Dutch antitrust regulators launch probe into Apple Pay

AppleInsider

The Netherlands Authority for Consumers and Markets has turned a critical eye to manufacturers that limit access to any smartphone's near-field communications system.

Apple was not named directly in the probe. However, the Cupertino tech giant has a long history of being criticized for limiting access to the iPhone NFC chip, making it clear who the investigation targets.

Banks and competing financial companies worldwide have complained that by limiting access, Apple forces users to only use services compatible with Apple's own Apple Pay.

According to Bloomberg, the Dutch authority "will investigate whether limiting the payment apps' access to NFC communication reduces the users' freedom of choice," it said. If it "does establish a violation, it may result in a penalty, such as a fine."

As usual, Apple's response to the criticism is to remind both investigators and consumers that Apple Pay limits access to the NFC system for security purposes.

The probe comes at a time when Apple is facing increased scrutiny over anticompetitive behavior both at home and abroad. In October, the U.S. House Judiciary subcommittee accused Apple of holding a monopoly over the distribution of apps on iOS devices via the App Store.

sflocal

This sounds like a similar situation that went on in Australia when certain banks filed a lawsuit demanding NFC access.  They lost and eventually allowed ApplePay.

This all comes down to who has control of the end-user's information.  The banks want to use their own banking apps for NFC so they could harvest all our personal information and transaction history, sell it to the highest advertising bidder, and figure out ways to extract more from us.

ApplePay on the other hand is secure, and I can trust Apple in making sure that the security between phone and receiver is hardened.  Sure, Apple gets a cut of transaction fees from the bank, but what the banks aren't advertising the the amount of money saved due to not having issues with fraudulent transactions.  

2019 figures say that the banking industry lost $27.85B dollars worldwide due to credit card fraud.  I would think ApplePay has saved quite for banks.

I have zero faith in banks to keep my info private and secure.  I as a consumer am happy that Apple keeps NFC locked out.  It's their hardware/software package, their widget.  Screw the banks.  They either offer their services via ApplePay, or they don't get my business.

mobird

Apple should make a "limited edition" iPhone
sans a nfc chip just for countries/governments that impose this.

22july2013

mobird said:

Apple should make a "limited edition" iPhone [without] a nfc chip just for countries/governments that impose this.

Good idea, or it could be the exact same iPhone with the NFC chip disabled by software when the GPS detects that the iPhone is located in the Netherlands. Apple has already done this with things like the ECG feature in the Apple Watch. Unless you are from a certain country, you couldn't access the ECG feature. This was to satisfy regulators who hadn't approved the ECG feature for health purposes.

22july2013

I am so, so, so excited about some government trying to micromanage Apple's services to the point where Apple just gives up and says, "Fine, we won't sell iPhones or internet services to anyone in your country. Buh-bye." Let's see how that helps consumers in the Netherlands "increase their freedom of choice." Doesn't the Dutch government understand that the iPhone itself IS a choice? The only way that the Netherlands could mandate this is if they made the iPhone the only legal smart phone that anyone in the Netherlands could ever use. In that case I would back them up. Android has a 57% share of smartphones in the Netherlands and iOS has 42%, and they want to boot iOS out of their country? How does that increase choice? That will hand a 99% marketshare to Android. Where's the choice then?

macca

This is pot calling the kettle black! The local transport authority in Amsterdam (GVB) (I’m sure it’s the same for other cities) and national rail (NS) have a contactless card system that you have to use called the ov chip card. 

Unlike places like London you can’t use Apple Pay / google pay or other contactless bank cards. 

They should first start with opening these systems up first before going after other companies!

Sarkany

sflocal said:

This sounds like a similar situation that went on in Australia when certain banks filed a lawsuit demanding NFC access.  They lost and eventually allowed ApplePay.

This all comes down to who has control of the end-user's information.  The banks want to use their own banking apps for NFC so they could harvest all our personal information and transaction history, sell it to the highest advertising bidder, and figure out ways to extract more from us.

ApplePay on the other hand is secure, and I can trust Apple in making sure that the security between phone and receiver is hardened.  Sure, Apple gets a cut of transaction fees from the bank, but what the banks aren't advertising the the amount of money saved due to not having issues with fraudulent transactions.  

2019 figures say that the banking industry lost $27.85B dollars worldwide due to credit card fraud.  I would think ApplePay has saved quite for banks.

I have zero faith in banks to keep my info private and secure.  I as a consumer am happy that Apple keeps NFC locked out.  It's their hardware/software package, their widget.  Screw the banks.  They either offer their services via ApplePay, or they don't get my business.

Secure? Funny. I guess you didn’t read the article with the WiFi exploit. Who knows what kind of security hole is being exploited this very moment by a bad actor on Apple itself or their devices. Get real.

jellybelly

Sarkany said:

Secure? Funny. I guess you didn’t read the article with the WiFi exploit. Who knows what kind of security hole is being exploited this very moment by a bad actor on Apple itself or their devices. Get real.

When you load your card onto Apple Pay, it is encrypted and sent to VISA, MasterCard, or whatever company manages the card. Then VISA eg. will issue a different set of 16 digits encrypted to send back and be stored in the Secure Enclave silicon on your iPhone. Only VISA knows the new 16 digits and only VISA has the encryption key. The Secure Enclave does not communicate without encryption, and only VISA can translate the encryption. New keys are used on every transaction. VISA et al only collect info that would be collected to make the payment, the same info collected with a card transaction.

Read up on it at Anandtech.com or ArsTechnica.com via search on sites. AppleInsider may have an archive article on the subject as well.

It’s so secure that credit card companies and banks offer a discounted usage fee to Apple. 
As in the VISA example, not even your bank knows the key. VISA does the communication with your bank directly.

If you don’t trust a company like VISA and their communicating with your bank, then you don’t have any cards at all. As far as the Secure Enclave, it is silicon that would be destructed if it is tampered with physically. Software-wise, the encryption is safer than using a card directly to pay for something.

Be happy, not cynical. ߎ栦amp;nbsp;(emoji for musical notes).

mvmaastricht

22july2013 said:

I am so, so, so excited about some government trying to micromanage Apple's services to the point where Apple just gives up and says, "Fine, we won't sell iPhones or internet services to anyone in your country. Buh-bye." Let's see how that helps consumers in the Netherlands "increase their freedom of choice." Doesn't the Dutch government understand that the iPhone itself IS a choice? The only way that the Netherlands could mandate this is if they made the iPhone the only legal smart phone that anyone in the Netherlands could ever use. In that case I would back them up. Android has a 57% share of smartphones in the Netherlands and iOS has 42%, and they want to boot iOS out of their country? How does that increase choice? That will hand a 99% marketshare to Android. Where's the choice then?

First of all: the Dutch government is not taking a stance against Apple, neither are they trying to remove Apple from the Dutch market or  trying to limit user’s choice to Android only; they’re investigating if limiting the NFC chip from others using it, is illegal (hurting consumers or abusing market power). 

I’m sure they’ll find out it is in the best interest of users (like in Australia), and after this probe it will be clearer what Apple’s motivation is. For Apple it’s actually more effective this way, than having to spend millions on advertising to prove the same (with less credibility). 

gc_uk

sflocal said:

This sounds like a similar situation that went on in Australia when certain banks filed a lawsuit demanding NFC access.  They lost and eventually allowed ApplePay. 

I have zero faith in banks to keep my info private and secure.  I as a consumer am happy that Apple keeps NFC locked out.  It's their hardware/software package, their widget.  Screw the banks.  They either offer their services via ApplePay, or they don't get my business.

No, that’s isn’t what the Australian banks lobbied for. They wanted permission to negotiate as a group. Nothing to do with access to NFC. They wanted to negotiate a bloc rate if they weren’t going to be given access as payments processors. 

The mechanism behind Apple Pay isn’t an apple invention. It’s a system defined by EMV. Apple is simply a branded payment processor using that method. If you want evidence, Google Pay abs Samsung Pay et al use the same mechanisms. In Europe people were using contactless payments for a lot longer than the US. The high fraud rate in the US is because of the old technology being used there. 

You say you don’t trust the banks? So I guess you keep all your money in a box and don’t use Apple Pay?

gc_uk

22july2013 said:

mobird said:

Apple should make a "limited edition" iPhone [without] a nfc chip just for countries/governments that impose this.

Good idea, or it could be the exact same iPhone with the NFC chip disabled by software when the GPS detects that the iPhone is located in the Netherlands. Apple has already done this with things like the ECG feature in the Apple Watch. Unless you are from a certain country, you couldn't access the ECG feature. This was to satisfy regulators who hadn't approved the ECG feature for health purposes.

I’m pretty sure that’s not how it works, otherwise if you went on holiday to a country where it wasn’t enabled, you’d lose the functionality which would be as dumb as your comment.

avon b7

sflocal said:

This sounds like a similar situation that went on in Australia when certain banks filed a lawsuit demanding NFC access.  They lost and eventually allowed ApplePay.

This all comes down to who has control of the end-user's information.  The banks want to use their own banking apps for NFC so they could harvest all our personal information and transaction history, sell it to the highest advertising bidder, and figure out ways to extract more from us.

ApplePay on the other hand is secure, and I can trust Apple in making sure that the security between phone and receiver is hardened.  Sure, Apple gets a cut of transaction fees from the bank, but what the banks aren't advertising the the amount of money saved due to not having issues with fraudulent transactions.  

2019 figures say that the banking industry lost $27.85B dollars worldwide due to credit card fraud.  I would think ApplePay has saved quite for banks.

I have zero faith in banks to keep my info private and secure.  I as a consumer am happy that Apple keeps NFC locked out.  It's their hardware/software package, their widget.  Screw the banks.  They either offer their services via ApplePay, or they don't get my business.

Can you clarify that? 

I think at the very least you will find the EU has more and better protections in place as a result of adhering to newer EU regulations.

For example, in Spain, AFAIK it has been impossible to make a signature based card authentication for years. Even though EMV allows for it. 

From January next year I believe for any online payment (card based or not) you will have to confirm the payment through your bank's app on your phone. 

It is extremely rare for your card to leave your possession for any purchase whatsoever. Even in restaurants, the card reader will probably be brought to your table. 

Current NFC, secure enclave and banking apps on Android are plenty secure. 

My wife is very riled that I can use my bank's BBVA Pay on my phone but that she can't. It's worse that her options are limited to Apple Pay which she refuses to use because Apple is obliging her to use its Pay service. 

Choice should be open to everyone and if it is restricted for day to day actions, users should be duly informed prior to purchase. 

sellerington

Sounds like she is cutting off her nose to spite her face? What reason(s) does your wife have to not use  Pay?

avon b7

sellerington said:

Sounds like she is cutting off her nose to spite her face? What reason(s) does your wife have to not use  Pay?

It's a protest at the lack of choice. She would prefer to use BBVA Pay but that option is denied to her. Currently she uses her card.

Her next phone may be an Android. The XR has given her all manner of problems. The biggest of which is FaceID not adapting to her glasses. Followed by calls cutting off a few seconds into the call (recent development) Follwed by the phone switching off the speaker randomly for incoming calls. Etc.

She is a long time iPhone user. 

22july2013

gc_uk said:

22july2013 said:

mobird said:

Apple should make a "limited edition" iPhone [without] a nfc chip just for countries/governments that impose this.

Good idea, or it could be the exact same iPhone with the NFC chip disabled by software when the GPS detects that the iPhone is located in the Netherlands. Apple has already done this with things like the ECG feature in the Apple Watch. Unless you are from a certain country, you couldn't access the ECG feature. This was to satisfy regulators who hadn't approved the ECG feature for health purposes.

I’m pretty sure that’s not how it works, otherwise if you went on holiday to a country where it wasn’t enabled, you’d lose the functionality which would be as dumb as your comment.

My second statement implied that the Apple Watch was using GPS to block certain users to its ECG, which is not what I intended to say. Yet Apple indeed was blocking users who came from a certain country, and that was not done by GPS but by the nation of origin of the payment card for the user's linked iCloud account. So you are right, the implementation was different. I was just using GPS as an example of how to block users, in order to keep my post short and sweet, but I can see I would have been better off writing a longer, more accurate message.

I don't resort to name calling and I recommend that you don't either. It's quite a good feeling taking the high road.

22july2013

avon b7 said:

Current NFC, secure enclave and banking apps on Android are plenty secure. 

Maybe they are secure. Some Android phones have a secure element, but some do not. Buyer beware. And those that do have different implementations that each need to be evaluated separately for their security. Where have you read an evaluation of these secure enclaves? I was unable to find any. How do you know they are secure, can you cite the report so I can read it and be happy?

"Huawei also implemented an integrated secure element (inSE) on its SoCs, the HiSilicon Kirin 960, 970, 980, 990, and 710.
Qualcomm has adopted the secure element as a secure processing unit (SPU) in the Snapdragon 845, 855, and 855+, which enables brands like Xiaomi, OnePlus, Oppo, Vivo, LG, Sony, Samsung, and Google to implement hardware embedded security in its premium smartphones."

Earlier this year Samsung announced its own Secure Enclave Chip called S3K250AF that it will make available to Android phone manufacturers. This chip has been evaluated against Common Criteria Evaluation Assurance Level 5+ which is a good claim, rivalling my trust in Apple's own word for its own Secure Element, but so far this chip is only available in the Samsung S20, I think. This puts the S20 on top of the Android pack for security, in my opinion. It's just tough to tear me away from Apple because they've had a secure element since iPhone 5, which is about 7 generations ago.

22july2013

jellybelly said:

Sarkany said:

Secure? Funny. I guess you didn’t read the article with the WiFi exploit. Who knows what kind of security hole is being exploited this very moment by a bad actor on Apple itself or their devices. Get real.

When you load your card onto Apple Pay, it is encrypted and sent to VISA, MasterCard, or whatever company manages the card. Then VISA eg. will issue a different set of 16 digits encrypted to send back and be stored in the Secure Enclave silicon on your iPhone. Only VISA knows the new 16 digits and only VISA has the encryption key. The Secure Enclave does not communicate without encryption, and only VISA can translate the encryption. New keys are used on every transaction. VISA et al only collect info that would be collected to make the payment, the same info collected with a card transaction.

Read up on it at Anandtech.com or ArsTechnica.com via search on sites. AppleInsider may have an archive article on the subject as well.

It’s so secure that credit card companies and banks offer a discounted usage fee to Apple. 
As in the VISA example, not even your bank knows the key. VISA does the communication with your bank directly.

If you don’t trust a company like VISA and their communicating with your bank, then you don’t have any cards at all. As far as the Secure Enclave, it is silicon that would be destructed if it is tampered with physically. Software-wise, the encryption is safer than using a card directly to pay for something.

Be happy, not cynical. ߎ栦amp;nbsp;(emoji for musical notes).

Your post is informative and agreeable, but then how do you explain devices like these which claim to be able to get the PIN for your iPhone which is the most important data item protected by the Secure Element? The iPhone PIN, or a hash of it, is stored only in the secure element, yet it seems to be retrievable.

https://www.zdnet.com/article/graykey-box-promises-to-unlock-iphones-for-police/ <--

My guess is that finding the PIN is not done by actually getting it out of the Secure Element, but by some system of guesswork. As a result only the PIN has been compromised, but that's a pretty big compromise. It would allow you to change the fingerprint used to unlock the phone, for example, but it may not compromise everything stored in there.

avon b7

22july2013 said:

avon b7 said:

Current NFC, secure enclave and banking apps on Android are plenty secure. 

Maybe they are secure. Some Android phones have a secure element, but some do not. Buyer beware. And those that do have different implementations that each need to be evaluated separately for their security. Where have you read an evaluation of these secure enclaves? I was unable to find any. How do you know they are secure, can you cite the report so I can read it and be happy?

"Huawei also implemented an integrated secure element (inSE) on its SoCs, the HiSilicon Kirin 960, 970, 980, 990, and 710.
Qualcomm has adopted the secure element as a secure processing unit (SPU) in the Snapdragon 845, 855, and 855+, which enables brands like Xiaomi, OnePlus, Oppo, Vivo, LG, Sony, Samsung, and Google to implement hardware embedded security in its premium smartphones."

Earlier this year Samsung announced its own Secure Enclave Chip called S3K250AF that it will make available to Android phone manufacturers. This chip has been evaluated against Common Criteria Evaluation Assurance Level 5+ which is a good claim, rivalling my trust in Apple's own word for its own Secure Element, but so far this chip is only available in the Samsung S20, I think. This puts the S20 on top of the Android pack for security, in my opinion. It's just tough to tear me away from Apple because they've had a secure element since iPhone 5, which is about 7 generations ago.

The security elements of Android and Apple phones are verified by the banks themselves for their security requirements. For example, if my current phone wasn't deemed secure enough for my bank, the option to use it for payments would not be available to me. 

As for Huawei secure enclave and TEE, it has probably one of the highest security standard certifications available for mobile and covers far more than the devices themselves. 


https://www.huawei.com/it/sustainability/stable-secure-network/privacy-protection

PDF:

https://www.tuvnederland.nl/assets/files/cerfiticaten/2019/11/st-hongmengv2.8.pdf


https://www.huawei.com/en/sustainability/stable-secure-network/cyber-security

GeorgeBMac

jellybelly said:

Sarkany said:

Secure? Funny. I guess you didn’t read the article with the WiFi exploit. Who knows what kind of security hole is being exploited this very moment by a bad actor on Apple itself or their devices. Get real.

When you load your card onto Apple Pay, it is encrypted and sent to VISA, MasterCard, or whatever company manages the card. Then VISA eg. will issue a different set of 16 digits encrypted to send back and be stored in the Secure Enclave silicon on your iPhone. Only VISA knows the new 16 digits and only VISA has the encryption key. The Secure Enclave does not communicate without encryption, and only VISA can translate the encryption. New keys are used on every transaction. VISA et al only collect info that would be collected to make the payment, the same info collected with a card transaction.

Read up on it at Anandtech.com or ArsTechnica.com via search on sites. AppleInsider may have an archive article on the subject as well.

It’s so secure that credit card companies and banks offer a discounted usage fee to Apple. 
As in the VISA example, not even your bank knows the key. VISA does the communication with your bank directly.

If you don’t trust a company like VISA and their communicating with your bank, then you don’t have any cards at all. As far as the Secure Enclave, it is silicon that would be destructed if it is tampered with physically. Software-wise, the encryption is safer than using a card directly to pay for something.

Be happy, not cynical. ߎ栦amp;nbsp;(emoji for musical notes).

After my credit card has hacked and I reported a fraudulent transaction I asked the bank's security person investigating the fraud whether I should, in the future, use Apple Pay or their chip card.   The answer:  "Use ApplePay.   It's more secure".

That was all I needed.

Now I avoid any merchant who refuses to accept Apple Pay.   And, when I can't I use a card that I can cancel at any time without impacting my buying habits.

GeorgeBMac

avon b7 said:

sflocal said:

This sounds like a similar situation that went on in Australia when certain banks filed a lawsuit demanding NFC access.  They lost and eventually allowed ApplePay.

This all comes down to who has control of the end-user's information.  The banks want to use their own banking apps for NFC so they could harvest all our personal information and transaction history, sell it to the highest advertising bidder, and figure out ways to extract more from us.

ApplePay on the other hand is secure, and I can trust Apple in making sure that the security between phone and receiver is hardened.  Sure, Apple gets a cut of transaction fees from the bank, but what the banks aren't advertising the the amount of money saved due to not having issues with fraudulent transactions.  

2019 figures say that the banking industry lost $27.85B dollars worldwide due to credit card fraud.  I would think ApplePay has saved quite for banks.

I have zero faith in banks to keep my info private and secure.  I as a consumer am happy that Apple keeps NFC locked out.  It's their hardware/software package, their widget.  Screw the banks.  They either offer their services via ApplePay, or they don't get my business.

Can you clarify that? 

I think at the very least you will find the EU has more and better protections in place as a result of adhering to newer EU regulations.

For example, in Spain, AFAIK it has been impossible to make a signature based card authentication for years. Even though EMV allows for it. 

From January next year I believe for any online payment (card based or not) you will have to confirm the payment through your bank's app on your phone. 

It is extremely rare for your card to leave your possession for any purchase whatsoever. Even in restaurants, the card reader will probably be brought to your table. 

Current NFC, secure enclave and banking apps on Android are plenty secure. 

My wife is very riled that I can use my bank's BBVA Pay on my phone but that she can't. It's worse that her options are limited to Apple Pay which she refuses to use because Apple is obliging her to use its Pay service. 

Choice should be open to everyone and if it is restricted for day to day actions, users should be duly informed prior to purchase. 

Like "Healthy", "Secure" is always a relative term.

"Healthy" compared to what?   An Orio?

"Secure" as opposed to what?   An unlocked door?

Even locking the door doesn't offer perfect security -- because there is no such thing -- criminals are ALWAYS looking for ways to unlock it.

But, if you are concerned about security, you get as close as you can to that "perfect" -- within the limitations of expense and inconvenience.

(But I agree that Europe has been far ahead of most countries in card technology and associated security.)

GeorgeBMac

sflocal said:

This sounds like a similar situation that went on in Australia when certain banks filed a lawsuit demanding NFC access.  They lost and eventually allowed ApplePay.

This all comes down to who has control of the end-user's information.  The banks want to use their own banking apps for NFC so they could harvest all our personal information and transaction history, sell it to the highest advertising bidder, and figure out ways to extract more from us.

ApplePay on the other hand is secure, and I can trust Apple in making sure that the security between phone and receiver is hardened.  Sure, Apple gets a cut of transaction fees from the bank, but what the banks aren't advertising the the amount of money saved due to not having issues with fraudulent transactions.  

2019 figures say that the banking industry lost $27.85B dollars worldwide due to credit card fraud.  I would think ApplePay has saved quite for banks.

I have zero faith in banks to keep my info private and secure.  I as a consumer am happy that Apple keeps NFC locked out.  It's their hardware/software package, their widget.  Screw the banks.  They either offer their services via ApplePay, or they don't get my business.

Yep!

People complain about Google and, to a lesser degree, Amazon collecting their personal information.

But most are oblivious to the fact that their banks are collecting that information and using that information -- as well as the stores they shop at.

The latter was highlighted in one of the first big hacks:  Target.   It wasn't just credit card info that was stolen but much personal information like email addresses as well.

Merchants are collecting your information -- UNLESS you use Apple Pay. 

That, and the security it offers, is another reason to use Apple Pay exclusively as much as possible.  And, the more we demand it, the more merchants will offer it.