One day will be a business school case study how NFC went from handset (started with Nokia) to telcos to banks (HCE) and then to platforms
Tweet by Dave Birch @dgwbirch, who I think nailed it.
Apple Pay is a big deal. Most people were more interested in the new iPhone, and the not-really-surprise announcement of an iWatch Apple Watch (see this if you don’t know why that’s funny). But as a payments geek, all I wanted to know about was the rumored Apple Pay capabilities from the iPhone and Apple Watch.
What I found funny – both before and after the event – was hearing negative comments that secure mobile payment and mobile wallets are not new, they’ve been around for years, and Apple is a bunch of dorks for hyping old technology. All of which is true, but it completely misses the point!
The basic technologies for secure mobile wallets and NFC payment systems have been around for years. There have been fully functional service from major firms for at least four years. There have been mobile wallets, leveraging secure element/NFC technology, outside the US for several years. One of the people who runs Google Wallet tweeted Dear iPhone 6 users: Welcome to 2012! That’s not just sour grapes – there is fact behind it.
Here’s the thing: A behind-the-scenes turf war has prevented most major players from supporting earlier solutions, so nothing achieved critical mass. The major cellular carriers saw the NFC/secure element bundle, which does the heavy lifting for secure payments, as their own domain. To access ‘their’ secure element they wanted their pound of flesh: payment each time an application on the mobile phone accessed the secure element. That pushed the financial players (including banks, card brands, and payment networks) to look for more open alternatives. Their hopes hinged on HCE, Host Card Emulation – essentially a virtual secure element. I won’t dive into the technical issues around some deploying these solutions, but there are drawbacks. And the people who build HCE’s and wallets wanted their own piece of the pie. Google, for example, wanted user data and purchase history to feed their big data machine. For security and privacy reasons this was a non-starter for many banks. As a result, great pieces of technology have been waiting on the sidelines while the players bickered over who got what.
My point is that only Apple could carry this off. Most firms can’t do what Apple can: dictate a single consistent secure element architecture for all devices, and consistently deploy the right bits onto the elements. And only Apple appeared willing to provide enough benefits for the major players in the payment space – without injecting unacceptable customer data requirements – to reach critical mass. Fanboi or hater of all things “Crapple”, you must give them credit for putting together a very well-conceived solution.
From the video of the event it looks like the Apple Watch and the iPhone 6/6+ will each have a ‘secure element’ bundled with the NFC antenna – not a new technology, already deployed in parts of Europe, but not really mass market previously. The Apple Watch will leverage skin contact to support identification, and the Touch ID fingerprint scanner on the iPhone – again, the technologies are not new, but have never been mass-market. They will abstract the credit card/PAN with a surrogate identifier – we call that tokenization here at Securosis, and it is not new technology either. What I think is new – as least this is the first time I’m aware of – is a major firm is respecting the privacy and security of users.
No, Apple is not doing this for free either. The banks and payment networks are willing to pay Apple for the reduction in payment fraud, as it has been announced that they will receive transaction fees from some partners. During the next two years the majority of Apple devices will not include secure element capabilities, but within 5 to 10 years will be a very big deal, as the majority of the Apple ecosystem offers secure and private payment. Mobile payments are not really that much easier to use than their plastic counterparts, so it can be hard to see why banks see mobile payments as such a financial lubricant, but I expect it to enable new kinds of commerce.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- David Mortman: Secure Agile Development: Agile and Agile Trends.
- Adrian Lane: Shipping Decent Breach Notification.
- Mike Rothman: Suing Gartner. I’m surprised I didn’t get more comments on this post. Kind of counter-intuitive. Unless maybe it’s not and everyone else figured out NetScout’s grandstanding before me…
Other Securosis Posts
- Incite 9/10/2014: Smile and Breathe.
- Summary: Seven Year Scratch.
- Feeding at the Data Breach Trough.
- PR Fiascos for Dummies.
- Secure Agile Development: Working with Development.
- Secure Agile Development: Agile and Agile Trends.
- Secure Agile Development: New Series.
Favorite Outside Posts
- David Mortman: J-Law Nudie Pics, Jeremiah, Privacy and Dropbox – An Epic FAIL of Mutual Distraction.
- Gunnar: Why Isn’t Apple a Leader in Security? Chris Mims’ question question is fair but deserves some context. On devices, Apple already is a leader in security, they are light years beyond Android and competitors in most security capabilities and have a way better track record in the field to show for their efforts on devices. But what about the Cloud? We haven’t the same kind of technical leadership here from Apple, and with so much user data being stored and used there, the time has come for Apple to be a security leader on the server side, too.
- Gunnar: “Innovation is alive and well at Apple. You can scream it from the rooftops.” That from Tim Cook, who later went on to announce three products that are iterations of products widely available in the market for many years (payments, watch, large screen phone). Apple likes to present as an innovator, however they do not do bleeding edge. What they really do is world class usability and QA, in other words product knowledge. I am not minimizing that and their track record speaks for itself; pick any category they are in and they usually have the best in class. But here is what I would like to see: Apple can and should add security to the list of things it does better than anyone, right next to usability and QA.
- Adrian Lane: Why Did Docker Catch on Quickly and Why is it so Interesting? If you have tried to build apps that work across cloud and virtual server environments you understand how portability is – again and still – an issue. Docker’s “Build anything once, run anywhere” model is a huge insurance policy for developers, and it ensure the delivered code is correctly configured. Think of it like an appliance you would have put into a rack, only this one really is virtualized.
Research Reports and Presentations
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
- Analysis of the 2014 Open Source Development and Application Security Survey.
- Defending Against Network-based Distributed Denial of Service Attacks.
- Reducing Attack Surface with Application Control.
- Leveraging Threat Intelligence in Security Monitoring.
- The Future of Security: The Trends and Technologies Transforming Security.
- Security Analytics with Big Data.
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7.
- Eliminate Surprises with Security Assurance and Testing.
Top News and Posts
- WikiLeaks Spy Files
- Critical Fixes for Adobe, Microsoft Software
- Buffer between Target and banks. Martin does a great job explaining the relationships between different banks and card brands for credit card payment clearing.
- Why Turning Data Into Security Intelligence Is So Hard
- Apple’s Live Event Stream Failure, And Why It Happened: It Wasn’t A Capacity Issue
Blog Comment of the Week
None this week, sorry.
Comments