I am not against them knowing where and when although I do object to relying on a single entity for all transactions.
These are not mutually exclusive options. I interchange using my physical Starbucks card and Starbucks card on my phone via PassBook all the time.
Another thing that seems like it would be problematic is when you need two cards with the same account with different names. Currently it works fine and I'm sure they have already worked that out but getting the whole thing set up on each phone is probably a nightmare for the technically challenged, where as sticking a new card in your wallet is a no brainer.
Lots of things were complex before Apple found a way to make it less complex. They have a knack for this sort of stuff so I have faith that they aren't likely to have missed some major issues if they do release such a feature.
Likewise, if I go get coffee, then drop by the drugstore, grocery, and public library, why should I have to fish around for four ID cards plus a credit card?
I never carry rewards cards. The cashier can look it up on the computer with your home phone number so you and spouse can both receive rewards on the same account.
I am not against them knowing where and when although I do object to relying on a single entity for all transactions.
These are not mutually exclusive options. I interchange using my physical Starbucks card and Starbucks card on my phone via PassBook all the time.
I meant like big brother. Projecting into the future in regards to my comment about eventually being chipped.
Also in terms of Apple making it easy, I think they need too make compatible with other phones otherwise retailers are going to balk at having multiple payment systems. They all use VISA, MC, AMEX, Discover, JCB, etc with the same terminal right now.
Today, the Clipper Card (SF Bay Area transit card) covers eight local transit agencies and also is valid for parking in some places. You no longer need to keep a bunch of different tickets, each one for a separate transit system, each one needing reloading at a different ticket vending machine terminal.
The Twin Cities public transit system offers the Go-To Card with NFC technology as well. It looks like there's even an Android app called FareBot that works with the Clipper Card and a few other NFC enabled transit cards. If the rumors of NFC coming to iPhone 6 pan out then there'll certainly be some options on iOS to follow.
"- Your iPhone establishes a secure connection with Apple. Utilizing the encryption performance (800% faster than previous processors) of the 64bit A7 a very complex encrypted connection can be made. It should be noted that POS terminals often use ARM processors, but add a separate encryption processor to handle the math.
- All that gets sent to Apple is an identifier of which device is calling in, the merchant ID and price, and a token to identify which CC card to use.
...
- Your iPhone sends this string to the merchant."
These would likely be the exploitable steps. Giving the purchaser that much of a crucial role in the transfer of data is a major drawback. Your system relies on the iPhone sending data to Apple and then the iPhone sending data to the merchant. These two processes give room for a hacker to make changes to what is being sent in order to exploit the system. As a merchant I would be hesitant to agree to a payment system which used the customer as the middle man in such a manner.
You gave a generic possibility, which isn't good enough. What exactly is the hacker going to exploit simply by looking at some BT data that lacks any personal information or credit card numbers?
Let's say they write a custom App to send false data to the merchant to "fool" them that it's an authorized purchase by "cloning" an Apple server response.
- How do they "fool" the merchant by creating a matching reference that also arrives from Apple on their own "normal" Internet connection? Are they going to send data down the BT connection AND the store's own Internet connection? Will they hack the store's physical Internet connection as well?
- How do they create a "string" that when decoded using the merchants key (which is permanently burned into their terminal and isn't known to anyone except Apple) produces data the merchant expects?
Or let's say they write an App that tries to fool Apple into thinking it's actually your iPhone making the request instead of an iPhone that's been hacked to "pretend" to be your device.
- How do they get access to data from your device when they don't have physical access to it? Or put another way, how do they "clone" your device ID so they can try to fool Apple into thinking it's you that's connecting?
- What would Apple's servers do when they realize that two devices are "online" at the same time with the same ID? That would be an instant "lock" to any mobile payments by Apple.
The big difference between my suggestion and current systems is that my idea never transmits any actual card data or personal information. All existing POS systems do just that. And that's what the criminals are after - credit card numbers.
BT can still be used for additional features, like finding what are essentially iBeacons in your scenario, but that doesn't mean a wireless technology with a 10 meter radius is a better option than 10 centimeter range on a technology designed with a secure loop.
Again, using NFC doesn't mean that BT can't be used as an assist for the less secure part of the transaction.
These technologies work very differently so it's irreverent to whatever PoS system may be in place. Would you be OK with WiFi being used over this system you envision? I wouldn't be. BT is more secure because it's more limiting in range and NFC limits this down to a near impossibility thus making it the best option for a secure wireless transfer of protected data between two points.
Just because Google and other Android-based vendors jumped on NFC before Apple doesn't mean we need to trash the technology.
Because current Apple devices don't have NFC. That means that only brand-new iPhones could be used, which severely limits the potential number of users.
I wouldn't worry about WiFi or any other wireless simply because there's no personal data being transferred. If it was actual credit card data then I wouldn't trust WiFi, BT or even NFC.
Here in Vancouver criminals were replacing POS terminals with modified terminals that still worked normally. However they were modified to collect card data. It's a sophisticated scam for sure, but imagine how much easier this would be with NFC? Instead of actually having to modify a terminal (and its internal software) you would only require a very tiny receiver mounted to the POS device which could record all NFC transactions.
It's not about the wireless system - it's about the type of data being transferred. Time will tell, but I firmly believe Apple will process its own payments and they'll do it with a system that never actually transfers any personal data to merchants.
Because current Apple devices don't have NFC. That means that only brand-new iPhones could be used, which severely limits the potential number of users.
That logic implies never introducing a new technology because older devices won't yet have it. How many iDevices in use today don't have access to Siri? How many don't have access to BT 4.0? How many won't have Touch ID in two years? It's a problem that corrects itself in short order.
I wouldn't worry about WiFi or any other wireless simply because there's no personal data being transferred. If it was actual credit card data then I wouldn't trust WiFi, BT or even NFC.
Something has to be transmitted to verify the accounts on the devices for the transaction to talk place. This means that when you a wireless tech that is using an omnidirectional signal going dozens of feet with BT or hundreds of feet with WiFi that it's possible to do a MitM attack. NFC makes this a near impossibility.
Whether Apple uses it or not is a completely different issue, but there is no argument that reasonable shows that WiFI and BT are more secure wireless mediums than NFC. We're talking about secure loop that is less than 4". it's the difference between having a 3-digit PIN v. a 20-digit PIN that also requires a key on your wall safe. None can't be broken into but one is designed to be more secure.
...but imagine how much easier this would be with NFC?
I'm not sure you're understanding what NFC is if you think that NFC is somehow less secure than BT in this scenario. I don't even know where to begin with the phrase "NFC transactions" as it can be the exact same payload as any "BT transaction" excel that we're talking about a less than 4" secure loop as opposed to a 32 foot omnidirectional signal.
Reading about how much security is baked into Touch ID that guards against software hacks, and then seeing how the feature is only used to unlock the phone and authenticated iTunes purchases, it makes sense that mobile payments would tie into this. From a customer service standpoint, Apple already has infrastructure setup to handle mobile payments. They have credit cards on file, live support for fraudulent/accidental charges, etc.
Listening to Steve Gibson on his security podcast, he detailed out how the level of security that Apple has built into iOS is only possible because it's a closed system. This is probably why Apple has not opened Touch ID up to third party apps. Apple has already proven that their closed loop is very secure, so it will be interesting to see if that level of security is maintained if they move mobile payment options over to retail stores. If anything, Apple takes a very cautious approach when it comes to security.
Compare this with how Samsung immediately opened up its fingerprint reader to third parties and has partnered with Paypal to use the fingerprint reader for financial transactions. The mystery with Samsung's implementation is how they secure the fingerprint data from software hacks. Touch ID uses multiple security steps, such as requiring passcode entry and purging the encryption keys after a reboot, and using matched identifiers for the A7 SoC and the Touch ID unit.
Quote:
Originally Posted by Ireland
Just because it look them that long to include Siri doesn't meant it wasn't ready. And Siri is still in beta so it's not a great analogy. Touch ID was a very fast turn around and helped lay the groundwork for authenticating payments via your fingerprint for ease of use.
The beta tag was quietly removed from Siri when iOS 7 came out.
For now, I think Touch ID's greatest strength is its ease of use. It has limited utility at the moment, but it's also highly secure (the purported hack that came out last year requires a lot of steps, and after a few unsuccessful tries requires a passcode) and the ease of use means that more users will secure their phones in the first place. Indeed, it does lay out the ground work for a secure and easy to use mobile payment setup in which Apple authorizes and bills out the transactions. This would eliminate the need for multiple IDs and having to setup fingerprint authentication for multiple vendors.
You gave a generic possibility, which isn't good enough. What exactly is the hacker going to exploit simply by looking at some BT data that lacks any personal information or credit card numbers?
Let's say they write a custom App to send false data to the merchant to "fool" them that it's an authorized purchase by "cloning" an Apple server response.
- How do they "fool" the merchant by creating a matching reference that also arrives from Apple on their own "normal" Internet connection? Are they going to send data down the BT connection AND the store's own Internet connection? Will they hack the store's physical Internet connection as well?
- How do they create a "string" that when decoded using the merchants key (which is permanently burned into their terminal and isn't known to anyone except Apple) produces data the merchant expects?
Or let's say they write an App that tries to fool Apple into thinking it's actually your iPhone making the request instead of an iPhone that's been hacked to "pretend" to be your device.
- How do they get access to data from your device when they don't have physical access to it? Or put another way, how do they "clone" your device ID so they can try to fool Apple into thinking it's you that's connecting?
- What would Apple's servers do when they realize that two devices are "online" at the same time with the same ID? That would be an instant "lock" to any mobile payments by Apple.
The big difference between my suggestion and current systems is that my idea never transmits any actual card data or personal information. All existing POS systems do just that. And that's what the criminals are after - credit card numbers.
Yes, it was a generic scenario in response to a generic system proposal. If you desire specific details on how to hack your theoretical system you'd need to provide specific details about every step of the process. No system is unbeatable so it's not a knock on you that your proposal could (and would) be beaten. The current systems are beaten everyday. The question becomes, would implementing a new system be such an improvement over the current methods that it justifies the cost of creation, implementation, and maintenance. That's a question that there currently is currently no answer to as there is a lot of research that would need to be done that hasn't been. Your proposal certainly is interesting to think about though.
I'd like to know what god forsaken parts of the world snova has been to.
In much of the third world, including parts of Latin America, the internet and phone are a bit unpredictable. Helps to have cash on hand. More than a few times I've stopped for fuel at the regular station where I frequently fuel up only for them to tell me the CC machine is down. Plus, in Europe mostly they require chip and pin but in resort tourism areas they still take the old fashion mag stripe version. So I understand where snova is coming from. Even in California a lot of services such as gardening, farmer's market or car wash, only accept cash.
They are going to screw this up just like they do everything else that involves working with others... They are going to have some crazy rigid rules which will determine what you can and can't buy with this payment service which will make it cumbersome and basically ruin the experience... Like iPhone with apps such as Amazon... I can't actually purchase a book through the amazon app because Apple insecure chumps that they fear a few customers choosing competition over them and thus ruining the over all experience; making people buy on the web through a web browser before the book will appear on their phone is pathetic... If someone is already an overall amazon customer for books, making it difficult for them to buy books on the iPhone won't make them switch to iBooks it will just give them a bad taste in their mouth and mar the perception of their iPhone experience. This is just one example of course but you get the idea, they hate competition and they don't truly believe their services or products are better because if they did they wouldn't be cowards and ruin customer experience... Oh what's that? You want to buy a an album or movie from best buy? Nope sorry, Apple sells movies and music so those type of purchases aren't available through retailers... you'll have to purchase all your other goods with iTunes and then make a separate purchase just for stuff that are in areas Apple competes in. Meh
They are going to screw this up just like they do everything else that involves working with others...
Like the iTunes Store and the App Store and third party hardware support and accessories and… oh, wait.
They are going to have some crazy rigid rules which will determine what you can and can't buy with this payment service which will make it cumbersome and basically ruin the experience...
So your only complaint would be that you can’t buy Dell computers or Samsung phones through Apple’s payment service.
What idiot would buy a Dell computer or a Samsung phone in the first place?! What on Earth makes you think those companies would even SUPPORT Apple’s payment service?! It’s a moot point.
…they hate competition and they don’t truly believe their services or products are better…
In terms of the cosmos (both the physical realm and the TV show) anything within the scope of humanity endeavors is barely a blip on the radar.
Possibly, but I'm thinking it will be like iBeacons and CarPlay where Apple's devices are better suited but there will be no reason why other OSes won't be able to use the same basic systems that iDevices will need to connect to.
I will also be more shocked if NFC isn't utilized between your iDevice and the retailer's HW. So far there is nothing else that offers a more secure option as NFC's short-range local loop. That doesn't mean BT isn't utilized but the actual exchange needs to be done over something that can't be picked up secretly by any number of people within a 40 foot radius.
NFC and secure should not be used in the same sentence. Anyone with the right device in their pocket can steal payment info from someone nearby foolish enough to brandish and use an NFC-equipped mobile device.
They are going to screw this up just like they do everything else that involves working with others...
I'll let [@]GatorGuy[/@] post the short list of long time partners Apple has. I don't think many companies work with as many others as successfully as Apple.
NFC and secure should not be used in the same sentence. Anyone with the right device in their pocket can steal payment info from someone nearby foolish enough to brandish and use an NFC-equipped mobile device.
Care to explain why NFC is less secure of a medium than BT or WiFi?
It can be easily hacked. Bluetooth can too. Wifi cannot. We're talking "easy" here.
That's not exactly an explanation of how a secure hash stored on an A-series chip that activates the BT and NFC HW after the user chooses to initiate the action which then initiates the secure handshake first over BT and then uses NFC with a range of less than 4" to establish a secure loop that will make the transaction in less than a second and then deactivate the NFC chip (and BT if not currently used for other services) can be compromised as opposed to using, in the case you mention, WiFi which assumes SSL to some publicly accessed router at a retailer's shop.
edit: From Wikipedia:
As with proximity card technology, near-field communication uses magnetic induction between two loop antennas located within each other's near field, effectively forming an air-core transformer.
Theoretical working distance with compact standard antennas: up to 20 cm (practical working distance of about 4 cm)
Why say that's inherently more secure than the omnidirectional WiFI signal that can reach from 50 feet to kilometers if one is using a directional antenna?
Comments
These are not mutually exclusive options. I interchange using my physical Starbucks card and Starbucks card on my phone via PassBook all the time.
Lots of things were complex before Apple found a way to make it less complex. They have a knack for this sort of stuff so I have faith that they aren't likely to have missed some major issues if they do release such a feature.
Likewise, if I go get coffee, then drop by the drugstore, grocery, and public library, why should I have to fish around for four ID cards plus a credit card?
I never carry rewards cards. The cashier can look it up on the computer with your home phone number so you and spouse can both receive rewards on the same account.
I am not against them knowing where and when although I do object to relying on a single entity for all transactions.
These are not mutually exclusive options. I interchange using my physical Starbucks card and Starbucks card on my phone via PassBook all the time.
I meant like big brother. Projecting into the future in regards to my comment about eventually being chipped.
Also in terms of Apple making it easy, I think they need too make compatible with other phones otherwise retailers are going to balk at having multiple payment systems. They all use VISA, MC, AMEX, Discover, JCB, etc with the same terminal right now.
The Twin Cities public transit system offers the Go-To Card with NFC technology as well. It looks like there's even an Android app called FareBot that works with the Clipper Card and a few other NFC enabled transit cards. If the rumors of NFC coming to iPhone 6 pan out then there'll certainly be some options on iOS to follow.
https://play.google.com/store/apps/details?id=com.codebutler.farebot
"- Your iPhone establishes a secure connection with Apple. Utilizing the encryption performance (800% faster than previous processors) of the 64bit A7 a very complex encrypted connection can be made. It should be noted that POS terminals often use ARM processors, but add a separate encryption processor to handle the math.
- All that gets sent to Apple is an identifier of which device is calling in, the merchant ID and price, and a token to identify which CC card to use.
...
- Your iPhone sends this string to the merchant."
These would likely be the exploitable steps. Giving the purchaser that much of a crucial role in the transfer of data is a major drawback. Your system relies on the iPhone sending data to Apple and then the iPhone sending data to the merchant. These two processes give room for a hacker to make changes to what is being sent in order to exploit the system. As a merchant I would be hesitant to agree to a payment system which used the customer as the middle man in such a manner.
You gave a generic possibility, which isn't good enough. What exactly is the hacker going to exploit simply by looking at some BT data that lacks any personal information or credit card numbers?
Let's say they write a custom App to send false data to the merchant to "fool" them that it's an authorized purchase by "cloning" an Apple server response.
- How do they "fool" the merchant by creating a matching reference that also arrives from Apple on their own "normal" Internet connection? Are they going to send data down the BT connection AND the store's own Internet connection? Will they hack the store's physical Internet connection as well?
- How do they create a "string" that when decoded using the merchants key (which is permanently burned into their terminal and isn't known to anyone except Apple) produces data the merchant expects?
Or let's say they write an App that tries to fool Apple into thinking it's actually your iPhone making the request instead of an iPhone that's been hacked to "pretend" to be your device.
- How do they get access to data from your device when they don't have physical access to it? Or put another way, how do they "clone" your device ID so they can try to fool Apple into thinking it's you that's connecting?
- What would Apple's servers do when they realize that two devices are "online" at the same time with the same ID? That would be an instant "lock" to any mobile payments by Apple.
The big difference between my suggestion and current systems is that my idea never transmits any actual card data or personal information. All existing POS systems do just that. And that's what the criminals are after - credit card numbers.
I'd like to know what god forsaken parts of the world snova has been to.
BT can still be used for additional features, like finding what are essentially iBeacons in your scenario, but that doesn't mean a wireless technology with a 10 meter radius is a better option than 10 centimeter range on a technology designed with a secure loop.
Again, using NFC doesn't mean that BT can't be used as an assist for the less secure part of the transaction.
These technologies work very differently so it's irreverent to whatever PoS system may be in place. Would you be OK with WiFi being used over this system you envision? I wouldn't be. BT is more secure because it's more limiting in range and NFC limits this down to a near impossibility thus making it the best option for a secure wireless transfer of protected data between two points.
Just because Google and other Android-based vendors jumped on NFC before Apple doesn't mean we need to trash the technology.
Because current Apple devices don't have NFC. That means that only brand-new iPhones could be used, which severely limits the potential number of users.
I wouldn't worry about WiFi or any other wireless simply because there's no personal data being transferred. If it was actual credit card data then I wouldn't trust WiFi, BT or even NFC.
Here in Vancouver criminals were replacing POS terminals with modified terminals that still worked normally. However they were modified to collect card data. It's a sophisticated scam for sure, but imagine how much easier this would be with NFC? Instead of actually having to modify a terminal (and its internal software) you would only require a very tiny receiver mounted to the POS device which could record all NFC transactions.
It's not about the wireless system - it's about the type of data being transferred. Time will tell, but I firmly believe Apple will process its own payments and they'll do it with a system that never actually transfers any personal data to merchants.
That logic implies never introducing a new technology because older devices won't yet have it. How many iDevices in use today don't have access to Siri? How many don't have access to BT 4.0? How many won't have Touch ID in two years? It's a problem that corrects itself in short order.
Something has to be transmitted to verify the accounts on the devices for the transaction to talk place. This means that when you a wireless tech that is using an omnidirectional signal going dozens of feet with BT or hundreds of feet with WiFi that it's possible to do a MitM attack. NFC makes this a near impossibility.
Whether Apple uses it or not is a completely different issue, but there is no argument that reasonable shows that WiFI and BT are more secure wireless mediums than NFC. We're talking about secure loop that is less than 4". it's the difference between having a 3-digit PIN v. a 20-digit PIN that also requires a key on your wall safe. None can't be broken into but one is designed to be more secure.
I'm not sure you're understanding what NFC is if you think that NFC is somehow less secure than BT in this scenario. I don't even know where to begin with the phrase "NFC transactions" as it can be the exact same payload as any "BT transaction" excel that we're talking about a less than 4" secure loop as opposed to a 32 foot omnidirectional signal.
Reading about how much security is baked into Touch ID that guards against software hacks, and then seeing how the feature is only used to unlock the phone and authenticated iTunes purchases, it makes sense that mobile payments would tie into this. From a customer service standpoint, Apple already has infrastructure setup to handle mobile payments. They have credit cards on file, live support for fraudulent/accidental charges, etc.
Listening to Steve Gibson on his security podcast, he detailed out how the level of security that Apple has built into iOS is only possible because it's a closed system. This is probably why Apple has not opened Touch ID up to third party apps. Apple has already proven that their closed loop is very secure, so it will be interesting to see if that level of security is maintained if they move mobile payment options over to retail stores. If anything, Apple takes a very cautious approach when it comes to security.
Compare this with how Samsung immediately opened up its fingerprint reader to third parties and has partnered with Paypal to use the fingerprint reader for financial transactions. The mystery with Samsung's implementation is how they secure the fingerprint data from software hacks. Touch ID uses multiple security steps, such as requiring passcode entry and purging the encryption keys after a reboot, and using matched identifiers for the A7 SoC and the Touch ID unit.
Quote:
Just because it look them that long to include Siri doesn't meant it wasn't ready. And Siri is still in beta so it's not a great analogy. Touch ID was a very fast turn around and helped lay the groundwork for authenticating payments via your fingerprint for ease of use.
The beta tag was quietly removed from Siri when iOS 7 came out.
For now, I think Touch ID's greatest strength is its ease of use. It has limited utility at the moment, but it's also highly secure (the purported hack that came out last year requires a lot of steps, and after a few unsuccessful tries requires a passcode) and the ease of use means that more users will secure their phones in the first place. Indeed, it does lay out the ground work for a secure and easy to use mobile payment setup in which Apple authorizes and bills out the transactions. This would eliminate the need for multiple IDs and having to setup fingerprint authentication for multiple vendors.
You gave a generic possibility, which isn't good enough. What exactly is the hacker going to exploit simply by looking at some BT data that lacks any personal information or credit card numbers?
Let's say they write a custom App to send false data to the merchant to "fool" them that it's an authorized purchase by "cloning" an Apple server response.
- How do they "fool" the merchant by creating a matching reference that also arrives from Apple on their own "normal" Internet connection? Are they going to send data down the BT connection AND the store's own Internet connection? Will they hack the store's physical Internet connection as well?
- How do they create a "string" that when decoded using the merchants key (which is permanently burned into their terminal and isn't known to anyone except Apple) produces data the merchant expects?
Or let's say they write an App that tries to fool Apple into thinking it's actually your iPhone making the request instead of an iPhone that's been hacked to "pretend" to be your device.
- How do they get access to data from your device when they don't have physical access to it? Or put another way, how do they "clone" your device ID so they can try to fool Apple into thinking it's you that's connecting?
- What would Apple's servers do when they realize that two devices are "online" at the same time with the same ID? That would be an instant "lock" to any mobile payments by Apple.
The big difference between my suggestion and current systems is that my idea never transmits any actual card data or personal information. All existing POS systems do just that. And that's what the criminals are after - credit card numbers.
Yes, it was a generic scenario in response to a generic system proposal. If you desire specific details on how to hack your theoretical system you'd need to provide specific details about every step of the process. No system is unbeatable so it's not a knock on you that your proposal could (and would) be beaten. The current systems are beaten everyday. The question becomes, would implementing a new system be such an improvement over the current methods that it justifies the cost of creation, implementation, and maintenance. That's a question that there currently is currently no answer to as there is a lot of research that would need to be done that hasn't been. Your proposal certainly is interesting to think about though.
I'd like to know what god forsaken parts of the world snova has been to.
In much of the third world, including parts of Latin America, the internet and phone are a bit unpredictable. Helps to have cash on hand. More than a few times I've stopped for fuel at the regular station where I frequently fuel up only for them to tell me the CC machine is down. Plus, in Europe mostly they require chip and pin but in resort tourism areas they still take the old fashion mag stripe version. So I understand where snova is coming from. Even in California a lot of services such as gardening, farmer's market or car wash, only accept cash.
Like the iTunes Store and the App Store and third party hardware support and accessories and… oh, wait.
So your only complaint would be that you can’t buy Dell computers or Samsung phones through Apple’s payment service.
What idiot would buy a Dell computer or a Samsung phone in the first place?! What on Earth makes you think those companies would even SUPPORT Apple’s payment service?! It’s a moot point.
Just shut up and go away.
NFC and secure should not be used in the same sentence. Anyone with the right device in their pocket can steal payment info from someone nearby foolish enough to brandish and use an NFC-equipped mobile device.
I'll let [@]GatorGuy[/@] post the short list of long time partners Apple has. I don't think many companies work with as many others as successfully as Apple.
Care to explain why NFC is less secure of a medium than BT or WiFi?
This has to stop. TouchID IS ABOUT CONVENIENCE. NOT SECURITY.
TouchID requires a pass code backup to even use. TouchID is NO more secure than the passcode that backs it.
So can we please stop the charade that TouchID is "secure" or "highly secure".
It's merely an impenetrable natural alternative to entering your own password all day long. And it's great at it.
It can be easily hacked. Bluetooth can too. Wifi cannot. We're talking "easy" here.
That's not much of a explanation.
That's not exactly an explanation of how a secure hash stored on an A-series chip that activates the BT and NFC HW after the user chooses to initiate the action which then initiates the secure handshake first over BT and then uses NFC with a range of less than 4" to establish a secure loop that will make the transaction in less than a second and then deactivate the NFC chip (and BT if not currently used for other services) can be compromised as opposed to using, in the case you mention, WiFi which assumes SSL to some publicly accessed router at a retailer's shop.
edit: From Wikipedia:
Why say that's inherently more secure than the omnidirectional WiFI signal that can reach from 50 feet to kilometers if one is using a directional antenna?