[LINK] itNews: 'Westpac trials contactless mobile payments'
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Aug 7 09:53:51 AEST 2012
At 9:33 +1000 7/8/12, Stephen Wilson wrote:
>If this application is using the tamper resistant "Secure Element" in
>the phone and if the software is carefully written, then this class of
>contactless payments is actually very secure.

Secure against which categories of threat?

Transaction replay is only one of a great many threats.

Transactions that the individual wasn't aware of, even though they
had possession of the device at the time?

Transactions initiated by malware in the device?

Transactions in an amount different from what the individual thought
they were paying?

Processing of credits where the amount is recognised just after
processing to have been wrong?

Transactions conducted by a person in possession of the device, but
not authorised to conduct transactions?

___________________________________________________________________
> ... The Secure Element is an
>isolated crypto-processor with protected memory and other functions,
>similar to a SIM (and I note one of the individuals, or the writer, may
>have mixed up SIM and SE in their account below). The Secure Element
>(SE) can be used to digitally sign each transaction initiated by a
>phone, using a private key that never leaves the SE chip, making the
>transaction non-replayable, in the same way that makes Chip and PIN cards
>resistant to skimming and carding.
>
>Certainly it's a helluva lot more secure than the recently announced
>"development" with Google wallet where they are moving to hold all of a
>customer's credit card numbers in the cloud. When Google gives its
>wallet away for free, and then moves to channel all your transactions
>through its servers, I hope customers start to ponder what's in it for
>the infomopoly? I heard it said that in the modern cybereconomy,
>information about how people spend money is more valuable than the money.
>
>See news report: http://finextra.com/News/Fullstory.aspx?newsitemid=23947
>And more analysis by yours truly
>http://finextra.com/community/FullBlog.aspx?blogid=6819
>
>Cheers,
>
>Stephen Wilson
>Lockstep
>http://lockstep.com.au/blog/payments
>
>Lockstep Consulting provides independent specialist advice and analysis
>on digital identity and privacy. Lockstep Technologies develops unique
>new smart ID solutions that enhance privacy and prevent identity theft.
>
>On 7/08/2012 8:45 AM, Roger Clarke wrote:
> > [Another measure designed to reduce the security of consumers'
> > money.
> >
> > [Barely a mention of security and risk factors anywhere to be seen.
> > Never let negative factors enter into a marketing spiel.]
> >
> > Westpac trials contactless mobile payments Chris Jager Aug 7, 2012
> > 7:00 AM (1 hour ago)
> >
> > http://www.itnews.com.au/News/311046,westpac-trials-contactless-mobile-payments.aspx
> >
> > Takes on Kaching with Android app.
> >
> > Westpac has embarked on its second contactless mobile payments trial,
> > inviting about 100 staff and partners to pay for items by swiping
> > their Android devices across contactless credit card readers.
> >
> > The bank today unveiled a pilot application, designed for Android
> > phones with in-built near field communications (NFC) capabilities.
> >
> > Users would be able to make contactless payments from their Debit
> > MasterCard accounts via a secure element embedded in the SIM card.
> >
> > "Effectively, we put the Westpac Debit MasterCard details [of the
> > customer] into the SIM card of the phone which means it can be used
> > anywhere that contactless payments are accepted," said Axel
> > Boye-Moller, Westpac's head of mortgages, cards and merchants.
> >
> > "Because it goes inside the phone, there's no additional bridging
> > technology or plug-in hardware required," he told iTnews.
> >
> > Boye-Moller said the bank was trialling the pilot app with "100 or
> > so" participants, including internal Westpac staff members and select
> > business partners.
> >
> > Those participating in the pilot will be able to provide the bank
> > with instant feedback through the app, to inform the design of the
> > final product.
> >
> > The pilot app is also being used to test related customer services,
> > such as mobile payment security issues.
> >
> > "If someone loses their phone, for example, we can cancel the details
> > on the phone without cancelling the plastic card that the customer
> > uses to access that bank account," Boye-Moller said.
> >
> > Boye-Moller said the application was a "contactless phone" version of
> > Mastercard's PayPass credit cards, and was intended to replace the
> > "piece of plastic" at the point of sale.
> >
> > He added that Westpac had been in discussions with MasterCard about
> > the application for "quite some time".
> >
> > No hardware attachments
> >
> > Boye-Moller suggested that the bank had decided to develop a
> > contactless Android application so it would function on NFC-enabled
> > devices -- including the Samsung Galaxy S III -- without requiring
> > "any plug-in hardware or cases".
> >
> > Last May, Westpac trialled contactless mobile payments via what it
> > described as a "bridging solution", for which 50 users put
> > microchipped stickers on the backs of their phones.
> >
> > The Commonwealth Bank's flagship Kaching mobile payments app has
> > allowed iPhone 4 and 4S users to make contactless payments through
> > iCarte 420 attachment since late last year.
> >
> > But CommBank has yet to enable contactless payments on the Android
> > version of Kaching, launched last month, claiming that the feature
> > would be made available "once the respective handset and software
> > vendors make that functionality available to the market".
> >
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of NSW
Visiting Professor in Computer Science Australian National University
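
Added example, not part of the original messages: a toy model of the point under discussion, in which a per-transaction cryptogram bound to a counter stops replay and tampering but says nothing about whether the amount requested matches what the device holder believed they were paying. HMAC from the Python standard library stands in for the Secure Element's private-key signature, and the class names, message layout and values are all constructed for illustration.

```python
import hashlib
import hmac
import os


class SecureElement:
    """Toy stand-in for the SE: the key is only ever used inside this object."""

    def __init__(self):
        self._key = os.urandom(32)
        self._counter = 0

    def enrol_issuer(self):
        # Assumption: symmetric model, so the issuer is provisioned with the key.
        return Issuer(self._key)

    def authorise(self, merchant, amount_cents):
        # The SE authenticates whatever the calling app asks for.
        self._counter += 1
        msg = f"{merchant}|{amount_cents}|{self._counter}".encode()
        return msg, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    def __init__(self, key):
        self._key = key
        self._last_counter = 0

    def accept(self, msg, tag):
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        counter = int(msg.decode().rsplit("|", 1)[1])
        if counter <= self._last_counter:
            return "rejected: replay"
        self._last_counter = counter
        return "accepted"


def demo():
    se = SecureElement()
    issuer = se.enrol_issuer()
    msg, tag = se.authorise("cafe", 500)
    results = {"first": issuer.accept(msg, tag)}
    results["replay"] = issuer.accept(msg, tag)
    results["tampered"] = issuer.accept(msg.replace(b"500", b"5000"), tag)
    # Holder was shown 5.00, but the calling app requested 50.00 from the SE.
    msg2, tag2 = se.authorise("cafe", 5000)
    results["amount_mismatch"] = issuer.accept(msg2, tag2)
    return results
```
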