Australian Banks Seek Open Access to NFC Functions of Apple Pay in New Application

[sir1963nz]

I can't see the security risk of opening NFC hardward access to third-parties.
This is how Apple Pay works:
It provides a secure platform for card issuers (banks) to store and utilize tokenized card information on a phone. Sensitive information is stored on the so called Secure Element, which is seperated from iOS. When a transaction is about to be made, the token is then transmitted through NFC to the merchant for further processing.

Unless Apple can explain how allowing the use of NFC antenna may lead to unauthurized access to the Secure Element, the Australian banks have a point here. NFC technology is only a means to wirelessly transmit data. Without it, third-parties cannot develope their own payment apps, resulting in the monopoly of Apple Pay on iOS.

I would like to quote some sentenses from https://arstechnica.com/gadgets/2014/10/how-mobile-payments-really-work/

• So using this method, Apple not only uses a token as a proxy for a real credit card number that is device-specific and ideally should not be able to be replicated across another device, but it also offloads responsibility for the security of the token and the cryptogram to the card issuer.
• All in all, it seems like a good deal for Apple. The company is not carrying a lot of sensitive information on its servers, and, at the same time, it reportedly receives a cut of the Interchange Fees that banks make on each purchase.
  
• As MasterCard's Sherri Haymond described, "What Apple's role is here is they're the technology platform provider, they're interacting with the consumer, but they're not in the middle of the payment flow at all. All they're doing is facilitating their assets to be transferred."

In short, Apple charges banks to make their issued cards compatible with Apple Pay method, while being "not in the middle of the payment flow at all". Since the major Australian banks already developed their own wireless payment methods, why would they pay Apple for a similar thing? If only Apple opened the NFC hardware, the major banks might provide similar user experience without Apple Pay. From their perspective, Apple is trying to block competition by making NFC exclusive to Apple Pay only.

I use "Paywave" payments, it is no more difficult to get my wallet out than it is to get my phone out.

Apples method how ever also reduces fraud, anyone can use a pay wave card, there is no security, transactions under $50 happen without a PIN.

The banks are also saying they want access to Apple technology that Apple developed for free that will give the banks increased security and as a plus will give them greater access to data for data mining, all for free.

Australian banks are making record profits.

 

[69Mustang]

I use "Paywave" payments, it is no more difficult to get my wallet out than it is to get my phone out.

Apples method how ever also reduces fraud, anyone can use a pay wave card, there is no security, transactions under $50 happen without a PIN.

The banks are also saying they want access to Apple technology that Apple developed for free that will give the banks increased security and as a plus will give them greater access to data for data mining, all for free.

Australian banks are making record profits.

You're late to the thread but in no way, shape, or form are the banks saying they want access to Apple developed technology. They're asking for access to NFC.

 

[JamesPDX]

Banks need to suck it up and join the 21st century. Banks have always built their infrastructure(s) on the backs of their clients over the last hundred years +.

That era is over. People will simply move their money. Nothing personal. It's just business. -After all, that's what financial institutions tell us all the time, "Well sir, that's just the way it is..." Until it isn't, and said bank is in the dust because it refused to evolve to meet the demands of the consumers.

 

[Junis]

Apple would rather never offer Apple Pay in Australia than compromise the security of the entire system globally. Australia is a small market by comparison. This will go absolutely nowhere for the banks involved and is a huge waste of time.

Actually Australia is one of the worlds largest adopters of contact-less payments technologies so it is a pretty big deal for apple and always has been. Search Australia contact-less payments in google and there are articles about the adoption of contact-less tech in AUS. This is one of the reasons why its getting so much attention - if it didn't mean anything to them then you are correct, they would leave it alone and let consumers do the talking by leaving their banks for banks who offer it like ANZ. Fact is apple need the big banks in AUS to adopt this tech

 

[Tech198]

Banks need to suck it up and join the 21st century. Banks have always built their infrastructure(s) on the backs of their clients over the last hundred years +.

That era is over. People will simply move their money. Nothing personal. It's just business. -After all, that's what financial institutions tell us all the time, "Well sir, that's just the way it is..." Until it isn't, and said bank is in the dust because it refused to evolve to meet the demands of the consumers.

We will ? Then people don't care how much they pay. Your mortgage and all, at the expense of simply using Apple pay somewhere else and not at your own bank ? wow.. people really have more money than they know what to do with. Give me lower prices any-day..

I agree. Banks do need to *adopt* Apple pay, Customers do not need to "move" anywhere.. We are thinking like sheep... If something doesn't work, go elsewhere that does.

 

[Wanted797]

Moved my banking to ANZ long ago. God I hope the banks get slammed for this pathetic complaint. Apple make the phone, hardware & software and have ALWAYS been a closed system. They don't have to do anything for any company.

 

[Douglas B]

Apple did not invent nor does it own in any way the standard protocols being used. EVMCo and its members did all that.

Correct but what Apple did bring to the process is TouchID. Credit Cards don't have that. Credits Cards can be used by anyone (under the $100 limit in Aus). So the system that Apple offers to the banks is more secure than what currently happens. Meaning less fraud. (If the banks provision the cards to the iPhone in a secure way.)

I think it's fair for Apple to ask the banks for a fee.
[doublepost=1487167546][/doublepost]

Contactless is already incredibly secure. Apple Pay isn't offering that much. It's far more secure than swiping, which was super common in America. But all Apple Pay is offering for contactless is a second authentication factor, which helps, but not a ton.

Apple is offering TouchID security which credit cards don't have. Anyone in Australia can use anyone else's tap and pay credit card without a pin for transactions less than $100. However, nobody else can use my phone.

This benefits the banks.

 

[kdarling]

Correct but what Apple did bring to the process is TouchID. Credit Cards don't have that. Credits Cards can be used by anyone (under the $100 limit in Aus). So the system that Apple offers to the banks is more secure than what currently happens. Meaning less fraud. (If the banks provision the cards to the iPhone in a secure way.)

Since TouchId is just a shortcut for entering a passcode, that's like saying Apple should get a fee for someone using the numeric keyboard.

More importantly, any iOS app can use TouchId... including say, a bank's NFC card app.

Contactless payment fraud in Austraia runs about $0.02 per hundred dollars. Apple wants $0.15. Paying Apple makes no financial sense. It's just a ransom for allowing banks to register their own customers.

I think it's fair for Apple to ask the banks for a fee.

I think Apple could fairly charge a fee for the initial account provisioning, similar to what banks pay for provisioning a token with the token providers. Say, ten to fifty cents.

They could also fairly charge a fee during an online Apple Pay transaction, such as a web payment, where Apple's servers are actually involved.

But for contactless payments where Apple has zero work or liability? No. They sold the hardware at a profit. They don't deserve a fee for someone using that hardware, any more than they deserve a fee from anyone using the camera, Bluetooth or WiFi.

Think about it: Apple charging a fee for emulating a card, is as if the maker of chip cards demanded a fee each time one was used, because it has more security than a swipe card. It just makes no sense.

 

[fischersd]

The real question at hand is something totally different: can a company be forced to open access to some of its hardware in order to allow competition? I think the answer would normally be no. Which is too bad, since there are so many cool things that can be done with a regular NFC Forum compliant system.

THIS! As much as I don't like to see the government interfering in free enterprise, the FTC's role is to ensure fair competition. This is why Microsoft was almost split into multiple companies (and why they had to de-couple tight integration of Internet Explorer to Windows). Owning the playing field has its own advantages - when companies use these advantages unfairly to stifle competition, that's when the FTC should be jumping in.

As much as I (well, don't we all?) hate the banks, Apple really should allow any company to write a wallet app for the iPhone and use the NFC chip for contactless payments.

Now, if they aren't integrated with Apple's Wallet / Apple Pay - then they don't have the convenience of being accessed from the lock screen on the iPhone or so easily from the Apple Watch.

The consumers would still drive it there...the convenience is pretty key (if it isn't convenient, you still get your wallet out).

 

[kdarling]

How much do Apple take from payments vs regular CC purchases?

Nobody has answered, but I think that's because no one understood it. What are "payments"? Thanks!

And the reason these banks want it open is also Money, as in tracking/selling user data. Apple doesn't want to facilitate that, and no one can force them to provide a product that does it.

A primary reason why banks signed up for Apple Pay in the first place, is because it passes through the exact same data that the banks have always gotten.

The banks are willing to pay to have Apple facilitate this flow of info. The alternative would've been for Apple to do like Google did with their original NFC Wallet, and act as a masked proxy buyer... thus hiding any specific purchase info (besides the amount) from the bank.

(Not aimed at you: it always cracks me up that people didn't seem to care about store purchase privacy until Apple told them to. If people really cared that much, they'd have been using Google Wallet all those years ahead of time, because then the banks would not have known private things such as the fact that you bought liquor at lunchtime or paid a divorce lawyer. If Google knows that, you simply might get related ads. When the banks have that info, they recalculate your credit risk, and that can have real impact on your life.)

Btw, it's not about preventing fraud. Banks have plenty of ways of doing that IF they wish to. But the way banks make a lot of money is by handling fraud and taking calculated risks. If fraud dropped to zero, they'd have no excuse for charging as much.

The banks are also saying they want access to Apple technology that Apple developed for free that will give the banks increased security and as a plus will give them greater access to data for data mining, all for free.

With respect, what technology did Apple develop? Not tokens. Not NFC payments. Not the protocol. Not the chips used for NFC controller or Secure Element. Certainly not the payment networks.

Yes, they put in the hardware and software support. So do other phone makers. Ditto for putting in WiFi, Bluetooth, camera, fingerprint reader, etc... yet no one thinks those should be rented from the phone maker.

As for data mining, what greater access to data would banks get with their own app? Not location, since the store id is part of the info that goes up anyway. But there could be something. Truly curious for your thoughts.

Australian banks are making record profits.

So is Apple, but one supports Australia much more than the other. For example, in 2013 ANZ Bank made over AUS $6 billion in revenues, upon which they paid about $2 billion in Australian taxes... ~30%.

In 2013, Apple also made about $6 billion in Australia, but only paid less than $40 million in taxes (< 1%) because of their clever offshoring accounting tricks. Instead, all those billions (and more each year) are now sitting in NYC banks where the money is being used to help finance American loans. For that, we thank you for being willing pawns of one of our US megacorporations

 

[JamesPDX]

We will ? Then people don't care how much they pay. Your mortgage and all, at the expense of simply using Apple pay somewhere else and not at your own bank ? wow.. people really have more money than they know what to do with. Give me lower prices any-day..

Banks do need to *adopt* Apple Pay. Customers do not need to "move" anywhere.. We are thinking like sheep... If something doesn't work, go elsewhere that does.

No, I meant people will vote with their feet and they shouldn't care where they park their money unless there are negative tax implications. Apple Pay is an elegant piece of engineering. Likewise, about half of the chipped VISA/MC terminals "aren't RFID ready" in the USA -which is absurd because there was a security deadline. The problem is with retailers, terminal vendors, and banks dragging their feet on firmware updates, etc. If your bank does not support TLS 1.2 or better, contact the admin and tell them their encryption is broken. Firefox is great for sussing-out these various sites that have our data but are too "boardroom-lazy" to upgrade their security infrastructure for the 21st century. Use email or the e-form because they have to retain the records.

 

[sir1963nz]

You're late to the thread but in no way, shape, or form are the banks saying they want access to Apple developed technology. They're asking for access to NFC.

so how much money did the banks pay for the development of the iPhone ?

 

[CRaSHeR36]

I am not buying the security argument. Banks have inherent need for security and have already developed technologies and processes designed to protect consumers and financial institutions alike. All they are asking for is access to the technology inside the phone. Their argument makes sense.

Imagine if Apple made a computer with a bluetooth technology that can only be used with Apple's own bluetooth devices. And you had to pay a fee to Apple each time you used said connection. That's basically what Banks are experiencing with Apple Pay. The hardware is locked down, so they can't develop competing payment solutions and they are forced to use Apple's pay-to-play scheme. They are saying - let us access the hardware that's inside to level the plan and encourage competition in this emerging market.

It's kind of like having Visa. Sure, banks that want to issue credit cards will need to pay Visa a fee to use their payment processing system, but they can also shop around and use Master Card or America Express, and so on. I think that's largely the argument. Technology changes things and now that piece of plastic we all carry around is being embedded into phones as NFC chip. Laws have to catch up.

Hmmmm - I'm not convinced on the bank's inherent security argument... Many banks still don't allow special characters on online passwords (yep as unbelievable as that is!) - something that should have already been implemented years ago IF security was that important to them. Their bottom line is MOST important to them - and as long as fraud coverage costs them less than revamping security, that's what they'll do...

All this to say that I much prefer/trust Apple to hold up my security as incredibly important (it's their product after all) rather than the banks who are much more interested in their bottom line than my security.

 

[AllieNeko]

Apple is offering TouchID security which credit cards don't have. Anyone in Australia can use anyone else's tap and pay credit card without a pin for transactions less than $100. However, nobody else can use my phone.

This benefits the banks.

No, Apple did not invent the concept of CDCVM (Consumer Device Cardholder Verification Method), or biometrics.

I hate the banks, especially Australian banks due to the DCC nonsense they spread worldwide, but the more I think about it the more I fundamentally agree with them, despite hating them. Hardware should be open, end of story. You should have a right to tinker.

 

[rudigern]

That won't be problem. As I said, you were pretty definitive about what the banks will do. There was no ambiguity in any of the statements below. That's why when you said I dug a hole I giggled. You painted yourself into a corner with declarations of what the banks are going to do.


Wouldn't it be a lot easier for the banks to piggyback on the same method Android Pay uses?


When their details are hijacked? Kinda sounds like a you've come to a forgone conclusion doesn't it?



They're making a pretty big fuss about wanting NFC access. Couldn't they realize that doing it wrong would crash and burn?

I have because it's a current exploit well know thats out in the wild. You keep saying I'm making conclusions. They are conclusions because I have been involved with these very things in the industry. I have seen thousands of credit cards stolen from organisations that people like you trust. Neither of the companies I've been witness to ever made public announcements or notified their customers. It's unfortunate that we live in this world but every large organisation runs on the bottom line. Almost everyone knows this except you feel that the 4 of the 5 most profitable banks in Australia would never take the cheaper option with no experience in software development or IT security.

 

[69Mustang]

I have because it's a current exploit well know thats out in the wild. You keep saying I'm making conclusions. They are conclusions because I have been involved with these very things in the industry. I have seen thousands of credit cards stolen from organisations that people like you trust. Neither of the companies I've been witness to ever made public announcements or notified their customers. It's unfortunate that we live in this world but every large organisation runs on the bottom line. Almost everyone knows this except you feel that the 4 of the 5 most profitable banks in Australia would never take the cheaper option with no experience in software development or IT security.

I have no feeling one way or the other regarding what the banks will do. You seem to be conflating my thoughts about what you're stating with a feeling for what banks will do. My issue is with your statements. The banks could do exactly as you say. Companies do dumb stuff all the time. But you're saying they will, as if it's a forgone conclusion. That's just not true. You asked me to show you where you said they will. I did.

 

[Douglas B]

No, Apple did not invent the concept of CDCVM (Consumer Device Cardholder Verification Method), or biometrics.

I said, Apple 'offer' security that credit cards don't. No mention of who invented what.

 

[AllieNeko]

I said, Apple 'offer' security that credit cards don't. No mention of who invented what.

Sure. But they're hardly the only ones who do. It isn't something magical. Why should a feature of hardware you BOUGHT be held ransom by the software running on it?

I'm no fan of the banks. I have Android (and iPhone). Android Pay is far, far better than the banks that decide to save some money and go their own way. The difference is massive. But... It isn't about the banks. It's about your right as a consumer to use the hardware you bought however you want to.

 

[ErikGrim]

I use "Paywave" payments, it is no more difficult to get my wallet out than it is to get my phone out.

Agreed. That's why you use your watch for Apple Pay and ditch your wallet altogether.
[doublepost=1487738934][/doublepost]

It's about your right as a consumer to use the hardware you bought however you want to.

You don't have any such rights. Are you able to use the radios in your phone to connect to whichever network you want? To use the fingerprint reader to read fingerprints to make into artwork? Can you use bluetooth to transfer any arbitrary data from phone to computer?

Apple dictates exactly what uses the hardware they put into their phones do, regardless of what their actual capabilities, and you have no say in it.

 

[sir1963nz]

Agreed. That's why you use your watch for Apple Pay and ditch your wallet altogether.
[doublepost=1487738934][/doublepost]You don't have any such rights. Are you able to use the radios in your phone to connect to whichever network you want? To use the fingerprint reader to read fingerprints to make into artwork? Can you use bluetooth to transfer any arbitrary data from phone to computer?

Apple dictates exactly what uses the hardware they put into their phones do, regardless of what their actual capabilities, and you have no say in it.

I get my CreditCard for free.

I figure the life expectancy of the watch is about 4 years, I am NOT going to pay $100 a year to save me pulling my wallet out, especially when I pull it out anyway for loyalty cards

 

[rudigern]

I have no feeling one way or the other regarding what the banks will do. You seem to be conflating my thoughts about what you're stating with a feeling for what banks will do. My issue is with your statements. The banks could do exactly as you say. Companies do dumb stuff all the time. But you're saying they will, as if it's a forgone conclusion. That's just not true. You asked me to show you where you said they will. I did.

You have no context of the technology or industry you so readily defend. I know from personal, first hand experience the shortcuts, budgets and lack of forethought these companies make. You asked why, I gave you the reason why, then you said they wouldn't do that, they'd just copy Android Pay with no understanding. If you ask a question don't get upset that the answer doesn't fit with your world view.

 

[69Mustang]

You have no context of the technology or industry you so readily defend.

I do have common sense and a logical disposition. I can easily draw a conclusion based on the information provided. I don't need to be burned to realize fire is hot. I don't need to be in the IT or banking industry to form an opinion regarding the opposing positions of Apple and the banks.

I know from personal, first hand experience the shortcuts, budgets and lack of forethought these companies make.

You having personal experience in this area doesn't mean you know what the banks are going to do. I'm sorry, it doesn't. That's been my point the entire time. You can't conflate your past experience with future actions of the banks. Well, you can, but don't expect anyone to accept your opinion <-- that's all it is, an opinion -- as some sort of fact regarding the banks intentions. When you come to the realization that you can't predict what the banks are going to do you'll be all the better for it.

You asked why, I gave you the reason why, then you said they wouldn't do that, they'd just copy Android Pay with no understanding.

Rudigern, don't that man. You know for a fact I never said the banks would just copy Android Pay. Don't try to twist my words to suppliment your position. You haven't done it at any other point, so let's not start now. This is exactly the question I asked:
"Wouldn't it be a lot easier for the banks to piggyback on the same method Android Pay uses?"

In no way, shape, or form is that me saying the banks would copy Android Pay. Unlike you, I haven't claimed the banks would do anything one way or the other. I even stated they could do exactly as you think they will. Could do, not will do. When you drop the emphatic will do, you're going to be better for it.

If you ask a question don't get upset that the answer doesn't fit with your world view.

It seems the only person upset in this conversation is you.

 

[AllieNeko]

You don't have any such rights. Are you able to use the radios in your phone to connect to whichever network you want? To use the fingerprint reader to read fingerprints to make into artwork? Can you use bluetooth to transfer any arbitrary data from phone to computer?

Apple dictates exactly what uses the hardware they put into their phones do, regardless of what their actual capabilities, and you have no say in it.

Which is one of my biggest issues with the Apple ecosystem. The fingerprint reader is justifiable, as it needs to be very secure and at a very low level in the system.

Bluetooth, however, and the restrictions Apple puts on it, has always been absolutely absurd.

Oh, and yes, actually, you can connect to whichever network you want with an iPhone... they usually come unlocked.

 

[scarrab666]

Sorry to keep this one going, but interestingly ANZ (the only one of the 4 big Australian banks that uses Apple Pay) has reported record profits.... Now I'm sure this is not down to us mere consumers, and probably to do with interest rate hikes on mortgages, opposed to Apple Pay. But interesting none-the-less... I wonder if the other 3 banks will follow suit?

I'm pretty fickle I switched from CBA (25 year customer) to ANZ just for Apple Pay...

ref: http://www.abc.net.au/news/2017-02-17/anz-profit-jumps-in-quarterly-update/8279448