Because of encryption keys. ApplePay works on secure encryption keys between touchID and the NFC chip, it's total hardware and software integration. Not even Apple has access to the encrypted data, and you're asking for the banks to have complete access to that? Seriously?!

You're confused. Apple Pay works with passcode as well. TouchId is simply a shortcut for passcode entry.

Show me where you can trust the banks not to abuse the data stored using your purchase details.

The banks still get all the same purchase details that they always did. Nothing has changed in that respect.

Well, except that Apple demands that the banks send back Apple Pay purchase statistics. (That's so Apple can continue to claim they don't capture any info during a transaction. Instead, they get the banks to send aggregate info back later on.)

It's the merchants who no longer see the name and real account number pass by. Of course, if you use a loyalty card they can instantly associate the token account number with you.
 
The only bad thing is from a security perspective. Currently Apple holds the only keys to their NFC chip. Opening this up means weakening the chip's overall security. For me that's a VERY bad thing.

I am not buying the security argument. Banks have inherent need for security and have already developed technologies and processes designed to protect consumers and financial institutions alike. All they are asking for is access to the technology inside the phone. Their argument makes sense.

Imagine if Apple made a computer with a bluetooth technology that can only be used with Apple's own bluetooth devices. And you had to pay a fee to Apple each time you used said connection. That's basically what Banks are experiencing with Apple Pay. The hardware is locked down, so they can't develop competing payment solutions and they are forced to use Apple's pay-to-play scheme. They are saying - let us access the hardware that's inside to level the plan and encourage competition in this emerging market.

It's kind of like having Visa. Sure, banks that want to issue credit cards will need to pay Visa a fee to use their payment processing system, but they can also shop around and use Master Card or American Express, and so on. I think that's largely the argument. Technology changes things and now that piece of plastic we all carry around is being embedded into phones as NFC chip. Laws have to catch up.
 
What the banks want is to have control over all that, not just the hardware of NFC but Touch ID and software encryption.

So now can you tell me why Apple should make that process less secure by opening it up to banks?

Well that's not what the document from the banks said.

I'm willing to believe that they're not being truthful, but them lying to me does not mean I'm making a strawman argument. It means I've been lied to.
 
So you're saying that if a company creates a product, both hardware and software, that other entities can request that the government mandate how that product is implemented? Unless it's a monopoly, I don't agree with your statement, "it should not matter Apple created the platform."

You also state that, "they should not make an artificially hardware limitation (locked NFC) to prevent competition of their own services." Why not? If I create a product, what legal precedent forces me to make it available to my competition?

A lot of people in this thread are going on about the security implications. Regardless of whether security is actually a concern, the truth is it's Apple's product and they can implement it any way they want (which you stated). However, I don't see how the government can require them to open up their platform if they don't want to unless they have a monopoly, which they don't.

So you think Samsung should be able to make SamiMusic and limit the headphone jack to AppleMusic on a Galaxy Phone? Microsoft can limit the WiFi card to iTunes on the Surface Pro? Google can block the Bluetooth chip to all map services except GoogleMaps on the Pixel? None of them as individual hardware makers have a monopoly in phones or tablets.

You also give Apple rights because they created "both hardware and software" but Apple did not create NFC, the CP terminals or the entire banking system it operates on (and ApplePay would be useless without). Nobody ever blocked any other company (including Apple) from that network (Bank of America was building in 1997) or the NFC tech (SONY helped create in 2002). But now you think Banks have no right to complain when Apple uses the tech and cuts them out?

And yes, The government can to an extent dictate rules to your business. Because in the end Apple (and any other company) are using the federal market space a country created and maintains. You also benefit from access to the federal services that protect you and that business.
 
The tl;dr is pretty simple:

Aussie banks are used to monopolising the banking system here, including credit cards and home loans. Lots of $$$.
Along comes Apple who want to deny third party access to their NFC-payment device, and the banks cry "monopoly!"

If this situation was reversed, the banks here lock it down from competitors and wire it so that they were the only provider giving access (and making a few cents from every transaction.)
 
So you think Samsung should be able to make SamiMusic and limit the headphone jack to AppleMusic on a Galaxy Phone? Microsoft can limit the WiFi card to iTunes on the Surface Pro? Google can block the Bluetooth chip to all map services except GoogleMaps on the Pixel? None of them as individual hardware makers have a monopoly in phones or tablets.

You also give Apple rights because they created "both hardware and software" but Apple did not create NFC, the CP terminals or the entire banking system it operates on (and ApplePay would be useless without). Nobody ever blocked any other company (including Apple) from that network (Bank of America was building in 1997) or the NFC tech (SONY helped create in 2002). But now you think Banks have no right to complain when Apple uses the tech and cuts them out?

And yes, The government can to an extent dictate rules to your business. Because in the end Apple (and any other company) are using the federal market space a country created and maintains.

Verizon used to actually do this, the GPS in early Verizon GPS phones was only accessible to Verizon's own VCast navigation app that was ungodly expensive. They, too, claimed security. It's amazing how people will defend it when it's Apple doing it...

You can do whatever you want with the hardware, but that doesn't mean Apple has to make it easier for you to do so by handing you the keys to its API's. Part of the reason security on the iPhone works in regards to things like TouchID and ApplePay is precisely because ONLY Apple knows how to talk to and from the SecureEnclave. If you open up those API's to anyone, that security advantage vanishes completely and the whole system becomes meaningless.

No, no it doesn't. For one, I'm not suggesting the secure element be opened up. Competitors could use a cloud-based host card emulation system, like how payments work on Android. There's really no need at all to use a hardware secure element, the main reason Apple does is precisely to make this claim.

I'm still not sure how this new justification helps the banks. I feel like what Apple should be providing in terms of software is way out of scope and are best resolved through some other mechanism. It'd be like the banks demanding that Samsung provide an API to allow them to use its MST capability before they agree to sign up with Samsung Pay.

As I noted in my post above, I'm very conflicted on this one, but it's amazing how many people will defend Apple on this. No one, except the most hardened Verizon fanboys, defended their GPS restrictions. That said, in this case... there's no true good guy. The banks that have made their own payment apps on Android have come up with some pretty awful results (not all of them, Amex Pay is fine. Barclaycard Contactless Mobile is literally unusable rubbish).

How much do Apple take from payments vs regular CC purchases?

Apple takes a share from the bank and network profit, which is confidential information. I've heard rumours of 30 basis points, but if true, is likely US only. Here in the UK, interchange is capped at 30 basis points for credit and 20 basis points for debit, and I'm sure Apple isn't getting all/150% of it :) - Merchants get charged the same as for any other contactless purchase, which is a card-present rate, and sometimes slightly cheaper than dip/swipe.

The argument that the banks paid for this infrastructure that allows NFC payments seems irrelevant to me. Apple has come along and effectively said to the banks, 'We can offer your customers a really secure way to use 'your' NFC payments system. A way that will save the banks money lost through fraud of stolen cards. You can pay us a small fee for this service. But you'll save so much more than you would have been forking out for fraud.'

Contactless is already incredibly secure. Apple Pay isn't offering that much. It's far more secure than swiping, which was super common in America. But all Apple Pay is offering for contactless is a second authentication factor, which helps, but not a ton.

They would need access to the secure enclave for that.

No. Host-based card emulation using payment data in the cloud.

So you think Samsung should be able to make SamiMusic and limit the headphone jack to AppleMusic on a Galaxy Phone? Microsoft can limit the WiFi card to iTunes on the Surface Pro? Google can block the Bluetooth chip to all map services except GoogleMaps on the Pixel? None of them as individual hardware makers have a monopoly in phones or tablets.

You also give Apple rights because they created "both hardware and software" but Apple did not create NFC, the CP terminals or the entire banking system it operates on (and ApplePay would be useless without). Nobody ever blocked any other company (including Apple) from that network (Bank of America was building in 1997) or the NFC tech (SONY helped create in 2002). But now you think Banks have no right to complain when Apple uses the tech and cuts them out?

And yes, The government can to an extent dictate rules to your business. Because in the end Apple (and any other company) are using the federal market space a country created and maintains.

I think your conclusion is right, but your argument is wrong. The banks don't have as much right to complain, as I see it, as consumers do. It isn't the bank's hardware, after all, it is the consumer's. And we should, fundamentally, be demanding more open platforms.
 
Australian banks are cashed up wankers. They are so far up their collective ass', they are just ****** because they don't have total control.
 
I see you're still not understanding it, so I'll have one last go. The NFC, Touch ID software/hardware encryption are tied together for security reasons. What the banks are asking for will cut that secure process up. Please have a read before asking such inane questions.

http://www.pocket-lint.com/news/130870-apple-pay-explained-what-is-it-and-how-does-it-work
Kroo, it's you who lack the understanding. Banks aren't asking for access to Apple Pay. They want access to NFC. They're not the same thing. NFC and Touch ID aren't tied together. Apple Pay can be used with a pin code, so it's definitely not tied to Touch ID. Touch ID is an option. Maybe you should read Apple's explanation of what Apple Pay is instead of Pocket Lint's version. ;) Regardless, it's immaterial what Apple Pay does or how it works since the banks aren't asking for access to it. Apple Pay has 5 parts. 3 of them are proprietary to Apple. 2 aren't. Banks are asking for access to the 2 that aren't: the NFC Controller and the Secure Element.

edit: it looks like they don't even need access to the secure element, so they only need NFC access.

So you are saying open it up, when there is a security breach then determine what to do?
The NFC Controller and Secure Element have been used for years with no issue. Why are you assuming there will be an issue if the banks have access?

They would need access to the secure enclave for that.
They would need access to the secure enclave if they wanted to piggyback on Apple's implementation. They don't need access to the secure enclave to have access to NFC and the Secure Element. Apple routes the transaction through the enclave. The bank wouldn't need to do that. Apple Pay uses NFC, it isn't NFC.

Ummm, you don't need to go far, just ask someone with an Android phone how their banking apps work with open NFC payments. Crap, that's what it is, and hardly choice. The banks can't even come close to ApplePay in the security sense, and these are the same banks that allow tap and go CC fraud to go on and on without a worry, while that fraud comes out of your pocket by the fees you pay. You trust the banks to have greater care over security than Apple? Oh please!!!
Whether or not a banking app is crappy, inelegant, or smells like corn chips is not relevant to giving customers a choice. If they make a crappy implementation then no one will want to use it. If they make a decent one, some will want to use it. Some will want Apple Pay. It's having the option to choose, that's what's important.
 
Apple would rather never offer Apple Pay in Australia than compromise the security of the entire system globally. Australia is a small market by comparison. This will go absolutely nowhere for the banks involved and is a huge waste of time.

I'd personally rather have a secure phone as well, the banks already have good apps and their own credit cards... I'll just swap my bank account to ANZ who already offer the service. The thing is though the .18c Apple charge per transaction. I'm worried that banks and businesses will just pass this on to consumers. A small coffee is already $3.50-$4 in Sydney, we're already paying exorbitant prices for all of our goods. I also hate the whole Apple tax thing here. We pay stupid prices for everything
 
So the banks should be charged money every time someone uses Apple Pay when the banks built the infrastructure themselves? How is that fair, also we already have a NFC payments system with our cards anyway so it's not like the banks have no NFC cards already.

EDIT: I assume you all ain't from Australia, so don't take apples side so quickly.


These banks didn't build anything. They offer credit card systems that the major corporations like American Express, Visa, etc., built. Apple, on the other hand, spent billions of dollars building a platform to bring vetted customers securely with almost zero fraud expense, to the banks so the banks can make more money and offer a free service to its customers. For that, Apple is paid 15 cents on every $100 purchase, or for that cup of coffee at Starbucks, less than a half cent. All the studies show Apple Pay increases credit card usage, eliminates most fraud expense, and is seen as a huge benefit to customers. Thus, the banks make out huge with Apple Pay and that's why thousands of them have jumped on board around the world.
 
Apple have never said they have NFC, unlike other systems that tout it as a feature. They have it as it's a necessity to access the terminal for Apple Pay. So one could argue it's not even a feature to ask access to.

I would love it if Apple would let you link bluetooth speakers via NFC. It works well on Sony speakers and Android phones. But if it ain't happening, for whatever reason Apple wants to use, it ain't happening. Should I get a lawyer to whinge for me? What if an Android phone shows different home screen info and I want it on my iPhone? They both have screens. Should I try to force Apple into doing it on the grounds the hardware support is built in?

If an idea is popular enough, Apple will put it in at some stage. These banks are purely after fee-free access.

I recently had a "discussion" with ANZ (one of the Apple Pay banks). All they care about is making record profits. Bugger doing the right moral thing. They changed the type of card I used to a Visa card, without consent, which affected how the card was viewed at stores. Only after I contacted them did they offer to waive two years of fees. Wouldn't even entertain looking back through their records to see how many years they had been skimming my account. "We can change the terms and conditions" was the answer I received from the uppity customer complaints person. I'm sorely tempted to change banks. I still might. Any business that treats their customers like that deserves us to vote with our feet. Contempt can work both ways and banks need to realise word of mouth on social media lets anyone share their tale with potential customers. Do a search online and you'll find other customers who feel similarly ripped off by ANZ and their monthly account keeping fees (with suggestions of which banks offer accounts without fees). I have banked with them for 16 years and yeah I'm pretty unimpressed at the moment.
I'd personally rather have a secure phone as well, the banks already have good apps and their own credit cards... I'll just swap my bank account to ANZ who already offer the service. The thing is though the .18c Apple charge per transaction. I'm worried that banks and businesses will just pass this on to consumers. A small coffee is already $3.50-$4 in Sydney, we're already paying exorbitant prices for all of our goods. I also hate the whole Apple tax thing here. We pay stupid prices for everything

Have a look or talk to merchants who will tell you that contactless payments (PayWave) have huge fees attached. For the convenience of just tapping either the customer or the business is getting slugged. Aldi charges your debit card like it is a credit card 0.5% surcharge. Swipe it and type your PIN and you won't get charged for using your Savings account. The arrogant banks are laughing all the way to the ... groan ... bank.
 
As far as I understand it. Banks want user data when Apple Pay is used so they can track people as they do with all other purchase methods. They sell the data to 3rd parties and make money off it. The excuse of competition and access to APIs is just a ruse to get user data or reduce fees Apple takes on Apple Pay payments.

I have zero sympathy for banks, that restrict access to your money. They set withdrawal limits when clearly it doesn't benefit the customer, they refuse to implement new payment methods that are more secure! They loan money to influential people so they can buy companies and assets that then put that company in massive debt as they transfer over that purchase fee! They make bad trades and deals, charge for their services and offer rewards based on unachievable requirements. Banks have for a long time been dodgy and put pressure on governments for bailout when things go bad. I'm of the opinion they need less control not more. This case should be thrown out and it has nothing to do with it being an Apple-based case.
 
Have a look or talk to merchants who will tell you that contactless payments (PayWave) have huge fees attached. For the convenience of just tapping either the customer or the business is getting slugged. Aldi charges your debit card like it is a credit card 0.5% surcharge. Swipe it and type your PIN and you won't get charged for using your Savings account. The arrogant banks are laughing all the way to the ... groan ... bank.

Umm? No, at least here in Europe there are discounts for taking contactless sometimes (incentives to upgrade), on small transactions.

Also, Aldi doesn't charge a credit card surcharge. If they did, I'd avoid them like the plague. At least here in the UK, VERY few places charge card surcharges. Mostly small/local businesses. Happy Lemon charges 50p for under £5. I love Happy Lemon, and still go there because there's nothing like it, but it's daylight robbery. For comparison, I was just at a Happy Lemon in Manila, PH last month. For my favourite drink, that's £4.50, it was 100 PHP (about £1.50, or 1/3 of the price). Now, they don't take cards at all in the Philippines. But for THREE TIMES THE PRICE they charge in other markets, they can afford to take cards with no fee.

Another HORRIBLE offender is a new shop in Westfield, called Typo. They're an Australian stationery chain with super cute things - and very high prices that easily cover any cost of taking cards. When I got to the checkout, I saw a sign advising there is a 3% surcharge on American Express. NO WAY, I put my items back and explained that if they don't want to take Amex, fine, that's their choice. But a surcharge at the till? NOT A CHANCE you will EVER get my business.

Surcharges are incredibly nasty additional revenue streams with little or no connection to actual costs. One, they're usually set higher than cost (taking Amex does not cost anywhere near 3%). Two, they assume handling cash is free - it isn't, it's usually one of a company's biggest costs. Taking cards saves shops money. These fees are just nasty, and I, for one, avoid the (thankfully rare) places that charge them.
As far as I understand it. Banks want user data when Apple Pay is used so they can track people as they do with all other purchase methods. They sell the data to 3rd parties and make money off it. The excuse of competition and access to APIs is just a ruse to get user data or reduce fees Apple takes on Apple Pay payments.

Reduce fees, banks still get the data :) it's the shops that don't get it anymore. Banks need it to charge you!

But, they're right. For the wrong reasons, and I hate bank apps (they're usually rubbish, and at best are no better). They're right because more open hardware is something we should all demand.
 
Umm? No, at least here in Europe there are discounts for taking contactless sometimes (incentives to upgrade), on small transactions.

Also, Aldi doesn't charge a credit card surcharge. If they did, I'd avoid them like the plague. At least here in the UK, VERY few places charge card surcharges. Mostly small/local businesses. Happy Lemon charges 50p for under £5. I love Happy Lemon, and still go there because there's nothing like it, but it's daylight robbery. For comparison, I was just at a Happy Lemon in Manila, PH last month. For my favourite drink, that's £4.50, it was 100 PHP (about £1.50, or 1/3 of the price). Now, they don't take cards at all in the Philippines. But for THREE TIMES THE PRICE they charge in other markets, they can afford to take cards with no fee.

Another HORRIBLE offender is a new shop in Westfield, called Typo. They're an Australian stationery chain with super cute things - and very high prices that easily cover any cost of taking cards. When I got to the checkout, I saw a sign advising there is a 3% surcharge on American Express. NO WAY, I put my items back and explained that if they don't want to take Amex, fine, that's their choice. But a surcharge at the till? NOT A CHANCE you will EVER get my business.

Surcharges are incredibly nasty additional revenue streams with little or no connection to actual costs. One, they're usually set higher than cost (taking Amex does not cost anywhere near 3%). Two, they assume handling cash is free - it isn't, it's usually one of a company's biggest costs. Taking cards saves shops money. These fees are just nasty, and I, for one, avoid the (thankfully rare) places that charge them.
I have no idea who wrote that quote but it definitely wasn't me. MR's commenting system made a boo boo.
 
How exactly would the security of NFC be compromised? I see people saying this all the time, but to date, no one has actually shown how the security would be compromised.

The current way Apple Pay works is the credit card is registered and a token is stored on the device. When you go to pay for something temporary credit card credentials are created and sent. This is a single use card that if stolen is useless. This is something that is marketed by Apple and is at the heart of its benefit.

Now say they open up the NFC capabilities. This security feature is of course bypassed or has to be replicated on a per bank basis, credit card details can be stored on the device and sent as is. Now Apple can't market this feature anymore because it has too many conditions for the average consumer to understand.

Now I'll take two banks in that consortium and their security measures on their website. Westpac can only accept uppercase characters and numbers and only 6 of them. To combat this atrocious level of security they put an onscreen keyboard which I would say is actually less secure because it means onlookers can see your password easily. BankWest's two-factor authentication (what I use) can only accept a 4 digit pin plus your token. This is very low security compared to industry best practice. Do you think if Apple opened up their NFC hardware these banks would provide the same level of security as Apple do? Or just cut corners to get the product out?
 
I have no idea who wrote that quote but it definitely wasn't me. MR's commenting system made a boo boo.

Oops! Sorry!
The current way Apple Pay works is the credit card is registered and a token is stored on the device. When you go to pay for something temporary credit card credentials are created and sent. This is a single use card that if stolen is useless. This is something that is marketed by Apple and is at the heart of its benefit.

Now say they open up the NFC capabilities. This security feature is of course bypassed or has to be replicated on a per bank basis, credit card details can be stored on the device and sent as is. Now Apple can't market this feature anymore because it has too many conditions for the average consumer to understand.

Now I'll take two banks in that consortium and their security measures on their website. Westpac can only accept uppercase characters and numbers and only 6 of them. To combat this atrocious level of security they put an onscreen keyboard which I would say is actually less secure because it means onlookers can see your password easily. BankWest's two-factor authentication (what I use) can only accept a 4 digit pin plus your token. This is very low security compared to industry best practice. Do you think if Apple opened up their NFC hardware these banks would provide the same level of security as Apple do? Or just cut corners to get the product out?

First, the first paragraph is completely and totally untrue. There is no single-use card. There is a tokenised account (which Apple calls a DAN - Device Account Number), but it is not single use - it's unique to the device and is regenerated only if the bank asks for it to be, or if you remove and re-add the card. Otherwise things like public transit fare calculations and returns wouldn't work. The single use part is the cryptogram, which *all* EMV transactions have. Apple's marketing is intentionally confusing here. Tokenisation helps a little, but in truth the original PAN (Primary Account Number) isn't terribly useful anymore, as few places allow PAN+expiration date alone anymore, thus requiring more data that can't be obtained simply by reading a chip card (contact or contactless).

Second, Apple can still market Apple Pay however they want. Don't allow third-party apps to use the Apple Pay name and don't allow them to access the secure element (but DO support host card emulation so they can do this with a cloud-based solution instead).

The onscreen keyboard prevents keylogging, which is far more common than onlookers. It's not perfect, because it isn't two-factor - but it's actually not a bad solution for single-factor authentication. 4 digit PIN + OTP (one time password, not one true pairing) is just fine, to be honest. At least as long as attempts are rate limited, this is very good security.

Lastly, does it matter? The idea of open hardware is you can do what you want with it and run what you want on it. I agree, due to the special nature, the secure element needs to stay the exclusive territory of Apple Pay. But secure element use just isn't needed, and Apple could provide proper NFC support including host card emulation APIs without compromising their security.
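
Added example (not part of any post in this thread, and not Apple's or any card network's code): a toy issuer and device showing the distinction drawn in the post above, where the device token stays the same across purchases while a per-transaction cryptogram changes and cannot be replayed. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the class names, field names, PAN and terminal nonces are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, dan, atc, amount_cents, terminal_nonce):
    """Stand-in cryptogram: HMAC-SHA256 over the transaction data (not real EMV)."""
    msg = f"{dan}|{atc}|{amount_cents}|{terminal_nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Device:
    """Holds the device-specific token (DAN stand-in) and the key for it."""

    def __init__(self, dan, key):
        self.dan = dan
        self._key = key
        self.atc = 0  # transaction counter, incremented on every payment

    def pay(self, amount_cents, terminal_nonce):
        self.atc += 1
        return {
            "dan": self.dan,  # same value on every purchase
            "atc": self.atc,
            "amount_cents": amount_cents,
            "terminal_nonce": terminal_nonce,  # fresh value chosen by the terminal
            "cryptogram": cryptogram(
                self._key, self.dan, self.atc, amount_cents, terminal_nonce
            ),
        }


class Issuer:
    """Maps tokens back to the real account and verifies each cryptogram."""

    def __init__(self):
        self._tokens = {}

    def provision(self, pan):
        dan = "DAN-" + secrets.token_hex(6)  # constructed token format
        key = secrets.token_bytes(32)
        self._tokens[dan] = {"pan": pan, "key": key, "last_atc": 0}
        return Device(dan, key)

    def authorize(self, tx):
        rec = self._tokens.get(tx["dan"])
        if rec is None:
            return "declined: unknown token"
        expected = cryptogram(
            rec["key"], tx["dan"], tx["atc"], tx["amount_cents"], tx["terminal_nonce"]
        )
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["atc"] <= rec["last_atc"]:
            return "declined: counter already used"
        rec["last_atc"] = tx["atc"]
        return "approved"


def demo():
    issuer = Issuer()
    phone = issuer.provision(pan="4000000000000002")  # constructed test PAN
    tx1 = phone.pay(450, terminal_nonce="a1b2c3d4")   # constructed nonces
    tx2 = phone.pay(1200, terminal_nonce="0f1e2d3c")
    return {
        "first": issuer.authorize(tx1),
        "second": issuer.authorize(tx2),
        "same_token": tx1["dan"] == tx2["dan"],
        "same_cryptogram": tx1["cryptogram"] == tx2["cryptogram"],
        # Captured message sent again unchanged: counter is stale.
        "replay_verbatim": issuer.authorize(dict(tx1)),
        # Captured cryptogram presented against a new terminal challenge.
        "replay_new_terminal": issuer.authorize({**tx1, "terminal_nonce": "deadbeef"}),
        # Captured cryptogram with the counter bumped to look fresh.
        "replay_bumped_counter": issuer.authorize({**tx1, "atc": 3}),
        # Token with no provisioning record at the issuer.
        "unknown_token": issuer.authorize({**tx1, "dan": "DAN-000000000000"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
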
 
The current way Apple Pay works is the credit card is registered and a token is stored on the device. When you go to pay for something temporary credit card credentials are created and sent. This is a single use card that if stolen is useless. This is something that is marketed by Apple and is at the heart of its benefit.
I understand how Apple Pay works. How Apple Pay works is immaterial to the banks' request for access to NFC.

Now say they open up the NFC capabilities. This security feature is of course bypassed or has to be replicated on a per bank basis, credit card details can be stored on the device and sent as is. Now Apple can't market this feature anymore because it has too many conditions for the average consumer to understand.
The security features don't have to be replicated on a per bank basis. NFC for banking is a well documented, tried and true process. Banks can use the same process used for Android Pay/Samsung Pay (minus the MST feature). The card details still aren't stored on the phone, nor are they sent as is. Tokenization isn't something Apple created. Why wouldn't Apple be able to market Apple Pay just as they have before? Giving banks access to NFC in no way changes how Apple implements Apple Pay. I don't think you have a good grasp of what Apple Pay is and what's being asked by the banks. They don't affect each other.
 
I understand how Apple Pay works. How Apple Pay works is immaterial to the banks' request for access to NFC.


The security features don't have to be replicated on a per bank basis. NFC for banking is a well documented, tried and true process. Banks can use the same process used for Android Pay/Samsung Pay (minus the MST feature). The card details still aren't stored on the phone, nor are they sent as is. Tokenization isn't something Apple created. Why wouldn't Apple be able to market Apple Pay just as they have before? Giving banks access to NFC in no way changes how Apple implements Apple Pay. I don't think you have a good grasp of what Apple Pay is and what's being asked by the banks. They don't affect each other.

I'm sure you don't have any idea how software development works. NFC is a communication device. It doesn't do anything with tokens or anything. The NFC in cards these days is a fixed token which can be hijacked and there are a lot of black hat / white hat presentations about how to exploit this. The banks will use this same method because it's a lot quicker to implement and can therefore be hijacked. They CAN implement their own temporary tokens, but if the NFC is open they don't HAVE to. My examples with the banks are to explain they don't have security at the top of their priorities and therefore unlikely to implement it in the same secure manner, hence lowering the security of the device.

Apple can't (they can but it turns into a minefield of asterisks that layperson can't grasp) market it anymore because people will use their cards believing they are more secure because it's an iPhone however if the NFC is open the banks' implementation is the weakest link. When their details are hijacked it will immediately be assumed that Apple Pay has been hacked. Just the same as people thought iCloud had been hacked despite it coming to light it was due to weak passwords / social engineering (the fappening, and there are many other examples). Now Apple might open up NFC in a limited manner in the coming iOS releases which might mean that banks could engineer the same security with ease but I have no idea if this is Apple's intended path.

Don't personally attack someone who is trying to explain something as requested. I gave you the details and although you might disagree I can assure you I know what I'm talking about.
 
69Mustang said:
Isn't Apple asking for access to the bank's customers?
No. All information is anonymised and encrypted in the secure enclave.

Once your card is approved, your bank or your bank’s authorized service provider creates a device-specific Device Account Number, encrypts it, and sends it along with other data (such as the key used to generate dynamic security codes unique to each transaction) to Apple. Apple can’t decrypt it, but will add it to the Secure Element within your device. The Secure Element is an industry-standard, certified chip designed to store your payment information safely. The Device Account Number in the Secure Element is unique to your device and to each credit or debit card added. It’s isolated from iOS and watchOS, never stored on Apple Pay servers, and never backed up to iCloud. Because this number is unique and different from usual credit or debit card numbers, your bank can prevent its use on a magnetic stripe card, over the phone, or on websites.

Apple doesn’t store or have access to the credit, debit, or prepaid card numbers you added to Apple Pay. Apple Pay only stores a portion of your actual card numbers and a portion of your Device Account Numbers, along with a card description, to help you manage your cards.

I understand how Apple Pay works.
Clearly you don't.
NFC for banking is a well documented, tried and true process.
Well documented to be open to attacks, hence the generation of a unique token not associated with your cards or accounts.
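
The contrast drawn in the posts above between a fixed card token and the "dynamic security codes unique to each transaction" from the quoted Apple description, as an added example that is not part of the original thread. It is a simplified HMAC-and-counter model, not the actual EMV cryptogram algorithm; the token, Device Account Number and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class StaticTokenIssuer:
    """Accepts a fixed token, so an identical copy is always accepted again."""
    def __init__(self, token):
        self.token = token
    def authorize(self, presented):
        return hmac.compare_digest(presented, self.token)

def _code(key, dan, counter, amount):
    # Per-transaction code bound to the device number, counter and amount.
    msg = f"{dan}|{counter}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class DynamicCodeIssuer:
    """Provisions a per-device key and rejects stale or altered transactions."""
    def __init__(self):
        self._keys, self._last = {}, {}
    def provision(self, dan):
        self._keys[dan], self._last[dan] = secrets.token_bytes(32), 0
        return self._keys[dan]
    def authorize(self, tx):
        key = self._keys.get(tx["dan"])
        if key is None:
            return False
        expected = _code(key, tx["dan"], tx["counter"], tx["amount"])
        if not hmac.compare_digest(expected, tx["code"]):
            return False                      # altered field or wrong key
        if tx["counter"] <= self._last[tx["dan"]]:
            return False                      # counter already used: replay
        self._last[tx["dan"]] = tx["counter"]
        return True

class Device:
    """Stands in for the secure element: holds the key, increments a counter."""
    def __init__(self, dan, key):
        self.dan, self._key, self._counter = dan, key, 0
    def pay(self, amount):
        self._counter += 1
        return {"dan": self.dan, "counter": self._counter, "amount": amount,
                "code": _code(self._key, self.dan, self._counter, amount)}

def demo():
    static = StaticTokenIssuer("TOKEN-CONSTRUCTED-0001")
    copy = "TOKEN-CONSTRUCTED-0001"           # same value presented twice
    static_twice = static.authorize(copy) and static.authorize(copy)
    issuer = DynamicCodeIssuer()
    dan = "DAN-CONSTRUCTED-0001"
    device = Device(dan, issuer.provision(dan))
    tx = device.pay(1250)
    first, replayed = issuer.authorize(tx), issuer.authorize(dict(tx))
    altered = issuer.authorize({**device.pay(1250), "amount": 999900})
    return static_twice, first, replayed, altered
```
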
 
To people saying Apple should just say no to the banks... Did it ever occur to you that it might be Apple that's asking them to embrace Apple Pay, and they refuse?


If the 1st rate programmers Apple hires are able to wipe devices clear of their music, brick iPhones and can't keep iCloud / iMessage up, I wonder what these 3rd rate programmers would do, sure!
/s


Did it ever occur to you that some people on this thread might be customers who have asked their banks to implement Apple Pay? I've already got the NAB and Commbank apps on my phone, adding NFC to those apps isn't remotely as useful to me as Apple Pay would be. I want a secure single payment system which can store all my cards from different banks and let me choose how to pay. If I lose half the security and have to choose which app to open on the phone, I may as well just pull out my wallet and rifle through for the card, which is already NFC enabled.
 
I personally liked Apple Pay just for the 'convenience' factor, I banked with the CBA for 25 years and changed from them to ANZ just to use Apple Pay. I may be alone in changing banks purely for Apple Pay, but the fact I don't need a wallet for the majority of time is a massive 'Plus' for me!

Hope the other 3 'Majors' in Australia will cave in...
 
I am not buying the security argument. Banks have inherent need for security and have already developed technologies and processes designed to protect consumers and financial institutions alike. All they are asking for is access to the technology inside the phone. Their argument makes sense.

Imagine if Apple made a computer with a bluetooth technology that can only be used with Apple's own bluetooth devices. And you had to pay a fee to Apple each time you used said connection. That's basically what Banks are experiencing with Apple Pay. The hardware is locked down, so they can't develop competing payment solutions and they are forced to use Apple's pay-to-play scheme. They are saying - let us access the hardware that's inside to level the plan and encourage competition in this emerging market.

It's kind of like having Visa. Sure, banks that want to issue credit cards will need to pay Visa a fee to use their payment processing system, but they can also shop around and use Master Card or American Express, and so on. I think that's largely the argument. Technology changes things and now that piece of plastic we all carry around is being embedded into phones as an NFC chip. Laws have to catch up.

LOL. Only on MacRumors could you have the Apple hate so strong that folks would take the side of a tiny group of billionaire bankers over denying a service that consumers get for free and are clamoring for, and mom and pop small business owners get to use for free, because the bankers want to make more money and have more of your information.

A service that most of the small banks and credit unions in Australia eagerly offer to their customers. A service that thousands of banks the world over have eagerly signed on to, to make more money and offer for free to their customers. LOL. LOL. LOL. How do you sleep at night??????

Bankers have been the most vilified occupation the world over, next to journalists and politicians anyway, and they must be laughing their tushes off as they sit around sipping their cognac reading MacRumors to see that they have got some folks labelling them as "poor victims" of the big, bad Apple.
 
I'm so glad I've always been with ANZ. I was a bit sad at first when it was just Mastercard, but then Visa came along too and I couldn't be happier. Paying with my watch is just the best, one less thing I need to get out or put away and everyone everywhere just goes wow I haven't seen that before. I feel like a tool, but I'll gladly keep doing it until it becomes the norm. I can't believe the other banks are greedy. Consumers do have a choice. Get an Android and go through the awful apps or get one of those banking NFC stickers.
 
First, the first paragraph is completely and totally untrue.

It's like I simplified it so it's easier to understand or something!

Second, Apple can still market Apple Pay however they want. Don't allow third-party apps to use the Apple Pay name and don't allow them to access the secure element (but DO support host card emulation so they can do this with a cloud-based solution instead).

Customers don't understand this, especially if the name of the product is something as simple as "Apple Pay". You might, most don't.

The onscreen keyboard prevents keylogging, which is far more common than onlookers. It's not perfect, because it isn't two-factor - but it's actually not a bad solution for single-factor authentication. 4 digit PIN + OTP (one time password, not one true pairing) is just fine, to be honest. At least as long as attempts are rate limited, this is very good security.

Key loggers aren't very prevalent these days except when you have physical access to the computer. Almost all are remote and most of these aren't affected by onscreen keyboards. Even a very basic browser extension can bypass this non-existent security.

The main reason they have resorted to onscreen keyboards is the banking infrastructure (at least in Australia) is archaic. Instead of upgrading it they put these bandaids on things.

Lastly, does it matter? The idea of open hardware is you can do what you want with it and run what you want on it. I agree, due to the special nature, the secure element needs to stay the exclusive territory of Apple Pay. But secure element use just isn't needed, and Apple could provide proper NFC support including host card emulation APIs without compromising their security.

Doesn't bother me but Apple has built their ecosystem around security through exclusivity. I completely understand a lot, especially in the forums, don't like this. You are not being forced to buy Apple, there are plenty of options around in the Android sphere. But with this openness comes problems. The user has to assume more responsibility for their security because open means open to all, not just people doing the right thing. Can everyone deal with this responsibility? Hell no. They shouldn't be forced down a certain path for, let's face it as it was their initial argument, the banks wanting to keep more profit.
 