With Apple’s domination of media mindshare almost total, the fact that you can already buy other handsets with NFC in them (e.g., the Google Nexus S and the Nokia C7, although both are currently software-limited) and that the first BlackBerry handsets are imminent has been overlooked. All press comment (I know, because I contributed to some of it) has been about the iPhone. One of the questions that I was asked, repeatedly, was about iTunes morphing into a new payment scheme.
“They have 160 million users with digital wallets in iTunes accounts. They don’t have to do anything other than to NFC-enable their phones,” Litan said. [From Analysts: Apple could disrupt mobile payment industry | Macworld]
They do have numbers on their side, that’s true. But as we all know, payments is a two-sided market, so there has to be a reason for the merchants to get on board too.
For merchants, an Apple payment system could prove attractive. Many merchants are raring for alternative payment systems, to avoid having to pay the hefty fees that credit card companies charge for every transaction. [From Analysts: Apple could disrupt mobile payment industry | Macworld]
Yes, but how will Apple avoid them? Everything I buy on iTunes goes to my MasterCard. Sure, Apple aggregates the payments, but the banks don’t provide this service for free, even for Steve Jobs. In order to avoid having to pay credit card fees, Apple would have to do what PayPal does and start persuading people to sign up with their bank account details, which would in turn mean building the kind of anti-fraud platform that PayPal have been building for a decade. And why would they do that? It seems like a lot of non-core investment to commit to.
This investment is needed because the biggest problem will be security. So long as my iTunes password only allows you to buy music tracks for my iPod or games for my iPad or note-taking applications for my Macintosh, the risk is manageable. But if my iTunes password allows you to walk out of a store with a pair of shoes or a telly, then my iTunes password will become valuable. Microseconds after extending iTunes payments to retail stores, Apple would be dealing with millions of customers calling up because their passwords had been phished, copied or guessed.
Japanese police have arrested two people suspected of stealing virtual goods from players of online game Lineage II. The pair tricked victims via a booby-trapped program that claimed to help people play the game. Instead of boosting a character’s abilities the program stole account names and passwords.[From BBC News – Lineage II pair arrested for stealing virtual goods]
I’m sure Apple are perfectly well aware of this kind of crime and know that were iTunes to become a general payment platform, then it would become widespread. This is hardly wild projection, since the phishing of iTunes accounts is already widespread.
At least one group of scammers has found a way to charge thousands of dollars to iTunes accounts through PayPal. One targeted customer told us, “My account was charged over $4700. I called security at PayPal and was told a large number of iTunes store accounts were compromised.” [From Fraudsters Drain PayPal Accounts Through iTunes]
I’m sure Apple already has lots of people working on this problem but ultimately it’s very difficult to stop people from giving away their passwords and I’m sure the phishers will soon learn to send out the right kind of e-mail messages.
Roughly 50,000 Apple iTunes accounts stolen by hackers are said to be for sale on China’s largest auction site.[From 50,000 Stolen iTunes Accounts On China Auction Site — Apple iTunes — InformationWeek]
The underlying problem is, of course, that passwords are not security and no-one should be allowed to use the phrase “password security” in any serious context. So long as the cost of phishing, guessing or actually breaking passwords is fantastically less than the value of the account that they give access to, there is no solution.
Thomas Roth of Cologne, Germany told Reuters he used custom software running on Amazon’s Elastic Compute Cloud service to break into a WPA-PSK protected network in about 20 minutes. With refinements to his program, he said he could shave the time to about six minutes. With EC2 computers available for 28 cents per minute, the cost of the crack came to just $1.68.[From Researcher cracks Wi-Fi passwords with Amazon cloud • The Register]
Ah, you might say, but suppose Apple implements a Secure Element (SE) for NFC and that SE uses standard PKI applications on industry-standard GlobalPlatform in an industry-standard JavaCard. Then a thief would have to steal the iPhone as well as the password, and this is indeed true. Apple could implement an identity-based payment mechanism and persuade merchants to install the contactless terminals, implement the new scheme and pay Apple instead of paying the banks (whose fees have just been capped by the Durbin amendment).
Again, why bother? You may as well do a deal with a bank to put a contactless EMV application in the SE. But suppose you are not going to care about anything at retail POS (except in your own stores) but instead want to improve security and convenience for customers in general? Imagine this scenario a year from now: I log in to iTunes and it gives me the option of switching to two-factor authentication. (Apple wouldn’t call it that, they have better marketing people; suppose they call it Apple Passport or something like that, maybe iMe or whatever.) I accept. From then on, when I log in to iTunes on my iPhone, I don’t notice anything different, but under the hood iTunes is sending a digitally-signed challenge to a digital signature application in the SE. It’s decoded using Apple’s public key, and signed using my public key (which, of course, Apple know) and sent back. Sorted. Now with this strong authentication, Apple can have higher-priced items for sale via iTunes. When I log in on my PC, a message pops up on my iPhone and I have to enter my passcode. Under the hood, the same process. Now you have to steal my passcode and my iPhone.
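The challenge-response exchange sketched above, written out as an added example (this is not Apple’s code, nor the author’s; the names Server, Device, Challenge, Enroll, NewChallenge, Answer and Verify are assumptions for illustration). It follows the standard PKI shape: the server signs a fresh, time-limited challenge with its own private key, the device checks that signature with the server’s public key, then signs the same digest with the private key that lives in the SE, and the server checks the response with the public key enrolled at opt-in time. The server only ever holds public keys, so a stolen password alone (the impostor case in the test) cannot produce a valid response, and an expired or forged challenge is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Server is the "Apple" side: its own signing key plus the public keys
// enrolled when each account opted in to two-factor (assumed structure).
type Server struct {
	key     *ecdsa.PrivateKey
	devices map[string]*ecdsa.PublicKey // account -> enrolled SE public key
}

// Device is the "iPhone SE" side: the account's private key never leaves it;
// the server only ever learns the public half.
type Device struct {
	account string
	key     *ecdsa.PrivateKey
}

// Challenge is what the server sends: a random nonce, an expiry, and the
// server's signature over both so the device can check provenance first.
type Challenge struct {
	Account string
	Nonce   []byte
	Expiry  int64
	Sig     []byte
}

// challengeDigest binds account, nonce and expiry into one value to sign.
func challengeDigest(account string, nonce []byte, expiry int64) []byte {
	h := sha256.New()
	h.Write([]byte(account))
	h.Write(nonce)
	var e [8]byte
	binary.BigEndian.PutUint64(e[:], uint64(expiry))
	h.Write(e[:])
	return h.Sum(nil)
}

func NewServer() (*Server, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{key: k, devices: map[string]*ecdsa.PublicKey{}}, nil
}

func NewDevice(account string) (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{account: account, key: k}, nil
}

// Enroll is the opt-in step: the server records the device's public key.
func (s *Server) Enroll(account string, pub *ecdsa.PublicKey) { s.devices[account] = pub }

// NewChallenge mints a signed challenge valid for 30 seconds.
func (s *Server) NewChallenge(account string, now time.Time) (*Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	expiry := now.Add(30 * time.Second).Unix()
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, challengeDigest(account, nonce, expiry))
	if err != nil {
		return nil, err
	}
	return &Challenge{Account: account, Nonce: nonce, Expiry: expiry, Sig: sig}, nil
}

// Answer verifies the server's signature, then signs the digest with the SE key.
// (The local passcode prompt that unlocks the SE is outside this example.)
func (d *Device) Answer(c *Challenge, serverPub *ecdsa.PublicKey, now time.Time) ([]byte, error) {
	if c.Account != d.account {
		return nil, errors.New("challenge is for a different account")
	}
	if now.Unix() > c.Expiry {
		return nil, errors.New("challenge expired")
	}
	digest := challengeDigest(c.Account, c.Nonce, c.Expiry)
	if !ecdsa.VerifyASN1(serverPub, digest, c.Sig) {
		return nil, errors.New("challenge not signed by server")
	}
	return ecdsa.SignASN1(rand.Reader, d.key, digest)
}

// Verify checks the response against the enrolled public key, rejecting
// expired challenges and ones the server never issued.
func (s *Server) Verify(c *Challenge, response []byte, now time.Time) bool {
	pub, ok := s.devices[c.Account]
	if !ok || now.Unix() > c.Expiry {
		return false
	}
	digest := challengeDigest(c.Account, c.Nonce, c.Expiry)
	if !ecdsa.VerifyASN1(&s.key.PublicKey, digest, c.Sig) {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest, response)
}

func main() {
	s, _ := NewServer()
	d, _ := NewDevice("user@example.invalid") // constructed account name
	s.Enroll(d.account, &d.key.PublicKey)
	now := time.Now()
	c, _ := s.NewChallenge(d.account, now)
	resp, _ := d.Answer(c, &s.key.PublicKey, now)
	fmt.Println("genuine device verifies:", s.Verify(c, resp, now))
}
```

The point to take from it is the asymmetry: compromising the password gives an attacker nothing here, because the only thing that can produce an accepted response is the private key held in the SE, and the server needs only public keys to check it.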
A little later, I’ll be given the option of making my OSX login “iMe only” and so on.
If anyone can bring PKI to the masses, Apple can. Soon, other companies will negotiate with Apple to join “iMe Connect” and because it is more secure than a password, they will pay to use it. There are payments applications for this (it means that mobile payments can be lifted beyond ringtones and music tracks, and at a lower margin than operators) but I don’t see them as being central to the business proposition, because people will be using their iPhone to log in to everything (internet banking, shopping, government) and then, because of the NFC interface, they will begin to use it to “log in” in Apple retail stores and then, soon enough, other places. Meanwhile, credit cards and Bling, Amex and PIN debit will all be loaded into the SE anyway, so customers will find themselves using their iPhones to get on BART and pay in CVS. This will save the issuers money, because they don’t need to issue the plastic, so they can offer a good deal. Andrew Johnson was surely right to point this out in American Banker.
In the end, banks have a lot to gain by being willing to give pricing concessions to Apple in exchange for getting their payment card information directly located in Apple’s mobile wallet service. Doing so could give those banks a first-mover advantage.[From In Apple Mobile Pay Plans, a Possible Opening for Banks – American Banker Article]
Apple doing the identification and micropayments, leaving larger payments to the finance sector who will in turn pay Apple. Now we can see the real play, and a first-rate strategy for the next phase of online evolution: own identity and authentication. iTunes as a payment scheme to rival cards, PayPal, iDeal? No. iTunes as a payment scheme to get people used to logging into things with their iPhones? Plausible. iTunes as something that delivers a variety of customer communication and management options of real value to merchants (a cross between Barclaycard Freedom, Bling and Taggo)? Yes. Why? Because knowing who someone is is so much more valuable than a small slice of their payments, a fact that informed industry observers have pointed to since the Apple/NFC rumourmongering began.
the real revenue streams to Apple will not be from “interchange” but from advertising as iAD provides the “Yang” to the NFC’s “Ying”. Creating a new payment ecosystem means having incented partners. The timing on Apple’s iAD and NFC developments are not accidental, my belief is that they are part of a very solid mCommerce expansion strategy.[From Apple’s NEW NFC Patent « New Ventures in Financial Services]
Look, I don’t know what Apple’s strategy is any more than you do, but from the perspective of helping clients to formulate their own broad strategies for NFC, payments, value-added payment services and identity, this is a reasonable strawman, which is why we’ve been using it.
Apple may have over 160 million customers with digital wallets to tap into and grow their m-payments offering through partnerships with other retailers, but they still have to address the same security risks as other m-payments providers; be it if they opt to bypass the charges of credit card companies by going down the PayPal route or not.
Dave Birch picks a good straw man in Apple, to debate how m-payment security can be resolved, especially when considering the volume of fraudulent activity in the iTunes world already, whereby consumers just submit a name and password. Think what would happen if they were giving their bank details away as well?
M-payments provides the opportunity for all stakeholders to reduce operating costs, increase productivity and boost revenue; however, lack of security, and lack of confidence in the security system by the user, could place the uptake of this payment method at risk. Providers need to get it right first time.
It is essential that providers get the security levels for the exchanges of information correct, to reduce fraudulent activity and mitigate risk. Therefore providers need to consider their security strategy at three levels. Firstly, the devices being used to exchange the information need to be secure and have biometric authentication built into them. Secondly, the applications running on the device need to have sufficient levels of authentication and authorisation. Finally, the channel for the transmission of data needs to be secure.
The approach needs to be collaborative with expert partners holding fort at the right points of the value chain to ensure success. Otherwise, even the giants like Apple will fall foul of opportunity.
Comment from Hemant Lamba, Banking and Capital Markets Practice, Infosys, and posted by Infosys Press Team