Payment card issuance errors leave you vulnerable to fraud


As Consult Hyperion and many other analysts predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation found that no-touch payments have increased for 69 percent of US retailers surveyed since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.

Fraudsters are always looking for ways to take advantage of potential weaknesses or even inexperience in new payment devices. A recent news story promoted a man-in-the-middle attack in which two phones are used to transfer and manipulate the transaction message between a stolen contactless card and the point of sale terminal.

Will America bypass chip and PIN? One of the things I’m going to Money2020 to find out

Another article, this time in American Banker, questioning the rather odd trajectory of EMV in the USA. You’ll recall, I’m sure, that a number of international observers expressed surprise when (some time back) the banks over there decided to roll out chip and signature rather than chip and PIN or, indeed, chip and anything else (fingerprints, body odour or voice recognition). No-one seems to know why.

One reason banks offer for this choice is the presumed difficulty of remembering another PIN. Are we to think that Americans are not quite as capable as the British, Dutch or Canadians — all of whom managed to figure out a way to make the more secure Chip and PIN work?

[From A Chip Without a PIN Is Asking for Fraud | Bank Think]

Is that really it? That American card issuers think that Americans are too stupid to remember a four digit PIN? That seems somewhat patronising to me. I wonder what the American government thinks about it? The FBI thinks that Americans can use a PIN. Or at least they did, before their CVM recommendation was mysteriously taken down.

The alert, which was removed from the FBI’s Internet Crime Complaint Center site on Oct. 9, noted: “When using the EMV card at a POS terminal, consumers should use the PIN, instead of a signature, to verify the transaction. This fully utilizes the security features built within the EMV card”… That recommendation left many of us scratching our heads because the vast majority of U.S. banks and credit unions have opted to roll out EMV as a chip-and-signature, not chip-and-PIN, transaction.

[From FBI Quickly Pulls Alert About EMV – BankInfoSecurity]

So. Checkpoint. What do we know? Well, we know that PIN is far more secure than signature (I remember being told by Walmart that fraud on PIN debit cards was 250 times less than fraud on signature debit cards). The US banks are going to the expense of issuing chip cards that will defend only against the particular fraud of card counterfeiting — although, to be fair, according to the Nilson report, counterfeit card fraud losses to US issuers were something like a quarter of total world card fraud losses last year. But why not defend against other kinds of fraud (e.g., lost and stolen cards) by adding the PIN? Old chum David Poole says that the US is “stark raving mad” not to adopt PIN, on the basis of the latest fraud figures.

I was fascinated to read the latest fraud figures as reported in The Nilson Report this week. Worldwide card fraud is up 15% to $16b in 2014. Read that again – $16b that could potentially solve some austerity problems not to mention some poverty. I dare say many organisations would love to be reporting >15% top line revenue growth.

[From None as blind as those that can’t see. If you can’t see it, smell the “coffee”… | David Poole | LinkedIn]

Let’s just put those figures in context. One of my favourite statistics last year, one that I often dropped into presentations, was that the US is a quarter of the world’s card volume but half of the world’s card fraud. Well, I’m afraid that statistic is no longer valid. On the basis of the latest figures, the US is now a fifth of the world’s card volume and half of the world’s card fraud. And remember, this is the cost to issuers. It does not take into account the costs to merchants or the police.

The USA accounted for 48% of these losses. But a very important detail should not be omitted; this figure is over only 21% of the purchase volume. While this globally represents 5.65 cents in every $100 spent, the USA has more than doubled that at 12.75c per $100, and over the last five years the figure has increased each year.

[From None as blind as those that can’t see. If you can’t see it, smell the “coffee”… | David Poole | LinkedIn]

The US has a problem. Yet, to be frank, if you were inventing EMV today, in a world of smartphones and online and biometrics, then you almost certainly wouldn’t come up with chip and PIN. You’d probably use a combination of convenient authentication and back-office analysis. It would not be surprising to me if the US banks have thought about this and have no intention of going to chip and PIN for their domestic market because chip solves their biggest card present fraud category (counterfeit, which is about half of their losses in the US) and tokenisation is a better solution to the card not present fraud category (and pretty much everything else). The evidence for this is that they’ve gone to chip, but rather than spend hundreds of millions on upgrading ATM networks for PIN management, waiting for merchants to add PINpads and educating customers about looking after their PINs, they’ve instead spent the money on tokenisation infrastructure, assuming that the growth of mobile, especially in-app, will be a more effective means to tackle overall fraud.

So, what does this mean? Well, that’s what I’m hoping to find out at Money2020 in Las Vegas next week, where I am chairing the session on authentication. For most of our clients, where to invest next is a crucial strategic question. Do they assume that US consumers and merchants will get fed up with “chip and wait” pretty quickly and so develop an appetite for contactless that they lack in a “swipe and go” world? Do they assume that none of this matters because in-store, online and mobile will all converge on in-app solutions? Do they assume that clever use of tokenisation platforms will deliver new services over and above fraud reduction? Well, it’s probably all three, but I will be fascinated to discover the sentiment in the corridors of the Venetian and will, of course, report back.

Thinking the unthinkable about EMV in the USA

The main reason for the switch to “chip and PIN” is, as we all know, to protect against fraud. But it only protects against one kind of card fraud and then it only protects completely if we do not allow magnetic stripes.

But the switch to EMV doesn’t necessarily protect against credit card numbers being stolen, Forrester says. And tokenization, a process that replaces sensitive cardholder information with a unique series of numbers used to identify customers, hasn’t been widely adopted in the U.S.

[From Chip-and-PIN Security for Payment Cards Won’t Happen Until 2020: Forrester – The CIO Report – WSJ]

Here, I think, I might differ with Forrester. Yes, it is true that tokenisation has only been adopted for Apple Pay, Android Pay and (presumably) Samsung Pay. But the investments in tokenisation mean that it will spread and, what’s more, I firmly predict that mobile will displace other transactions at point of sale (POS) thus bringing tokenisation to the high street. But their main point holds. The dynamics of the fraud changes around chip and PIN introduction are well known and the overall shape of the fraud curves will undoubtedly be the same in America since, as far as I know, there are no plans to take stripes off of the cards or to start taking stripe readers out of stores.

It will reduce “card present” (CP) face-to-face and automatic vending fraud, but it will increase pressure on “card not present” (CNP) fraud.

[From Search Results CNP EMV]

Our experiences in the UK are that not only does CNP fraud increase as the bad guys chase the easy money but that, in time, the fraudsters become more imaginative about attacking chip and PIN as well, adopting a variety of strategies to obtain PINs.

As had been hoped, chip & PIN has reduced card fraud at POS. As had been expected, some of this fraud has been displaced into Card-Not-Present (CNP) channels to the extent that CNP now accounts for half of all fraud. Fraud on UK cards overseas has increased because the stripes are counterfeited and the PINs are then used to withdraw cash at foreign (non-chip & PIN) ATMs.

[From Card fraud in the UK]

I wrote this back in 2007, when it was already clear that EMV was displacing fraud in this way. Then, back in 2013, I couldn’t help but look at the issue again in the context of the drive toward smart phone solutions.

Should the US use chip and PIN online? A few years ago, I thought this would be a good idea (in fact, I worked on a strategy for a US issuer looking at this around five years ago), but the window has been closing. In fact, as technology has moved on, I’d say it’s clear that this will now never happen. We’re not going to add smart card readers to our laptops or mobile phones and we’re not going to use chip and PIN cards in them to transact online. We’re going to use the smart phone instead.

[From Search Results CNP EMV]

Now, of course, we can all see that this is correct. Visa, Mastercard, Amex and Discover have delivered tokenisation into the marketplace and so instead of using EMV online we’re going to be using tokenisation. But there are people out there who are asking whether we really need to use EMV cards at all? As I mentioned above, why not use mobile phones and tokenisation everywhere? Why bother putting in the chip card readers or the contactless readers in store, why not just go in-app for everything and give the customer the same payment experience in store, on line, on the phone and any other channels.

Speaking at the CNP Expo [2013] in Orlando, Lee Jurgens from Ralph Lauren… said that the US should have skipped chip & PIN and gone straight to mobile because it is the more secure payment mechanism. He’s got a point, and there’s no point the industry pretending that he hasn’t.

[From Maybe it’s time for son of EMV]

Now, I can’t pretend to be unsympathetic to this perspective, having long maintained (based on the results of a number of different risk analysis projects carried out by my colleagues at Consult Hyperion) that mobile will be safer than cards, even after the shift to chip cards. Back in 2009, I said that:

Incidentally, while mobile is certainly underutilised in the fight against fraud, a situation that is beginning to be addressed, tacking mobile on to the end of “traditional” payments is a stopgap.

[From Window pain]

In other words, using mobile just for authentication doesn’t deliver all of the benefits; we need to use mobile to replace the card itself. For this reason, I was unsurprised to read Visa Inc’s Vice President of Risk Products, Stephanie Ericksen, recently quoted talking about PIN and saying:

“we don’t see a need for it; [chip and PIN] will have a shorter shelf life. We’re moving to new technologies and innovation.”

[From US EMV migration: Chip and signature is a joke! – Payments Cards & Mobile]

I am sure that what she means by “new technologies” is, for the foreseeable future at least, mobile phones, strong authentication and tokenisation. It seems to me that because of the additional fraud prevention and detection possibilities afforded by the mobile phone, this might not just be an alternative to chip and PIN but a replacement for it, delivering better value to all of the stakeholders. And the payment schemes could certainly pass on the fraud and other savings in the form of incentives to merchants. The “card present” / “card not present” world will be replaced by the “cardholder is present” and “cardholder was present” world.

I expect to see a new V/MA rate tier for use of tokens in mobile. “Cardholder present” that will mean liability shift to bank and a rate reduction of around 10-25bps (in the US).

[From Payments – June 2015 Current State/Updates – Starpoint Blog – Finventures]

So just as the US is finally thinking about starting mass market EMV issuing, after equivocating for so many years, and if EMV really does have a “shorter shelf life”, is it time to start thinking the unthinkable and asking whether they should bother?

Yep, people are interested in NFC again


As we head back to Barcelona for Mobile World Congress again, there’s more talk about NFC and this time it’s not only coming from the operators.

In her state of the industry address at the GSMA NFC & Mobile Money Summit last fall in New York, GSMA Director General Anne Bouverot said that NFC is gaining traction globally, and it is certainly true that the number of handsets sold with NFC capabilities is steadily rising, even if most consumers neither know nor care that they have NFC. But it’s not just in phones: NFC is springing up in TVs, printers, cameras and all sorts of other consumer electronics. In our corner of the transaction treehouse, however, NFC means making contactless payments in retail environments. This hasn’t been going so well. As I said at the time, consumers can’t use NFC to ride the bus, which was my throwaway and prosaic benchmark of mass-market acceptability. But they might soon.

Madrid-based non-public bus operator Jiménez constellation is to introduce a brand new cloud-based NFC ticketing resolution that allows Nexus five NFC phones to be used as contactless ticketing readers at a “fraction of the value of ancient contactless reader infrastructures”. Ticktrack, developed by Spanish startup Aditium, uses host card emulation (HCE)…

[From Spanish bus drivers to check tickets using NFC host card emulation – NFC Business Cards]

Interesting. Something has changed. There were handsets out there. There were announcements all the time about pilots, trials and even live services. But somehow the technology was (and is, to be honest) struggling to gain traction, and every time that Apple announce a new phone without NFC there are a plethora of articles about the death of NFC. If you do have a handset with NFC in it, let’s say one of the super new Samsung S4s, you can’t use it for much that is interesting. I can’t log in to my bank and load my credit card onto it, for example. All I can do with the NFC on my Android phone is use it as a slightly more convenient version of a QR code. Except in Canada, where I could download my Tim Horton app and buy coffee with a tap.

Something has definitely changed. What? Well, here’s a framing of the problem that I often hear. The GSMA (and others) opted for an architecture that put the mobile operators in control. And there’s nothing wrong with that. The GSMA is the mobile operators. But — and let’s be frank, to move the sector forward — the banks and operators have found it difficult to work together. I don’t want to cause trouble, especially since Consult Hyperion advises both banks and operators, but I think we have to be honest and open up the discussions that everyone knows are going on behind closed doors.

These MNOs operate a TSM service and establish the trust. Technically perfect, but this is also the problem that gets things stuck. It has no technical issues, it is political. The banks just do not want the MNOs in their food chain.

[From EMV compliant NFC transaction from a mobile phone | The Abrantix Blog]

Maybe. And there is certainly evidence from the marketplace that banks will go to some lengths in order to avoid having to deal with the MNOs. This is despite countless attempts to work together. Personally, I suspect that some of this is down to the sheer hassle of it as much as it is to deep-seated strategic aversion to the Single-Wire Protocol (SWP), but it is nonetheless an observable phenomenon.

Bank of China (Hong Kong) is to introduce a microSD card based NFC payments service before the end of the year… BOC e-Wallet will initially be available for the Samsung Galaxy S4 LTE, Galaxy S III LTE, Galaxy Note II LTE, Galaxy S4, Galaxy Note II, Galaxy S III and LG Optimus G Pro smartphones.

[From Bank of China launches NFC payments in Hong Kong • NFC World]

Phones such as the S4, as noted, already have NFC. So, you might wonder, why bother putting a microSD NFC card into a phone that already has it if not to go around the MNO? This is the nub of the problem. In the complicated (but, let’s be clear, very secure) SIM-based SE model, the MNO calls the shots. And that has turned out to be a significant barrier to progress. It’s not impermeable: in some places (Canada and Australia spring to mind) where there are highly concentrated industries (ie, a small number of big banks and a couple of dominant MNOs) and a determination to work together despite thin margins there are now multiple handsets and multiple banks with functioning implementations in the market.

So what has changed? Why are the Canadian coffee chain and the Spanish bus company investing in NFC? Well, the most interesting case study from Mobile World Congress last year was, as I have said before, BankInter in Spain. They launched what we called at the time a “NOSE” (NO Secure Element) payment service that uses tokenization to shift the risk analysis balance away from SE levels of security. The reason why this was such an interesting case study was that BankInter own an MNO. When you own an MNO, and still find it too much hassle to launch a SIM-based NFC payment service, that has to tell you something about the chosen model. Last year I called it an earthquake, and I stand by that.

Technically, what they did was to use a version of Android that had Host Card Emulation (HCE). At a high level, this means that the handset can pretend to be a payment card rather than having to have the SIM involved. When last year Google announced that HCE would become part of Android and that there would be no need to patch any more, a lot of people suddenly regained interest in the technology. The responses to this technology change have been very interesting indeed, as they seem to indicate considerable latent demand for a technology that we were being told was finished.

“With the entry of HCE we are free”

[From Spanish bus drivers to check tickets using NFC host card emulation • NFC World]

It wasn’t the technology that was the problem, it was the business model. Having previously criticised the SIM-centric model (with genuine integrity and, I think experience has shown, real cause), I stand in testament to the GSMA’s commitment to explore different views on this important topic and I am delighted to be able to confirm that I will be giving part of the breakfast briefing on “HCE: NFC Threat or Opportunity” at the Mobile World Congress in Barcelona on Wednesday 26th February at 8.30am. I am genuinely looking forward to this as I personally think that there is an opportunity for mobile operators to use HCE to revitalise NFC in the mass market and, along with BLE, find new and more flexible business models that will make sense to financial services and other sectors. I expect to learn a lot from my fellow panelists and I look forward to seeing you all there.

Wireless Sunday

Off to the Barclaycard Wireless Festival for the day. I don’t really understand why it’s still called that. In the old days, when it was sponsored by O2, then calling it the wireless festival sort of made sense. But now it’s sponsored by Barclaycard, they should probably call it the Contactless Festival instead. Anyhow it featured a great many very popular bands, as evidenced by the enormous crowd trying to get in.


I know it looks chaotic but in the end it only took about 25 minutes to get in. Contactless was much in evidence. Barclaycard had kitted all of the bars out with contactless terminals and were kind enough to give me one of the promotional lanyards containing a contactless card (a Visa gift card preloaded with £20) to go and try out. Which, naturally, I did. And, I have to say, it worked perfectly. As testimony, allow me to present the first beer I bought with it!

[Photo: Dave at Wireless 2011]

Being me, I couldn’t leave it at that though, and I started to try out some other contactless paraphernalia about my person. An obvious experiment was to try my Barclaycard phone, and that worked too, but oddly it went online, which rather slowed the transaction down. I don’t understand why it did this, so I’ll ask the chaps when I’m next in the office.

More interestingly, I asked a couple of the bar staff what they thought about contactless and they had both positive and negative observations that I promised myself to report in a spirit of openness and balance…

Positive. It’s quick, and you don’t have to hand the terminal to the customer for them to enter a PIN. And they thought my phone was really cool. They also said that some customers had been paying with their own contactless cards and not just the promotional lanyards.

Negative. There were two big issues that came up in both conversations with bar staff. One was the spending limit, which the bar staff said was too low at £12 (the limit was actually £15, but all of the drinks cost £4, so you could buy three drinks at £12 but not the advertised four beers in a drinks carrier, because that costs £16). Surely it would have made sense to have subbed the bars so that four beers plus carrier was a £15 special.

Enough of these scientific experiments (most of which I drank), and off to see some of the popular beat combos on show. Here’s a 47-second taster so that you can get the idea if you’ve never been to one of these events before.

I was reflecting on the security issue later on, because it really seemed a block. I took the time to explain to one of the women at the bar that there was no risk to her as a customer, because the UK banks were unequivocal about unauthorised use: if someone uses your card without your permission, they will refund the transaction. Yet she was unconvinced and was clearly uncomfortable about the idea of “no CVM” purchase. This has been true since the earliest days. As I highlighted four years ago:

Among those that are not yet ready to use contactless, security appears to be the dominant consideration. Which means, of course, that whatever we might think about the actual security situation we must get better at communicating it.

[From Digital Money: Contactless update]

As I don’t know anything about customer communications and public information, I genuinely don’t know how to cross this chasm, but I wonder if it’s yet more evidence that we should be moving more quickly to contactless phones. The simple PIN code that I need to open up the mobile wallet on my Barclaycard MasterCard phone (the Samsung Tocco that I wrote about before) might well provide the reassurance that people want, even though it doesn’t really make much difference to the overall risk (phones are inherently safer than cards because people notice when they go missing anyway).

Overall, the weekend’s experiences did leave me with three firm conclusions:

1. Both the public and the merchants liked contactless. In this kind of environment – crowded, quick service – the technology performs very well. These were similar to the results seen elsewhere: the punters like contactless payments.

Festival-goers quizzed on the experience, said they were quicker (96%) and easier to use (98%) than credit or debit cards, while a resounding 100% said they’d want to use the PayPass prepaid wristbands again to pay at other festivals, concerts and sporting events.

[From Finextra: Contactless wristbands join wellies and camping gear as festival essentials]

2. We should accelerate the development of contactless phones, because they help with the security issue.

3. The Horrors are a good band, but not my cup of tea.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.

Yet more about NFC and business models

Eric Schmidt’s very bullish comments about near-field communication (NFC) technology in the US retail market have got people talking about business models again.

Eric Schmidt, Google’s executive chairman, believes that a third of check-out terminals in retail stores and restaurants will be upgraded to allow wireless “tap and pay” from mobile phones within the next year.

[From Google’s Schmidt predicts widespread “tap and pay” within a year | FT Tech Hub | FTtechhub – Industry analysis – FT.com]

These follow a series of statements by Google executives that, whether they are true or not, seem to have legitimised the technology in the eyes of a broad range of businesses.

She added that there is a ton of activity around NFC in international markets, giving the example of a successful trial of the technology that Starbucks ran in London.

[From Google Commerce Chief: We’re Making A Huge Bet On NFC As A Company]

I’ve never heard of this Starbucks NFC trial, so if anyone can point me in the right direction I’d really like to read up on it. But that’s beside the point. The point is that lots of people are now taking NFC seriously in the retail space and the mobile operators are developing NFC strategies. But what business model will there be for them? And what options do they have?

The question will then be how operators manage to regain relevance for their role in NFC transactions (which will come later, if at all), when the first trillion NFC interactions will have bypassed them.

[From Dean Bubley’s Disruptive Wireless: What will be the business model for free NFC-based interactions?]

You can see the problem that he is alluding to, but it may not be immediately obvious why it is such a problem specifically for operators. Look at the issue from a slightly different perspective, one that stems from security. I would argue that there are two different classes of application for NFC in mobile phones. These are, broadly speaking, “open” applications and “closed” applications. They are, broadly speaking, about interaction in the case of open applications and transaction in the case of closed applications. Such applications are, broadly speaking, easy to create in the case of open applications and difficult in the case of closed applications.

Why? Well, it’s because the closed applications need security and the open applications don’t. Open applications are things like games and business cards and “friending”, where consumers touch phones to something (which may be another phone) in order to get or exchange some information. These are what Dean means by “interactions”. Closed applications are things like payments and tickets, where real money is involved (other than the service provider’s own) and the applications must be what security professionals refer to as “tamper resistant”. They must also work, all the time and every time. These are what Dean means by “transactions”.

Working out how to implement secure electronic transactions is (I’m happy to say, since it’s a big part of Consult Hyperion’s business) difficult, complicated and interesting. It’s easy to picture how life might be with your credit card inside your mobile phone, but think what has to happen to realise that picture! How will the security keys necessary for the card application be transported across potentially insecure networks into the tamper-resistant chips (the “secure elements”, SEs) in handsets? How does the bank know that your credit card is going into your phone and not a fraudster’s? When you get a new phone, how does your card make its way from your old phone to the new one? How does the wallet application in the phone communicate with the card application in the secure element?

In the architecture developed by the transaction incumbents (by which I mean banks and telcos), the management of the closed applications is undertaken by something called a “trusted services manager”, or “TSM”, an entity that sits between the providers of closed services, such as banks and transit operators, and the mobile operators who connect to the SEs that they, in effect, own and rent out space on. This model may be disrupted, because it was founded on the assumption that the SE would be under the control of the MNO and that the TSM would have to cut a deal with the MNO to rent the SE space (what you’ll often hear telco people refer to as the “apartment model”).

In the Google play, the TSM is operated by First Data and the SE is operated by Google (it’s in the Nexus handset, not on the SIM). The operator has no control over the SE and can extract no “rent” for its use. I notice that in the Nilson report (#972, page 7) it says that the Nexus S is the only smartphone in the US market with an SE not controlled by the mobile operators: it might have said that it’s the only smartphone in the US with an SE, full stop. The operators (in the form of Isis) are not yet in the marketplace. Why are Google being so active then? Well, on the Catalyst Code I read a while back:

Google has obviously made a decision that NFC is an opening into something more interesting and lucrative than transforming a phone into a payment card– advertising and marketing opportunities at the point of sale – the physical point of sale. And, it has done a deal with VeriFone that takes the economic sting away from the merchants who need to buy into their vision to make it work – and who have by and large turned their noses up at NFC up to this point. Layer on top of that their Google Checkout asset and their newly launched One-Pass wallet application and you have the makings of an interesting new payments player.

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

Karen is, as usual, spot on about this. But I’m not so sure about this…

What’s amazing is that Google was the first to connect all of these dots

[From Google Takes on NFC, Will They Crack the Code? at The Catalyst Code]

This doesn’t seem amazing to me, because I’ve been involved in numerous attempts to develop mobile proximity propositions involving banks and operators and from these experiences have developed (I think) a reasonably accurate map. A month before the Google announcement, I wrote on Quora that “I’m sure [loyalty and rewards] will be Google’s strategy too. Payments are not an interesting enough application to persuade people to go out and get an NFC phone.”

So how come banks and operators didn’t connect the dots, then? Banks and operators have smart people in them, and some of them have smart consultants too. But it is very difficult to make institutional strategies for non-core businesses and have them translated into practical tactics with appropriate priorities. If you were in a European mobile operator back in 2009 and you had an idea for using NFC to create a new business, where did you go with the idea? I went in to an Orange retail outlet: they are the first operator in the UK to sell a commercial NFC handset with an onboard payment application: not only did the shop not accept NFC payments but they didn’t sell any NFC tchotchkes, such as blank NFC tags. If you’re a smart kid and you get one of these phones, and you have an idea for using tags as tickets for a gig you and your mates are running… well, hard luck. This is problematic, because we need lots of people to be experimenting, developing and playing with the new interface to create the new, open applications.

In April, Nokia’s vice president for industry collaborations, Mark Selby, speaking at the WIMA NFC conference in Monaco, contended that NFC applications not securely stored on SIM cards, embedded chips or other secure elements will account for two-thirds of the revenue that NFC technology will generate through 2013.

[From Nokia Introduces Its Second NFC-enabled Smartphone | NFC Times New – Near Field Communication and all contactless technology.]

I hope Mark won’t mind me mentioning that we discussed this over dinner a couple of weeks ago and, while I agreed with him about the market, I bored him at length with my moaning about the slow development of the ecosystem. Where are the Nokia NFC tags for kids to buy? Where are the NFC USB sticks to connect laptops and phones?

But, looking forward, there’s another issue here. This classification of open/interactive vs. closed/transactional NFC uses is too simplistic, because as the technology spreads in the mainstream, interactions will need to be secure too. When I tap my phone against an advert at the bus stop, I want to find out more about “Kung-Fu Panda 2” and not get directed to a porn site, a reverse-charge premium rate phone call to Honduras or send a text message to someone who wants to sell my mobile number to commercial organisations. I want my phone to check the digital signature on the tag and make sure that it is valid, and that it is signed by an organisation recognised by UK phone operators, or banks, or the government, or whoever. But signing the tags (which is part of the NFC standards, but no-one uses at the moment) means that someone has to distribute keys, and certificates and all that stuff. None of this exists right now, but in the future it will have to.
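The check described above can be sketched as follows. This is an added example, not code from the original post: the record layout, names and URLs are constructed, and it uses plain X.509 with ECDSA rather than the NFC standards' own signature record format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedTag is a constructed stand-in for a signed tag, not the NFC Forum wire format.
type SignedTag struct {
	URI       string
	Signature []byte // ASN.1 ECDSA signature over SHA-256(URI)
	SignerDER []byte // signer's X.509 certificate, DER encoded
}

// VerifyTag is the phone-side check: the signer must chain to a root the phone
// recognises, and the signature must cover the URI actually read from the tag.
func VerifyTag(tag SignedTag, roots *x509.CertPool, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(tag.SignerDER)
	if err != nil {
		return "", fmt.Errorf("bad signer certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("signer not recognised: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unsupported signer key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256([]byte(tag.URI))
	if !ecdsa.VerifyASN1(pub, digest[:], tag.Signature) {
		return "", fmt.Errorf("signature does not match tag content")
	}
	return cert.Subject.CommonName, nil
}

func check(err error) {
	if err != nil {
		panic(err) // key or certificate setup failed: abort the demo
	}
}

// newCert issues a short-lived certificate; a nil parent yields a self-signed root.
func newCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signTag is what the publisher does once, before the tag is written.
func signTag(uri string, cert *x509.Certificate, key *ecdsa.PrivateKey) SignedTag {
	digest := sha256.Sum256([]byte(uri))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return SignedTag{URI: uri, Signature: sig, SignerDER: cert.Raw}
}

// Demo runs a genuine tag, a rewritten tag and an unrecognised signer.
func Demo() (signer string, goodErr, tamperedErr, unknownErr error) {
	root, rootKey := newCert("Recognised Root (constructed)", 1, nil, nil)
	adv, advKey := newCert("Example Advertiser (constructed)", 2, root, rootKey)
	other, otherKey := newCert("Unrecognised Signer (constructed)", 3, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the trust list that someone has to distribute to phones
	good := signTag("https://example.com/film-poster", adv, advKey)
	bad := signTag("https://example.com/film-poster", other, otherKey)
	signer, goodErr = VerifyTag(good, roots, time.Now())
	good.URI = "https://example.net/elsewhere" // tag content rewritten after signing
	_, tamperedErr = VerifyTag(good, roots, time.Now())
	_, unknownErr = VerifyTag(bad, roots, time.Now())
	return
}

func main() {
	fmt.Println(Demo())
}
```

The phone accepts only the first tag; everything hinges on who populates `roots`, which is the key and certificate distribution question raised above.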

So… Not only is there no ecosystem for transactions, there’s no ecosystem for interactions either. Now you can see why the mobile operators are going to have to work so hard to stay in the NFC loop. A couple of years ago they could have started to roll out the handsets for open, interactive purposes and started many communities off on experimenting with the new technology while they developed the necessary infrastructure for both secure transactions and secure interactions, but they didn’t because they couldn’t see a business case. What’s the business case for selling public key certificates so that advertisers can digitally sign tags using their internally-generated private keys?

It’s hard to work out a conventional business case around a business that simply doesn’t exist yet, and I understand that. But I think that even three or four years ago, the consumer response to the early pilots and trials was so positive that it was clear that the technology would make the mainstream. Now that Google’s activities have served, in an odd way, to legitimise both NFC technology and the business models around it, maybe the operators should adopt a more Google-like approach to business model: start building way more cool stuff, monetise what works and then be ruthless in killing off what doesn’t.

My employer, Consult Hyperion, has provided paid professional services to some of the organisations named here in connection with products and services discussed here, but the opinions in this post are my own (I think) and presented solely in my capacity as an interested member of the general public.

