Apple says potential EU Apple Pay rules threaten security, stifle innovation

2»

Comments

  • Reply 21 of 35


    gc_uk said:
    It would be obvious that Apple’s own code calls a defined API. Why is it such a big deal to open up the API to other vendors?
    You want us to revert now to an unprotected OS where any app can call any OS function? We've already had this in the 1980s, it was called DOS. I loved DOS at the time, but now we have new features called "security" and "privacy" which requires protected OS functions. DOS is gone forever.
    My man, that has nothing to do with an open OS either.  You don't seem to know what's going on at all.
    As above, you simply disagree without justifying anything. That's no help to anyone, including me. I'm humble enough to admit I'm wrong if evidence is provided, but you have provided nothing. Teach me. 

    In this case he said "Why shouldn't Apple open up its APIs to everyone else." I simply provided a reason, which is a valid reason. He didn't say which APIs.
    williamlondonjdb8167watto_cobra
  • Reply 22 of 35
    If I'm wrong I want to know why. Unfortunately you contributed nothing because you gave no explanation at all. You said everything I said was wrong. How does that help? Say something useful or say nothing at all.
    I’m not an expert on this nfc process, however from reading the article you linked to I can make a guess as to where your mistaken. 

    It doesn’t seem like the banks would need their data on the Secure Enclave. (Nor would they need “physical space”) the article describes how the “controller routes directly to the NFC”

    So the process is using something like an MVC framework. The data lives on the enclave - the app calls it, the controller passes it directly to NFC. So the banks don’t need data on the Secure Enclave, they just need to access it. 

    It’s possible that this is what apple is referring to as the security risk - it could give access to Secure Enclave calls that apple doesn’t want to be abused. 
    edited September 2020
  • Reply 23 of 35
    Rayz2016Rayz2016 Posts: 6,957member
    gc_uk said:
    Is this the same as Apple fighting against not including power adaptors when it’s not necessary?

    It would be obvious that Apple’s own code calls a defined API. Why is it such a big deal to open up the API to other vendors?

    Not sure what power adapters has to do with anything. This is a security issue, power adapters are a green issue.

    Apple does of course have their own API, but it is firewalls behind other elements that make sure that authentication has taken place before Apple kicks off the NFC.

    What the EU, in their finite wisdom, is looking at is allowing direct access to the NFC hardware, so the banks can implement their own banking solutions and their own NFC security protocols. 

    22july2013 said:If I'm wrong I want to know why. Unfortunately you contributed nothing because you gave no explanation at all. You said everything I said was wrong. How does that help? Say something useful or say nothing at all.
    Not really sure why you're being ridiculed to be honest; your assessment isn't far off from what appears to be happening.

    Secure Element

    The Secure Element hosts a specially designed applet to manage Apple Pay. It also includes applets certified by payment networks or card issuers. Credit, debit, or prepaid card data is sent from the payment network or card issuer encrypted to these applets using keys that are known only to the payment network or card issuer and the applets’ security domain. This data is stored within these applets and protected using the Secure Element’s security features. During a transaction, the terminal communicates directly with the Secure Element through the Near Field Communication (NFC) controller over a dedicated hardware bus.

    NFC controller
    As the gateway to the Secure Element, the NFC controller ensures that all contactless payment transactions are conducted using a point-of-sale terminal that is in close proximity with the device. Only payment requests arriving from an in-field terminal are marked by the NFC controller as contactless transactions.
    After a credit, debit, or prepaid card (including store cards) payment is authorized by the cardholder using Touch ID, Face ID, or a passcode, or on an unlocked Apple Watch by double-clicking the side button, contactless responses prepared by the payment applets within the Secure Element are exclusively routed by the controller to the NFC field. Consequently, payment authorization details for contactless payment transactions are contained to the local NFC field and are never exposed to the application processor. In contrast, payment authorization details for payments within apps and on the web are routed to the application processor, but only after encryption by the Secure Element to the Apple Pay server.
    Each issuer/network requires an applet in the Secure Element. At a guess, I'd say that the Secure Element isn't worried so much about the card issuers (the banks) as the payment networks (Visa, MasterCard, American Express, Discover … can't think of any more off the top of my head).

    In any case, there is already a mechanism in place for the banks to implement their own 'solution' and add their own token to the Secure Element and their own virtual card to the wallet. We know this is already possible because it's the same mechanism the car manufacturers are using to unlock cars using the NFC hardware.

    So why can't the banks use this method? Because this is the bit they want to bypass:

    During a transaction, the terminal communicates directly with the Secure Element through the Near Field Communication (NFC) controller over a dedicated hardware bus.

    They want to bypass the Secure Element so their apps can go directly through to the NFC. Why? To be honest I'm not sure, but at a guess I'd say that direct access the NFC without Apple's security framework in between would give them access to other elements of the transaction that they would like to sell to marketing companies.

    In my opinion, you'd be mad to use any banking system that went direct to the NFC without Apple's security mechanism.
    edited September 2020 applguywilliamlondonjdb8167tmayDetnatorwatto_cobra
  • Reply 24 of 35
    avon b7avon b7 Posts: 6,169member
    mcdave said:
    avon b7 said:
    I think it's Apple that doesn't understand at least part of the problem.

    And as things stand, nothing has been approved or formalised.

    The EU stance is clear. Apple shouldn't have any issue with it and it has zero to do with stifling innovation (and innovation cannot come before competition rules anyway).

    Apple has to offer something to reflect its own stance but this statement is very poor.

    If, the EU decides that Apple is restricting competition (and that's a big if) its options are clear and simple. 
    How can you “restrict competition” in a platform that was never opened up to it?  Apple’s claim is upheld as its innovations have demonstrably focussed on quality by restricting quantity of options.

    Competitive practices allege better quality/price but rarely deliver it, or any other user benefit, instead they send markets racing to the bottom in terms of both, resulting in a de facto confidence trick. Funny there’s little legal enforcement for that, almost as if choice buys impunity.
    But it did open up to it. That is the whole point of the investigation. The platform moved into the bank processing payment world. It also moved into processing app payment processing and delivery. The second you put a tentacle somewhere that involves exterior factors beyond your platform you run the risk of these kinds of investigations.

    Apple isn't providing Apple Pay for the customer. It's doing it for the money. Money that comes from banks that have nothing to do with the platform. 
  • Reply 25 of 35
    gc_uk said:
    It would be obvious that Apple’s own code calls a defined API. Why is it such a big deal to open up the API to other vendors?
    You want us to revert now to an unprotected OS where any app can call any OS function? We've already had this in the 1980s, it was called DOS. I loved DOS at the time, but now we have new features called "security" and "privacy" which requires protected OS functions. DOS is gone forever.
    Where did I say that?
    williamlondon
  • Reply 26 of 35
    hriw-annon@xs4all.nl[email protected] Posts: 61unconfirmed, member
    NFC is crusty old tech.
    Ars Technica had an article in 2013 complaining about years of NFC hype while nothing happened. 
    Banks just recently caught up with 2010 and started using NFC. Banks love crusty old tech.
    Apple never liked it, but if they want to play in mobile payments, which they do, they need to go with old tech the banks can handle.
    If Apple is forced to keep supporting NFC at the low levels banks want access to, they will be stuck with it longer and their options for moving forward will be restricted.
    That is what they mean by stifling innovation.

    williamlondonjdb8167watto_cobra
  • Reply 27 of 35
    crowleycrowley Posts: 10,034member
    NFC is crusty old tech.
    Ars Technica had an article in 2013 complaining about years of NFC hype while nothing happened. 
    Banks just recently caught up with 2010 and started using NFC. Banks love crusty old tech.
    Apple never liked it, but if they want to play in mobile payments, which they do, they need to go with old tech the banks can handle.
    If Apple is forced to keep supporting NFC at the low levels banks want access to, they will be stuck with it longer and their options for moving forward will be restricted.
    That is what they mean by stifling innovation.

    What superior tech is there that fulfils the functions of NFC?
    edited September 2020
  • Reply 28 of 35
    razorpitrazorpit Posts: 1,796member
    seanj said:
    Not surprised by this. The EU bureaucracy and it’s supporters are rapidly anti-American and don’t like free competition or free-trade: its a protectionist trade block by definition.

    I’m amazed there are still Americans that wonder why we Brits choose to escape the EUs creeping authoritarianism...
    Watch CNN or MSNBC for 5 minutes and you’ll understand why...

    sflocal said:
    avon b7 said:
    I think it's Apple that doesn't understand at least part of the problem.

    And as things stand, nothing has been approved or formalised.

    The EU stance is clear. Apple shouldn't have any issue with it and it has zero to do with stifling innovation (and innovation cannot come before competition rules anyway).

    Apple has to offer something to reflect its own stance but this statement is very poor.

    If, the EU decides that Apple is restricting competition (and that's a big if) its options are clear and simple. 
    Funny that you think Apple doesn't "get it".  I think they do, and ignorance is on your side.

    For decades, the banking industry has gotten away with selling my user data, or better yet, having data breaches that placed my financial life at risk.  ApplePay resolves that.  F**k them.

    Banks don't like that Apple controls the final length to the customer.  The ONLY reason for this is so the banks can get out of using ApplePay and use their own version that denies me the ability to use ApplePay.  Oh, I want to use my iPhone with my Bank of America credit card?  They no longer work with with ApplePay.  You have to use their app, but... "consumer choice"!! That's their only reason.   They will deny me the ability to use ApplePay so they can continue harvesting my data.

     They are hiding their true agenda under the veil of "consumer choice" bullshit, and people like you just lap it up.  If you think your "choice" is threatened, go to Android and don't look back.  It's the wild-west so why you're expecting Apple to be like Android is beyond me.  We all enjoy Apple's locked-down approach.  They sell an all-in-one widget.  Competition is plenty from other players.  

    You keep spinning that "consumer choice" narrative.
    So much wrong.  Banks still get away with monetizing your data.  Not sure what gave you the impression they didn't.  Apple Pay doesn't resolve that in any way at all.  So, it's not really the F them you want it to be.  Apple doesn't control the final length to the customer. The banks still do.  If your bank has a data breach and your info is compromised, there's nothing Apple can do to mitigate your potential risk.  Again, not sure what gave you the impression they could.  If you lack this much knowledge about how your finances work, I worry for you a li'l bit.   

    Part of your problem is the binary way you present your position.  This isn't an either or proposition.  Afaik, the request for access to NFC has never been about replacing Apple Pay.  It's been about being able to offer options in addition to Apple Pay.  You wouldn't have to stop using Apple Pay.  If that's your process of choice, use it to your hearts content.  Hypothetically someone else may want to use their bank's processing because they get rewards or points or some other incentive.  In that scenario, you aren't affected at all.  Neither is anyone else.  Having a choice is not a bad thing.  
    Your first paragraph is excellent. Your second paragraph, while mostly right, has a small flaw, because it omits the vital fact that the NFC support is NOT provided by iOS but by code running on the Secure Enclave. Read this: https://support.apple.com/en-ca/guide/security/seccb53a35f0/1/web/1 This is a special piece of hardware outside of (and inaccessible to) the running OS that provides access to the NFC hardware. For all we know, there isn't even enough physical room on that chip for new code from every new bank that wants their own "Pay" system. Should Apple be required to add more space to that chip to allow every second bank in the world to add its own code to that chip's firmware? I don't think so. I must admit that I don't fully understand how this Secure Enclave works, so there's probably someone who can educate me here. But the real point I'm making is that the security of a device like the iPhone requires the involvement of hardware design and everyone in the world wants a free ride by adding their own code to Apple's Secure Enclave hardware. There's no way on earth that anyone should be allowed to force Apple to redesign their hardware so that their software can get a free ride. If I'm wrong, tell me why.
    Jeebus, Margaret, and Jesse.  Please, for the love of all things tech, stop, stop, stop, just no.  You're literally just making stuff up.  Silly stuff.  Every assumption you've made about NFC, the Secure Enclave, and this gem: "For all we know, there isn't even enough physical room on that chip for new code from every new bank that wants their own "Pay" system. "  I can't even.  Suffice it to say, that's not how any of this works.  I need a drink after reading that.
    If I'm wrong I want to know why. Unfortunately you contributed nothing because you gave no explanation at all. You said everything I said was wrong. How does that help? Say something useful or say nothing at all.
    There’s a lot of that around here.
    watto_cobra
  • Reply 29 of 35
    hriw-annon@xs4all.nl[email protected] Posts: 61unconfirmed, member
    crowley said:
    NFC is crusty old tech.
    Ars Technica had an article in 2013 complaining about years of NFC hype while nothing happened. 
    Banks just recently caught up with 2010 and started using NFC. Banks love crusty old tech.
    Apple never liked it, but if they want to play in mobile payments, which they do, they need to go with old tech the banks can handle.
    If Apple is forced to keep supporting NFC at the low levels banks want access to, they will be stuck with it longer and their options for moving forward will be restricted.
    That is what they mean by stifling innovation.

    What superior tech is there that fulfils the functions of NFC?
    Any other communication medium. Near Field Communication requires close proximity. There are not many applications where this is a pro and not a con.
    NFC only feels natural for payments because we are used going to a special machine or person to pay. It's like they used to stick a fake horse head onto the first automobiles, or how the first quartz wall clocks sometimes had pendulums. This felt natural and right to many people then. Standing in line to do a thing to pay is like that.
    Apple does not want to be held back by such luddites, and they would be if they were forced to support implementation details like NFC just because banks are slow with tech.

    We have been paying for stuff over the internet for years, financial transactions don't really require physical proximity. 

    Take a look at the ISO7816 standard. This monstrous abomination from the primeval ooze is what Apple would have to support if the banks had their way.
    edited September 2020 jdb8167watto_cobra
  • Reply 30 of 35
    avon b7avon b7 Posts: 6,169member
    crowley said:
    NFC is crusty old tech.
    Ars Technica had an article in 2013 complaining about years of NFC hype while nothing happened. 
    Banks just recently caught up with 2010 and started using NFC. Banks love crusty old tech.
    Apple never liked it, but if they want to play in mobile payments, which they do, they need to go with old tech the banks can handle.
    If Apple is forced to keep supporting NFC at the low levels banks want access to, they will be stuck with it longer and their options for moving forward will be restricted.
    That is what they mean by stifling innovation.

    What superior tech is there that fulfils the functions of NFC?
    Any other communication medium. Near Field Communication requires close proximity. There are not many applications where this is a pro and not a con.
    NFC only feels natural for payments because we are used going to a special machine or person to pay. It's like they used to stick a fake horse head onto the first automobiles, or how the first quartz wall clocks sometimes had pendulums. This felt natural and right to many people then. Standing in line to do a thing to pay is like that.
    Apple does not want to be held back by such luddites, and they would be if they were forced to support implementation details like NFC just because banks are slow with tech.

    We have been paying for stuff over the internet for years, financial transactions don't really require physical proximity. 

    Take a look at the ISO7816 standard. This monstrous abomination from the primeval ooze is what Apple would have to support if the banks had their way.
    Are you sure? 


  • Reply 31 of 35
    hriw-annon@xs4all.nl[email protected] Posts: 61unconfirmed, member
    avon b7 said:
    crowley said:
    NFC is crusty old tech.
    Ars Technica had an article in 2013 complaining about years of NFC hype while nothing happened. 
    Banks just recently caught up with 2010 and started using NFC. Banks love crusty old tech.
    Apple never liked it, but if they want to play in mobile payments, which they do, they need to go with old tech the banks can handle.
    If Apple is forced to keep supporting NFC at the low levels banks want access to, they will be stuck with it longer and their options for moving forward will be restricted.
    That is what they mean by stifling innovation.

    What superior tech is there that fulfils the functions of NFC?
    Any other communication medium. Near Field Communication requires close proximity. There are not many applications where this is a pro and not a con.
    NFC only feels natural for payments because we are used going to a special machine or person to pay. It's like they used to stick a fake horse head onto the first automobiles, or how the first quartz wall clocks sometimes had pendulums. This felt natural and right to many people then. Standing in line to do a thing to pay is like that.
    Apple does not want to be held back by such luddites, and they would be if they were forced to support implementation details like NFC just because banks are slow with tech.

    We have been paying for stuff over the internet for years, financial transactions don't really require physical proximity. 

    Take a look at the ISO7816 standard. This monstrous abomination from the primeval ooze is what Apple would have to support if the banks had their way.
    Are you sure? 


    Yup. I build software for that stuff, for access control systems. Built an Android app with NFC (just a proof of concept, a real Android programmer made the app clients use). It’s a mess. And yes, smart people can make it mostly work. It’s what engineers do.
    But NFC is not the future. It was a solution looking for a problem for a long time. It was going nowhere until the banks were ready for it, and then Apple had to play along.

    There is nothing in that video that UWB cannot do better.
    jdb8167watto_cobra
  • Reply 32 of 35
    avon b7 said:
    mcdave said:
    avon b7 said:
    I think it's Apple that doesn't understand at least part of the problem.

    And as things stand, nothing has been approved or formalised.

    The EU stance is clear. Apple shouldn't have any issue with it and it has zero to do with stifling innovation (and innovation cannot come before competition rules anyway).

    Apple has to offer something to reflect its own stance but this statement is very poor.

    If, the EU decides that Apple is restricting competition (and that's a big if) its options are clear and simple. 
    How can you “restrict competition” in a platform that was never opened up to it?  Apple’s claim is upheld as its innovations have demonstrably focussed on quality by restricting quantity of options.

    Competitive practices allege better quality/price but rarely deliver it, or any other user benefit, instead they send markets racing to the bottom in terms of both, resulting in a de facto confidence trick. Funny there’s little legal enforcement for that, almost as if choice buys impunity.
    But it did open up to it. That is the whole point of the investigation. The platform moved into the bank processing payment world. It also moved into processing app payment processing and delivery. The second you put a tentacle somewhere that involves exterior factors beyond your platform you run the risk of these kinds of investigations.

    Apple isn't providing Apple Pay for the customer. It's doing it for the money. Money that comes from banks that have nothing to do with the platform. 
    So it's either for the money or the customer?  Not both?  What a dense view of business and technology.
    watto_cobra
  • Reply 33 of 35
    avon b7avon b7 Posts: 6,169member
    avon b7 said:
    crowley said:
    NFC is crusty old tech.
    Ars Technica had an article in 2013 complaining about years of NFC hype while nothing happened. 
    Banks just recently caught up with 2010 and started using NFC. Banks love crusty old tech.
    Apple never liked it, but if they want to play in mobile payments, which they do, they need to go with old tech the banks can handle.
    If Apple is forced to keep supporting NFC at the low levels banks want access to, they will be stuck with it longer and their options for moving forward will be restricted.
    That is what they mean by stifling innovation.

    What superior tech is there that fulfils the functions of NFC?
    Any other communication medium. Near Field Communication requires close proximity. There are not many applications where this is a pro and not a con.
    NFC only feels natural for payments because we are used going to a special machine or person to pay. It's like they used to stick a fake horse head onto the first automobiles, or how the first quartz wall clocks sometimes had pendulums. This felt natural and right to many people then. Standing in line to do a thing to pay is like that.
    Apple does not want to be held back by such luddites, and they would be if they were forced to support implementation details like NFC just because banks are slow with tech.

    We have been paying for stuff over the internet for years, financial transactions don't really require physical proximity. 

    Take a look at the ISO7816 standard. This monstrous abomination from the primeval ooze is what Apple would have to support if the banks had their way.
    Are you sure? 


    Yup. I build software for that stuff, for access control systems. Built an Android app with NFC (just a proof of concept, a real Android programmer made the app clients use). It’s a mess. And yes, smart people can make it mostly work. It’s what engineers do.
    But NFC is not the future. It was a solution looking for a problem for a long time. It was going nowhere until the banks were ready for it, and then Apple had to play along.

    There is nothing in that video that UWB cannot do better.
    And as you will know, Huawei has been using UWB for a while now to track elements to centimetre precision - just not on phones. It has not been economically viable on phones up to now, even though that may be changing. 

    In fact, a lot of people don't realise that the MMW band on 5G has amazing potential for centimetre precision tracking and could prove economically viable too. 

    The whole point of NFC today (paired with the relevant security protections on modern SoCs) is the 'near' and in the 1+8+N world NFC still has legs. That's why Huawei uses it. 

    You should also know that banks and many other critical infrastructure semiconductor users steer well away from modern chipsets, the number one reason being their immaturity and not having a very mature development ecosystem to support them. It takes time to discover and correct hardware bugs.

    That doesn't mean they are not averse to using new architectures in terms of communications and data centres etc but you will rarely find them on the bleeding edge and for good reason. 

    Even with this precautionary approach, problems can occur. One classic example is the flaw in the EMV system discovered by Cambridge University. 
    edited September 2020 crowley
  • Reply 34 of 35
    Rayz2016 said:
    gc_uk said:
    Is this the same as Apple fighting against not including power adaptors when it’s not necessary?

    It would be obvious that Apple’s own code calls a defined API. Why is it such a big deal to open up the API to other vendors?

    Not sure what power adapters has to do with anything. This is a security issue, power adapters are a green issue.

    If you followed the story I was referencing, Apple accused the EU of stifling innovation because of the mandate for all manufacturers to use the same power standards and not include chargers where they weren't required.  Then Apple quietly started opting to leave out chargers.  Seems they are just complaining at everything the EU opens an investigation into.

    Rayz2016 said:
    What the EU, in their finite wisdom, is looking at is allowing direct access to the NFC hardware, so the banks can implement their own banking solutions and their own NFC security protocols. 


    Are you SURE that's what the EU are asking for?  At the moment they aren't asking for anything.  it's merely an investigation into whether there's anti-competitive behaviour.  If they mandate access then that also doesn't mean access to the hardware, just that all providers should have the same access to the API.

    Rayz2016 said:

    In my opinion, you'd be mad to use any banking system that went direct to the NFC without Apple's security mechanism.
    Great, you shouldn't use those banking systems then.  Why should you get a say over how everyone else does?
    avon b7gatorguy
  • Reply 35 of 35
    avon b7avon b7 Posts: 6,169member
    IIRC, one of the biggest changes OSX (Darwin) brought to the Mac was that nothing got to talk with the hardware directly.

    Seeing that Darwin also underpins iOS, are some people here claiming that third parties could somehow gain direct access to iPhone components if Apple were required to make the NFC available? Is that even possible?


Sign In or Register to comment.