Apple Pay be more secure? Maybe, maybe not. Without knowing what the bank's would offer there's no way to know. Choice

So you are saying open it up, when there is a security breach then determine what to do ?

 

[2010mini]

You're confused. The banks aren't asking for access to Apple's proprietary software or hardware. Their asking for NFC access. Not propritary.

Isn't Apple asking for access to the bank's customers?

They would need access to the secure enclave for that.

 

[Kroo]

Customers can decide if they want to use Apple Pay or the bank's offering. Would Apple Pay be more secure? Maybe, maybe not. Without knowing what the bank's would offer there's no way to know. Choice

Ummm, you don't need to go far, just ask someone with and android phone how their banking apps work with open NFC payments. Crap, thats what it is, and hardly choice. The banks can't even come close to ApplePay in the security sense, and these are the same banks that allow tap and go CC fraud to go on and on without a worry, while that fraud comes out of your pocket by the fees you pay. You trust the banks to have greater care over security than Apple? Oh please!!!