[Dave Birch] A couple of interesting discussions about QR codes at Money 2020 earlier today. Well, I’ve been looking at some technology roadmaps around NFC and QR codes again in connection with a couple of projects we’re involved in and I think I’ve got at least an interim conclusion. While I have no inside information on the subject, I do expect a future iPhone (and, for that matter, iPad) to have NFC. NFC is a convenience technology, and Apple loves convenience. As, it seems, do customers.

In fact, in the tests that were held by Kraft, NFC experienced an engagement level that was twelve times greater than the results that were achieved by QR codes… However, at the same time, NFC did have its own drawbacks, which Kraft found to be rather significant for the moment. To start, most older phones do not have this technology and therefore cannot take advantage of its availability in a store or on a product, even if the consumer is interested. Moreover, the technology is also absent in all Apple products that have been released to date… This means that NFC automatically ignores the largest segment of the mcommerce marketplace.

[From QR codes and NFC tested by Kraft in mobile commerce trials]

In other words, NFC is great but not yet relevant. This, to be honest, seem like a pretty reasonable assessment of the current situation and contains both good and bad news. The bad news is that the money that the payments industry is spending on NFC will have a much longer payback time than had been hoped. The good news is that we (consumers) end up with something that is simple and quick and secure.

Osama Bedier, VP of Wallet & Payments… believes that [NFC is] a better technical solution than the QR codes that Apple uses on Passbook, calling them one of “many bridge technologies between now and what is a destination solution.” He pointed out that “you still have to futz” with QR codes.

[From Google still believes in NFC for mobile payments, doesn’t see ‘eye to eye’ with Verizon | The Verge]

As far as transactional applications go, though, I think it fair to observe that there will be developments beyond the initial conflation of NFC with payments at the EMV nexus. While not the topic of this post, a key message coming out of Money 2020 has been that the complex ecosystem assembled by handset manufacturers, SIM suppliers, TSM operators, the GSMA, bank issuers and schemes may well be bypassed in the longer run but in the short run is actively holding bad NFC evolution!

Incidentally, while we’re on the topic of NFC vs. QR again, I wanted to mention a related issue. There is a slight problem with the writing of a blog such as this one. The nature of Consult Hyperion’s work with clients around the world is such that we are, from time to time, privy to commercially confidential information. This is true for most companies, naturally. But it means that sometimes I write things on the blog that I know aren’t quite correct. Here’s an example. Earlier in the year I wrote about hypothetical attacks on NFC tags and QR codes because of the lack of identity infrastructure, saying that

It’s simply impossible to tell whether a QR code is “real” or not.

[From A quick response to the problem]

At the time I wrote this, I knew perfectly well that the attacks on both QR codes and NFC tags discussed in the piece were not hypothetical but had actually occurred. It would not have been appropriate to mention, at the that time, that I knew that attacks had occurred or who the victims were. So I’m glad to say that (although I won’t point at the victims) I have heard the attacks discussed at a couple of recent events so now I think it’s OK to at least talk about what the attacks were.

In both cases the same vulnerability was exploited: when a consumer uses a smartphone to either read a QR or an NFC tag, they have no idea whether what they are reading indeed comes from the poster, advertisement, magazine or whatever else they are looking at:

  • In the attack on a travel-related NFC poster, the attackers stuck their own NFC tags on the posters. Instead of pushing the number to call for more information about travel products, the number was for a reverse-charge premium-rate phone call to South America.
  • In the attack on bank advert with a QR code, the attackers had printed their own version of the QR code and stuck them over adverts in public places in London. Customers who scanned the code in order to get more information about a bank product instead got malware downloaded to their phone. At least 4,000 customers were fooled this way.

We already know what the solution to the NFC problem is, since a standard for digitally-signing the data content of an NFC tag has existed for a couple of years (although no-one seems to have implemented it) and we also know how to manage the keys and certificates that would be needed to make this all work in the mass market. For QR codes there is no such standard, although there are companies out there (e.g., Ensygnia) who have been developing proprietary solutions.

The real problem with this large number of QR code scans is that consumers have no way to detect the presence of malware in the code before it is too late.

[From Portals and Rails]

Quite. All in all, this proves a point that I’ve made many times in the past: connection is easy, disconnection is hard. In this case, I think that shifts the dynamic toward NFC. You could imagine a situation in which a powerful player like Apple, using Passbook, forces a scheme for digitally-signing QR codes and sets up a structure for key and certificate management, in which case the operators and banks will be kicking themselves for not setting up an industry-wide digital signature scheme and implementing the NFC standards for tag security. If customers and retailers could be sure that NFC tags 

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this:
Verified by MonsterInsights