Agree. The more security for everybody, the better.
On the other hand, I'm sure Apple has all manner of patents on TouchID and Secure Element.
Those are the two crucial user-facing hardware technologies.
1) The Secure Element is built into the NFC chip. That isn't something Apple controls and has existed well before the iPhone 6 series.
2) The Touch ID biometric is a wonderful convenience, but it's not necessary for ?Pay (and all other NFC-based payments) since you can still authenticate using a PIN/passcode.
3) I wonder what patents Apple has with ?Pay's end-to-end solutions. With the bank it's basically an additional card tied to your account. I'd think that's more along the lines of a contract that would prevent banks from inking deals with others right now. In fact, if I were wanting to set this up I'd challenge Apple if they had a patent specifically for a representational number to be associated with my account as I know that's already been available with multiple cards on an account, albeit in a slightly different manner, but I'd say it's essential for security in a digital age, so at most I'd say such a patent would have to be under FRAND.
Google still has no answer to TouchID. Face-unlock, proximity unlock, device-paired unlock are all technically insecure and full of weird exception cases compared to fingerprint-based ID.
Perhaps Samsung might get closer with their recent fingerprint company acquisition, but Google's ecosystem can't compete with Apple's HW integration here. And Samsung's integration will likely run into issues - a coworker told me his new snazzy fingerprint reader on his Galaxy S5 was disabled when he joined our workplace's Exchange server (likely some policy, but really?)... what user can take that seriously?
And I expect TouchID to go far - perhaps defining Apple's HW leadership much like "unibody" or "multi-touch" which left their competition in the dust.
"Bigger differences showed up in security. Softcard uses 10 of 13 security measures we examined—more than its rivals–giving it the best score. For example, though all of the mobile wallets use encrypted storage for sensitive data and require a PIN to unlock the wallet, Google and Loop let you turn off the wallet-lock timer. That makes it easier to pay at the check-out, but it also leaves the wallet open to unauthorized charges if you lose it or leave it unattended. On the other hand, Google and Softcard let you remotely disable the wallet if it's lost or stolen.
Apple Pay offers improved security, particularly with its Touch ID fingerprint authentication, that can take the place of a PIN to unlock the phone and wallet. That's important, because users soon tire of having to constantly punch in a PIN and surrender to the temptation to disable the auto locks altogether. The convenience of Touch ID should boost security, even though it can be disabled for the phone and Apple Pay.
Apple Pay also provides great security by generating a unique code or "token" for each transaction, which can't be re-used, and by storing "device account numbers" on the phone's encrypted chip, in place of your actual payment card account numbers. Even if a hacker gets those numbers, they can't be used outside of Apple Pay.
But Google Wallet and Softcard also use dynamic transaction tokens, and Google generates and stores "virtual card" substitutes for your real payment card numbers. So Apple Pay tokenization is not the innovation it's been tricked out to be. LoopPay says it will have tokenization in 2015.
All four wallets also check to make sure that the card properly belongs to the owner of the phone and virtual wallet, to prevent crooks from adding your card to their wallet."
That CR article has already been debunked. They're using ridiculous criteria to make up their "list" while ignoring more important features. There's NO WAY IN HELL anyone could ever come to the conclusion Apple Pay is less secure than LoopPay, Wallet or Softcard. Even worse, several items on their security list don't exist in Apple Pay because of how it works. So Apple Pay can't get a point for something stupid like "need password and PIN to access credentials" since there's NOTHING stored on your phone in the first place.
BTW, welcome to the block list. Only took you two posts.
There is some evidence to suggest that isn't where it's stored. If the device has NFC I see no reason why it's not stored on the NFC's Secure Element.
I was less interested in the secure element end and rather on the transmittal of the credit card information to the POS vendor, as that's where the big breaches occur: within the store's systems.
And of course, it's that very loss of consumer identity and information that compels vendors to resist the full anonymity of tokensization. They'll add the convenience of digital pay systems but they want that consumer information.
Nothing about Softcard but Google Wallet on tokenization which I already knew. Google tokenization is authenticated by PIN, which can be intercepted and used outside of the app. That's another vulnerability for Google Wallet.
If PIN were less secure than fingerprint for authentication, then why does Apple make TouchID subordinate to a PIN? iOS will trust your PIN but not your fingerprint in certain situations, such as after 48 hours of idle time or right after boot. However there are no situations where the reverse is true.
If PIN were less secure than fingerprint for authentication, then why does Apple make TouchID subordinate to a PIN? iOS will trust your PIN but not your fingerprint in certain situations, such as after 48 hours of idle time or right after boot. However there are no situations where the reverse is true.
Or if your Touch ID authentication fails too many consecutive times.
Google offered a secure element integrated with the NFC chip a'la ApplePay several years ago. The carriers blocked it since they were planning their own mobile pay solution. In essence the carriers took away Google's first choice for mobile payment security. As I read about it Google spent a couple of years working to bypass the block. So along comes ApplePay breaking the blockade. Kudos.
So it's not so much Google being caught with their pants down as carrier greed interfering. With the carriers unlikely to continue blocking the NFC-embedded secure element I'll be surprised if Google doesn't go back to it, but who knows but Google. They sometimes do odd stuff.
Once again Google shows it cares more about its real customers (advertisers) than its end users.
I don't think it is an exclusive as much as it reflects a level of effort and time that Google did not attempt.
Well everything is a beta. An experiment. Google is exploring. Learning. But once Apple shows the way forward, it's about "competing with Apple" because as the trolls always say: "Google Apple needs competition."
1) The Secure Element is built into the NFC chip. That isn't something Apple controls and has existed well before the iPhone 6 series.
2) The Touch ID biometric is a wonderful convenience, but it's not necessary for ?Pay (and all other NFC-based payments) since you can still authenticate using a PIN/passcode.
3) I wonder what patents Apple has with ?Pay's end-to-end solutions. With the bank it's basically an additional card tied to your account. I'd think that's more along the lines of a contract that would prevent banks from inking deals with others right now. In fact, if I were wanting to set this up I'd challenge Apple if they had a patent specifically for a representational number to be associated with my account as I know that's already been available with multiple cards on an account, albeit in a slightly different manner, but I'd say it's essential for security in a digital age, so at most I'd say such a patent would have to be under FRAND.
I think you are over simplifying a lot here. The secure element of touch ID is incorporated into Apple's A7 and later chips not in the NFC chip. If touch ID is not necessary for ?Pay then why is ?Pay limited only to Apple products that have touch ID? I don't think FRAND applies at this point as Apple hasn't applied for nor submitted touch ID for FRAND approval/acceptance and there is plenty of alternatives (not as good or secure, imo) out already and more being announced weekly and I believe FRAND has to be applied for on a voluntary basis and isn't a standard forced on anyone.
If PIN were less secure than fingerprint for authentication, then why does Apple make TouchID subordinate to a PIN? iOS will trust your PIN but not your fingerprint in certain situations, such as after 48 hours of idle time or right after boot. However there are no situations where the reverse is true.
Because people would normally use Touch ID to unlock their phone and ONLY use the PIN under certain circumstances (like dirty hands, wet fingers, wearing gloves or something that would prevent Touch ID from working). That makes it very difficult for a crook to intercept (such as by using a camera in a store to record you entering a PIN or a crook looking over your shoulder) since it's not something you use all the time to unlock/authorize.
Google is a payment processor for Wallet. Google has your CC information as well as full transaction history.
Wallet is not a full tokenized solution going all the way back to the bank. Google has setup nothing with the banks like Apple has.
Well how do you expect Google to spy on everything you do if Google didn't set it up like they did?. This way that can track what you buy, how much you paid and from who. Ask valuable data. They are involved fact the middle man. Apple gets none of that data.
I think you are over simplifying a lot here. The secure element of touch ID is incorporated into Apple's A7 and later chips not in the NFC chip. If touch ID is not necessary for ?Pay then why is ?Pay limited only to Apple products that have touch ID? I don't think FRAND applies at this point as Apple hasn't applied for nor submitted touch ID for FRAND approval/acceptance and there is plenty of alternatives (not as good or secure, imo) out already and more being announced weekly and I believe FRAND has to be applied for on a voluntary basis and isn't a standard forced on anyone.
The secure element has nothing to do with touch id.
Comments
What's the point. Android users don't have money, and don't buy goods. They forage through bins and spend their welfare money on weed.
1) The Secure Element is built into the NFC chip. That isn't something Apple controls and has existed well before the iPhone 6 series.
2) The Touch ID biometric is a wonderful convenience, but it's not necessary for ?Pay (and all other NFC-based payments) since you can still authenticate using a PIN/passcode.
3) I wonder what patents Apple has with ?Pay's end-to-end solutions. With the bank it's basically an additional card tied to your account. I'd think that's more along the lines of a contract that would prevent banks from inking deals with others right now. In fact, if I were wanting to set this up I'd challenge Apple if they had a patent specifically for a representational number to be associated with my account as I know that's already been available with multiple cards on an account, albeit in a slightly different manner, but I'd say it's essential for security in a digital age, so at most I'd say such a patent would have to be under FRAND.
"credit card data is stored on a user's SIM card and transmitted to a POS terminal for processing."
So, in this age of increasing security awareness?
Dead.
On.
Arrival
Google still has no answer to TouchID. Face-unlock, proximity unlock, device-paired unlock are all technically insecure and full of weird exception cases compared to fingerprint-based ID.
Perhaps Samsung might get closer with their recent fingerprint company acquisition, but Google's ecosystem can't compete with Apple's HW integration here. And Samsung's integration will likely run into issues - a coworker told me his new snazzy fingerprint reader on his Galaxy S5 was disabled when he joined our workplace's Exchange server (likely some policy, but really?)... what user can take that seriously?
And I expect TouchID to go far - perhaps defining Apple's HW leadership much like "unibody" or "multi-touch" which left their competition in the dust.
I would kill for a TouchID MBP.
There is some evidence to suggest that isn't where it's stored. If the device has NFC I see no reason why it's not stored on the NFC's Secure Element.
Google search will bring number of references. One of the less technical is Consumer Reports which has accurate information: http://www.consumerreports.org/cro/news/2014/09/virtual-wallet-review-apple-pay-google-wallet-softcard-and-loop-wallet/index.htm:
"Bigger differences showed up in security. Softcard uses 10 of 13 security measures we examined—more than its rivals–giving it the best score. For example, though all of the mobile wallets use encrypted storage for sensitive data and require a PIN to unlock the wallet, Google and Loop let you turn off the wallet-lock timer. That makes it easier to pay at the check-out, but it also leaves the wallet open to unauthorized charges if you lose it or leave it unattended. On the other hand, Google and Softcard let you remotely disable the wallet if it's lost or stolen.
Apple Pay offers improved security, particularly with its Touch ID fingerprint authentication, that can take the place of a PIN to unlock the phone and wallet. That's important, because users soon tire of having to constantly punch in a PIN and surrender to the temptation to disable the auto locks altogether. The convenience of Touch ID should boost security, even though it can be disabled for the phone and Apple Pay.
Apple Pay also provides great security by generating a unique code or "token" for each transaction, which can't be re-used, and by storing "device account numbers" on the phone's encrypted chip, in place of your actual payment card account numbers. Even if a hacker gets those numbers, they can't be used outside of Apple Pay.
But Google Wallet and Softcard also use dynamic transaction tokens, and Google generates and stores "virtual card" substitutes for your real payment card numbers. So Apple Pay tokenization is not the innovation it's been tricked out to be. LoopPay says it will have tokenization in 2015.
All four wallets also check to make sure that the card properly belongs to the owner of the phone and virtual wallet, to prevent crooks from adding your card to their wallet."
That CR article has already been debunked. They're using ridiculous criteria to make up their "list" while ignoring more important features. There's NO WAY IN HELL anyone could ever come to the conclusion Apple Pay is less secure than LoopPay, Wallet or Softcard. Even worse, several items on their security list don't exist in Apple Pay because of how it works. So Apple Pay can't get a point for something stupid like "need password and PIN to access credentials" since there's NOTHING stored on your phone in the first place.
BTW, welcome to the block list. Only took you two posts.
There is some evidence to suggest that isn't where it's stored. If the device has NFC I see no reason why it's not stored on the NFC's Secure Element.
I was less interested in the secure element end and rather on the transmittal of the credit card information to the POS vendor, as that's where the big breaches occur: within the store's systems.
And of course, it's that very loss of consumer identity and information that compels vendors to resist the full anonymity of tokensization. They'll add the convenience of digital pay systems but they want that consumer information.
What's the point. Android users don't have money, and don't buy goods. They forage through bins and spend their welfare money on weed.
LOL
Such a stereotype and so true at the same time.
Every android guy I know IRL is always saying "look what my droid can do" and my inevitable response is "why would you want it to?"
???????????? Google and Samsung - the original "Monkey see, Monkey Do" companies, i.e., a couple of freankin' monkeys!
Nothing about Softcard but Google Wallet on tokenization which I already knew. Google tokenization is authenticated by PIN, which can be intercepted and used outside of the app. That's another vulnerability for Google Wallet.
If PIN were less secure than fingerprint for authentication, then why does Apple make TouchID subordinate to a PIN? iOS will trust your PIN but not your fingerprint in certain situations, such as after 48 hours of idle time or right after boot. However there are no situations where the reverse is true.
Or if your Touch ID authentication fails too many consecutive times.
That CR article has already been debunked.
Link please. Thx
Once again Google shows it cares more about its real customers (advertisers) than its end users.
Google keeps transaction data on their servers. Softcard is even worse.
It is just crap raised to the crap power.
The only thing Google gets is to hopefully stop PayPal from suing them further for stealing PayPal technology.
Oh, they're doing it to you too, but you just haven't figured out how.
If a customer is someone who pays for a product or service, then yeah: Advertisers. I'm sure Google worshippers will disagree with me.
Well everything is a beta. An experiment. Google is exploring. Learning. But once Apple shows the way forward, it's about "competing with Apple" because as the trolls always say: "
GoogleApple needs competition."2) The Touch ID biometric is a wonderful convenience, but it's not necessary for ?Pay (and all other NFC-based payments) since you can still authenticate using a PIN/passcode.
3) I wonder what patents Apple has with ?Pay's end-to-end solutions. With the bank it's basically an additional card tied to your account. I'd think that's more along the lines of a contract that would prevent banks from inking deals with others right now. In fact, if I were wanting to set this up I'd challenge Apple if they had a patent specifically for a representational number to be associated with my account as I know that's already been available with multiple cards on an account, albeit in a slightly different manner, but I'd say it's essential for security in a digital age, so at most I'd say such a patent would have to be under FRAND.
I think you are over simplifying a lot here. The secure element of touch ID is incorporated into Apple's A7 and later chips not in the NFC chip. If touch ID is not necessary for ?Pay then why is ?Pay limited only to Apple products that have touch ID? I don't think FRAND applies at this point as Apple hasn't applied for nor submitted touch ID for FRAND approval/acceptance and there is plenty of alternatives (not as good or secure, imo) out already and more being announced weekly and I believe FRAND has to be applied for on a voluntary basis and isn't a standard forced on anyone.
If PIN were less secure than fingerprint for authentication, then why does Apple make TouchID subordinate to a PIN? iOS will trust your PIN but not your fingerprint in certain situations, such as after 48 hours of idle time or right after boot. However there are no situations where the reverse is true.
Because people would normally use Touch ID to unlock their phone and ONLY use the PIN under certain circumstances (like dirty hands, wet fingers, wearing gloves or something that would prevent Touch ID from working). That makes it very difficult for a crook to intercept (such as by using a camera in a store to record you entering a PIN or a crook looking over your shoulder) since it's not something you use all the time to unlock/authorize.
Well how do you expect Google to spy on everything you do if Google didn't set it up like they did?. This way that can track what you buy, how much you paid and from who. Ask valuable data. They are involved fact the middle man. Apple gets none of that data.
I think you are over simplifying a lot here. The secure element of touch ID is incorporated into Apple's A7 and later chips not in the NFC chip. If touch ID is not necessary for ?Pay then why is ?Pay limited only to Apple products that have touch ID? I don't think FRAND applies at this point as Apple hasn't applied for nor submitted touch ID for FRAND approval/acceptance and there is plenty of alternatives (not as good or secure, imo) out already and more being announced weekly and I believe FRAND has to be applied for on a voluntary basis and isn't a standard forced on anyone.
The secure element has nothing to do with touch id.