Wave of the Future? Smartphone NFC used to buy stuff ONLINE
Like pay-bonking but across great distances
Mastercard has started trials of online payments using the secure element in an NFC handset in France, and it looks like it could quickly become the standard way to buy stuff on the internet.
The trial involves 160 staff at ING Bank in Paris, who've been given Galaxy SIII handsets and a PayPass account to play with. When shopping online, via the web, they are offered the chance to authenticate using the phone. The phone then asks for a PIN and generates a cryptographic authentication, all of which takes place over the cellular network rather than the public internet, as NFC Times reports.
The process sounds more complicated than it is, and needs to be compared to the existing system of sending credit card details over the internet. Today's systems not only expose the credit card numbers to malware running on the PC, but they also (generally) result in those details being shared with the retailer - so one's security becomes dependent on the security of that retailer and its staff.
Such transactions are known as "card not present" and the credit card companies charge a rate which reflects their propensity to fraud. The critical question now is whether handset-secured payments will incur the lower "card present" charge, which would certainly result in very rapid adoption by retailers.
NFC Times asked the question, but no decision has yet been made. Mastercard and ING are apparently still deciding whether the technique is a goer before working out how much to charge for it.
Good security comes from paired tokens - generally one provided from your side and another recognisable one from a source you know and trust - with possession of only one being insufficient. Using a credit card on the internet proves almost nothing, and while the passwords introduced by Verified By Visa and similar schemes add "something you know", they still lack the critical physical component.
Barclays PINSentry is a good example of how far banks will go to complete the pair: the physical card-reader posted out to every customer is now used to prove possession of the card (not just the numbers on the card) and knowledge of the PIN, increasing security enormously.
The secure element in an NFC phone can fulfil the same role, and one can easily imagine Verified By Visa being replaced with such a system, and proving very popular if the lower rates were charged. It might not be as sexy as paying for a frappuccino with a bonk of the phone, but if it can reduce internet fraud, then it could prove equally revolutionary. ®
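The contrast drawn above, reusable card details versus a phone-generated authorization, as an added sketch: this is not code from the article and not Mastercard's actual protocol, which the article does not describe. It assumes a key shared between a simulated secure element and the issuer, a three-try PIN limit, and the hypothetical names `SecureElement`, `Issuer` and `shop.example`.

```python
import hashlib, hmac, json, secrets

def tag_for(key, merchant, amount_cents, challenge, counter):
    # HMAC over an unambiguous encoding of everything the authorization covers.
    msg = json.dumps([merchant, amount_cents, challenge, counter]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SecureElement:
    """Simulated secure element: the key never leaves it and the PIN gates its use."""
    def __init__(self, key, pin):
        self._key, self._pin, self._tries, self._counter = key, pin, 3, 0
    def authorize(self, pin, merchant, amount_cents, challenge):
        if self._tries == 0:
            raise PermissionError("PIN blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries -= 1
            raise PermissionError("wrong PIN")
        self._tries, self._counter = 3, self._counter + 1
        tag = tag_for(self._key, merchant, amount_cents, challenge, self._counter)
        return self._counter, tag

class Issuer:
    """Bank side: shares the key, issues one-time challenges, checks each tag."""
    def __init__(self, key):
        self._key, self._open, self._last = key, {}, 0
    def new_challenge(self, merchant, amount_cents):
        challenge = secrets.token_hex(16)
        self._open[challenge] = (merchant, amount_cents)
        return challenge
    def verify(self, merchant, amount_cents, challenge, counter, tag):
        # pop(): a challenge works once, and only for the transaction it was issued for.
        if self._open.pop(challenge, None) != (merchant, amount_cents):
            return False
        good = tag_for(self._key, merchant, amount_cents, challenge, counter)
        if counter <= self._last or not hmac.compare_digest(good, tag):
            return False
        self._last = counter
        return True

def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    se, bank = SecureElement(key, "4821"), Issuer(key)
    ch = bank.new_challenge("shop.example", 1999)
    n, tag = se.authorize("4821", "shop.example", 1999, ch)
    accepted = bank.verify("shop.example", 1999, ch, n, tag)
    replayed = bank.verify("shop.example", 1999, ch, n, tag)  # same data sent again
    ch2 = bank.new_challenge("shop.example", 99999)  # retailer side claims more
    n2, tag2 = se.authorize("4821", "shop.example", 1999, ch2)  # user approved 19.99
    inflated = bank.verify("shop.example", 99999, ch2, n2, tag2)
    return accepted, replayed, inflated
```

Unlike a card number, nothing the retailer or malware on the PC sees here can be reused: the tag is bound to one merchant, one amount and one challenge, and producing it needs both the device and the PIN.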
What part of this actually uses the NFC/rfid/wave-your-phone-like-you-just-don't-care part? You know the bit I mean, Bill, it's your favourite. Why does this need that "secure element" that NFC introduces as opposed to, say, the SIM, which was intended to do much the same thing for phone network authentication?
Leaving aside for the moment that most of the phone network's perceived security stems from its obscurity, and that if you start to seriously poke at it it's less secure than the internet was in 1993. Also leaving aside that the problem with paying with CCs over the internet is mostly with the CCs, not with the internet as a transport. Leaving thus aside that this is yet another bit of technology thrown at a problem the bankers doing the throwing are evidently misunderstanding... again.
Do tell. How does this make NFC less of a solution looking for a problem to solve? Is it the free handsets?
Not only is NFC "pay by bonk" a solution looking for a problem
It will never see widespread use in phones because there are too many people interested in making sure that they take a piece of the transaction (plus the payee's desire to get rewards as is often the case with credit/debit purchases today)
1) the phone OEM
2) the maker of the phone's software when different from hardware (i.e. Google for Android, Microsoft for WP)
3) the carrier
4) the payment processor
5) the account holder's bank
Phone OEMs want a solution dependent on the hardware in the phone so they collect the fee, the maker of the phone's software wants it as part of the OS so they collect the fee, the payment processor and bank want things just the way they are today and won't willingly give up anything to the phone OEM/OS vendor/carrier unless things start looking like they'll get cut out of it entirely.
The carriers in particular used to view this as a huge future revenue stream, seeing it much like how people billed ringtones and the few apps that primitive smartphones used to have to their phone bill, except now they'd have thousands of dollars a month passing through them each month. Not only could they take a cut, they'd gain access to all that valuable market intel.
They're probably really pissed a few of them made a deal with Steve Jobs and let the phone OEMs eventually take back the ironclad control carriers used to have over all the phones on their network, so now that future revenue stream has vanished in a puff of smoke. But they're going to fight like hell to prevent someone else from taking what they viewed as "their" future. Even the biggest Apple haters ought to thank them for that, because say what you will about Steve Jobs, he was good at getting companies to do things that were against their long term interest for short term gain (i.e. breaking the "album" concept and selling almost all music as singles today).
The biggest problem is giving consumers a reason to want to pay via NFC, beyond "hey look what my phone can do". Unless they bribe them with bigger rewards than they can otherwise get, without alienating shop owners by demanding higher interchange fees, I don't see why this will ever be anything but a niche market for geeks who care more about technology than practicality.
Re: Please explain
My guess is that the NFC "secure element" is at least partially under the control of the bank or MasterCard. The problem with paying with a CC over the Internet is the transmission of "means of payment data" instead of "transaction authorization data". The application of the secure element on the client side is meant to provide authorization of payment, much the same way as typing a PIN at a POS. Which of course may leak your data too, but is still more secure than handing your CC to a waiter who walks away with it "for a second" (which is what happens when you fill in CC details on a seller's website).